ColdFusion defaults avoid flawed Random Number Generator
I've been researching a very interesting security topic for the past few weeks related to the Snowden NSA leaks and even related to ColdFusion. Thankfully Adobe's default settings avoid the weakness.
According to reports, the NSA has designed a backdoor into a random number generator algorithm, and was able to push it through NIST to be approved in 2006 as a FIPS standard. While the algorithm is apparently not named in the documents, all evidences points to an algorithm called Dual Elliptic Curve Deterministic Random Bit Generator (or Dual_EC_DRBG or ECDRBG). I am not qualified to explain the flaws in this algorithm, so I'll point you to someone who has explained it well, Matthew Green a cryptographer and research professor at Johns Hopkins University.
So how does this relate to ColdFusion?
The Enterprise version of ColdFusion has shipped with a library called BSafe Crypto-J, from RSA which is a java security provider that implements FIPS compliant crypto algorithms, allows CF's crypto to be FIPS compliant.
It turns out that RSA's default random number generator for its BSafe libraries is ECDRBG! This is interesting because ECDRBG is much slower than other secure random number generator algorithms approved by FIPS, and doubts about its security were published in 2007. Read more about this here.
So if ColdFusion is using BSafe are we at risk?
ColdFusion start up scripts specify
-Dcoldfusion.jsafe.defaultalgo=FIPS186Random as a jvm argument (jvm.config) by default (I checked CF8, 9 and 10 installs and they all had it, but you should double check yours). It was unclear to me if FIPS186Random was still going to use ECDRBG since it is a FIPS 186 approved algorithm, so I contacted Adobe about this and suggested they contact RSA for clarification. The response I received from Adobe was:
We confirmed with RSA as well, FIPS186Random is safe to use and does not make use of ECDRBG variants of algorithms.
Adobe has just posted a blog entry about the issue.
So you need to make sure that you have note removed that line of configuration, or else you may be using the default one.
How can I find out which Random Number Generator is default?
Run the following CFML code:
<cfset secureRand = CreateObject("java", "java.security.SecureRandom")> <cfdump var="#secureRand.getAlgorithm()#">
What is at risk if I'm using ECDRGB?
Random numbers are used in key generation, so this could weaken SSL/TLS connections made by your code (eg a CFHTTP call to a HTTPS url). Random numbers are also used in session identifier generation. Presumably an attacker that understands how to exploit the weakness could more accurately guess valid session identifiers.
How can I change the BSafe default RNG algorithm?
According to the RSA documentation you can set the java system property
-Dcom.rsa.crypto.default.random to another algorithm (for example
HMACDRBG). Adobe however has their own system property
-Dcoldfusion.jsafe.defaultalgo that you can set for ColdFusion (in the jvm.config file).
What if I am running CF Standard not Enterprise?
The RSA BSafe CryptoJ libraries should only be enabled on enterprise installations of ColdFusion. Either way you can double check using the code above which random number generator is default (usually SHA1PRNG on standard).
- CFSummit 2016 Slides
- Securing Legacy CFML - dev.Objective() 2016 Slides
- My CFSummit 2015 Slide Decks
- Adding Chrome Custom Search for CFDocs
- Disable Flash Remoting on ColdFusion Servers
- HackMyCF Adds SSL/TLS Scanner
- IncompatibleClassChangeError after ColdFusion 11 Update 5
- Scope Injection in CFML