ColdFusion 7 Strong Encryption

February 10, 2005

ColdFusion MX 7 adds strong encryption support to the Encrypt and Decrypt functions. In addition to the legacy algorithm used in Encrypt, and Decrypt - ColdFusion MX 7 now makes it incredibly easy to use AES, Blowfish, DES, and Triple DES encryption. It also adds the ability to encode the encrypted string using three different binary encoding algorithms Base64, Hexidecimal, and the UUEncode algorithm.

Here's an example:

<!--- options for algorithm are
<cfset algorithm = "AES">
<!--- encoding options, Base64, hex, or uu --->
<cfset encoding = "hex">
<!--- generate a key --->
<cfset key = GenerateSecretKey(algorithm)>
<cfset str = "This is my secret string." >
<cfset enc = Encrypt(str, key, algorithm, encoding)>
<cfset dec = Decrypt(enc, key, algorithm, encoding)>


The default encoding algorithm is UUEncode, this algorithm however may not be best if you need to pass the encrypted value around (as the possible character values are greatest). The safest choice for encoding is hex which will only use the characters A-F and 0-9 - it also will yield the longest string. The next best choice is Base64 encoding, this encoding will use characters a-z A-Z 0-9 and sometimes will use = signs at the end for padding.

Encryption Algorithms

The DES (Data Encryption Standard) algorithm was developed in the US in the 1970's by the NSA. DES is no longer considered secure and can be broken in hours or days by exhaustive key search. There are around 72 quadrillion possible keys.

Triple DES (DESEDE) to make it harder to break we encrypt using one key, encrypt using another key, and finally decrypt using the first key. Triple DES is still considered a secure algorithm, and is in wide use.

The AES/Rijndael (Advanced Encryption Standard) algorithm is your strongest choice, it uses at least 128 bit keys (can use 128, 192, or 256), and even executes faster than DES and Triple DES algorithms (which use 56 bit keys).

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key.NIST AES Fact Sheet

The blowfish algorithm was also designed as a replacement to DES - it uses variable key lengths (32-448 bits) and is appropriate for both domestic (US) and international use. Blowfish is significantly faster than DES (20x).

Algorithm Strength Speed Key Length
DES Low Slow 256
Triple DES Good Slowest 256
Blowfish Strong Fast, but time consuming to initialize a new key 232 - 2448
AES Strong Fast 2128, 2192, 2256

Other Sources: An introduction to modern crypto systems, and Do we need AES?, Description of a new variable-length key, 64-bit block cipher (blowfish) all good reads.

Related Entries

6 people found this page useful, what do you think?


Pete, One interesting thing I pulled form the docs on the new encryption features is this gem: "The JCE framework includes facilities for using other provider implementations; however, Macromedia cannot provide technical support for third-party security providers." What this means is that the encryption framework in CF is now plugable, and you can theoretically add any additional encryption types supportable through JCE.
It's a little disappointing that SHA1, SHA256, SHA512 and its' variations weren't included in the new encryption. SHA was developed as a replacement for triple-DES. I would use SHA-1 or higher over triple-DES any day. "SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the required secure hash algorithms for use in U.S. Federal applications, including use by other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations." - Try SHA1 at: (sorry, will not work with safari users) .pjf
I'm sure this is a stupid question but, based on your post, why would you use anything other than the AES algorithm (CF-wise, at least) if it's both the strongest and fastest option?
Dave, blowfish might be faster in some cases, depends how you use it. You might also use other encryption methods if your integrating with a legacy system, or there are cryptography restrictions (blowfish is safe to use internationally).
I don't think it's a stupid question. I can think of a couple of things: 1. Be compatible with older systems or athentication methods - web services, interfacing with other systems, etc. 2. If I remember correctly, AES is subject to U.S. customs export controls. In short, it would be illegal to export it to specific countries (the list is quite long with I remember correctly). Best, .pjf
Thanks Pete and Peter, this makes sense. Regards, Dave.
Peter - SHA-1 and AES serve two entirely different purposes. AES is a data encryption/DECRYPTION protocol. SHA-1, et al, are hashing functions - it's a one-way encrypt. You can't take an SHA-1 encryption and restore the original data.
Anj, Yeah, I wasn't very clear about that - sha is a one-way hash. I wasn't thinking about decrypting anything. Just about a translucent DB I was working on. .pjf
.pjf, If you don't mind using UDFs, there are ones for SHA1, SHA256, and RIPEMD160 over at
Thanks Rob, I already use them... ;-) .pjf
what about encoding...which is the best choice?
Does anyone know of any new CF7 features regarding asymmetrical public/private key schemes? I've read this article ( but was just wondering if anything was easier in 7.
Dear I became able to encrypt data using 128bit AES,but couldnot able to decrypt it.(i used asHex())it's showing badpadding exception. please help me
How to decrypt password which are encrypted by SHA1 Algorithm
Shyam, SHA is a one-way hashing alogithm. Once hashed, there is no way to un-hash the text. A lot of systems use this type of encryption for passwords. In order to compare the passwords, you take the user input and hash it and then compare it to the hash in your DB. If they match, then the person entered the correct password.
has any one ever written a version of des that uses an extension of 3des there creating 7des eg(ededede and dededed) which uses 7 56 bit keys plus cypher block chaining if you would like such a program contact me at <>
So you are saying there is no way to decrypt SHA-1 passwords even if I have the key?
I had a total nightmare getting AES to work. The third party we're working with specifies both key and initialization vector an there's almost no documentation on this for CF. I've got some notes (and step by step details) at if anybody needs it.
will you please tell me wat is BASE64.. and explain some example...
What data type should you use to store the encrypted value if you select the AES algorithm and use hex for the encoding?
can anyone help me out in writing the sample code for TRIPLEDES encrytion.
Good stuff! Thanks for sharing.

Recent Entries


did you hack my cf?