ColdFusion 7 Strong Encryption
ColdFusion MX 7 adds strong encryption support to the Encrypt and Decrypt functions. In addition to the legacy algorithm used in Encrypt, and Decrypt - ColdFusion MX 7 now makes it incredibly easy to use AES, Blowfish, DES, and Triple DES encryption. It also adds the ability to encode the encrypted string using three different binary encoding algorithms Base64, Hexidecimal, and the UUEncode algorithm.
Here's an example:
<!--- options for algorithm are CFMX_COMPAT (default), AES, BLOWFISH, DES, and DESEDE ---> <cfset algorithm = "AES"> <!--- encoding options, Base64, hex, or uu ---> <cfset encoding = "hex"> <!--- generate a key ---> <cfset key = GenerateSecretKey(algorithm)> <cfset str = "This is my secret string." > <cfset enc = Encrypt(str, key, algorithm, encoding)> <cfset dec = Decrypt(enc, key, algorithm, encoding)> <cfoutput> <pre> string=#str# encrypted=#enc# decrypted=#dec# key=#key# algorithm=#algorithm# </pre> </cfoutput>
The default encoding algorithm is UUEncode, this algorithm however may not be best if you need to pass the encrypted value around (as the possible character values are greatest). The safest choice for encoding is
hex which will only use the characters A-F and 0-9 - it also will yield the longest string. The next best choice is Base64 encoding, this encoding will use characters a-z A-Z 0-9 and sometimes will use = signs at the end for padding.
The DES (Data Encryption Standard) algorithm was developed in the US in the 1970's by the NSA. DES is no longer considered secure and can be broken in hours or days by exhaustive key search. There are around 72 quadrillion possible keys.
Triple DES (DESEDE) to make it harder to break we encrypt using one key, encrypt using another key, and finally decrypt using the first key. Triple DES is still considered a secure algorithm, and is in wide use.
The AES/Rijndael (Advanced Encryption Standard) algorithm is your strongest choice, it uses at least 128 bit keys (can use 128, 192, or 256), and even executes faster than DES and Triple DES algorithms (which use 56 bit keys).
Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key.NIST AES Fact Sheet
The blowfish algorithm was also designed as a replacement to DES - it uses variable key lengths (32-448 bits) and is appropriate for both domestic (US) and international use. Blowfish is significantly faster than DES (20x).
|Blowfish||Strong||Fast, but time consuming to initialize a new key||232 - 2448|
|AES||Strong||Fast||2128, 2192, 2256|
Other Sources: An introduction to modern crypto systems, and Do we need AES?, Description of a new variable-length key, 64-bit block cipher (blowfish) all good reads.
- Hash - March 15, 2005
- Strong Encryption Technote shows undocumented features - February 22, 2005
- CFFUNCTION and CFARGUMENT don't support new types in ColdFusion 7 - April 13, 2005
- CFTIMER - Little things in ColdFusion 7 - February 11, 2005
- cfdirectory adds recursive support - Little Things in CFMX 7 - February 10, 2005
- What is the difference between ASCII Chr(10) and Chr(13)
- Fixinator and Foundeo Security Bundle
- Running CFML on AWS Lambda with FuseLess Slides
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token