Pete Freitag Pete Freitag

ColdFusion 7 Strong Encryption

Updated on November 14, 2023
By Pete Freitag
coldfusion

ColdFusion MX 7 adds strong encryption support to the Encrypt and Decrypt functions. In addition to the legacy algorithm used in Encrypt, and Decrypt - ColdFusion MX 7 now makes it incredibly easy to use AES, Blowfish, DES, and Triple DES encryption. It also adds the ability to encode the encrypted string using three different binary encoding algorithms Base64, Hexidecimal, and the UUEncode algorithm.

Here's an example:

<!--- options for algorithm are
CFMX_COMPAT (default), AES, BLOWFISH, DES, and DESEDE --->
<cfset algorithm = "AES">
<!--- encoding options, Base64, hex, or uu --->
<cfset encoding = "hex">
<!--- generate a key --->
<cfset key = GenerateSecretKey(algorithm)>
<cfset str = "This is my secret string." >
<cfset enc = Encrypt(str, key, algorithm, encoding)>
<cfset dec = Decrypt(enc, key, algorithm, encoding)>
<cfoutput>
<pre>
string=#str#
encrypted=#enc#
decrypted=#dec#
key=#key#
algorithm=#algorithm#
</pre>
</cfoutput>

Encoding

The default encoding algorithm is UUEncode, this algorithm however may not be best if you need to pass the encrypted value around (as the possible character values are greatest). The safest choice for encoding is hex which will only use the characters A-F and 0-9 - it also will yield the longest string. The next best choice is Base64 encoding, this encoding will use characters a-z A-Z 0-9 and sometimes will use = signs at the end for padding.

Encryption Algorithms

The DES (Data Encryption Standard) algorithm was developed in the US in the 1970's by the NSA. DES is no longer considered secure and can be broken in hours or days by exhaustive key search. There are around 72 quadrillion possible keys.

Triple DES (DESEDE) to make it harder to break we encrypt using one key, encrypt using another key, and finally decrypt using the first key. Triple DES is still considered a secure algorithm, and is in wide use.

The AES/Rijndael (Advanced Encryption Standard) algorithm is your strongest choice, it uses at least 128 bit keys (can use 128, 192, or 256), and even executes faster than DES and Triple DES algorithms (which use 56 bit keys).

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key.NIST AES Fact Sheet (link no longer works; http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html)

The blowfish algorithm was also designed as a replacement to DES - it uses variable key lengths (32-448 bits) and is appropriate for both domestic (US) and international use. Blowfish is significantly faster than DES (20x).

Algorithm Strength Speed Key Length
DES Low Slow 256
Triple DES Good Slowest 256
Blowfish Strong Fast, but time consuming to initialize a new key 232 - 2448
AES Strong Fast 2128, 2192, 2256

Other Sources: An introduction to modern crypto systems (link no longer works: http://www.giac.org/practical/GSEC/Andrew_Zwicke_GSEC.pdf), and Do we need AES? (link no longer applicable: http://www.cryptomathic.com/company/aes.html), Description of a new variable-length key, 64-bit block cipher (blowfish) all good reads.



cfml coldfusion 7 crypto

ColdFusion 7 Strong Encryption was first published on February 10, 2005.

If you like reading about cfml, coldfusion 7, or crypto then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

CFBreak
The weekly newsletter for the CFML Community


Comments

Pete,

One interesting thing I pulled form the docs on the new encryption features is this gem:

"The JCE framework includes facilities for using other provider implementations; however, Macromedia cannot provide technical support for third-party security providers."

What this means is that the encryption framework in CF is now plugable, and you can theoretically add any additional encryption types supportable through JCE.
by Rob Brooks-Bilson on 02/10/2005 at 3:05:32 PM UTC
It's a little disappointing that SHA1, SHA256, SHA512 and its' variations weren't included in the new encryption.

SHA was developed as a replacement for triple-DES. I would use SHA-1 or higher over triple-DES any day.

"SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the required secure hash algorithms for use in U.S. Federal applications, including use by other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations."
- http://en.wikipedia.org/wiki/SHA1

Try SHA1 at:
http://www.cs.eku.edu/faculty/styer/460/Encrypt/JS-SHA1.html
(sorry, will not work with safari users)

.pjf
by Peter J. Farrell on 02/10/2005 at 4:01:18 PM UTC
I'm sure this is a stupid question but, based on your post, why would you use anything other than the AES algorithm (CF-wise, at least) if it's both the strongest and fastest option?
by Dave Carabetta on 02/10/2005 at 4:17:00 PM UTC
Dave, blowfish might be faster in some cases, depends how you use it.

You might also use other encryption methods if your integrating with a legacy system, or there are cryptography restrictions (blowfish is safe to use internationally).
by Pete Freitag on 02/10/2005 at 4:21:36 PM UTC
I don't think it's a stupid question.

I can think of a couple of things:
1. Be compatible with older systems or athentication methods - web services, interfacing with other systems, etc.
2. If I remember correctly, AES is subject to U.S. customs export controls. In short, it would be illegal to export it to specific countries (the list is quite long with I remember correctly).

Best,
.pjf
by Peter J. Farrell on 02/10/2005 at 4:24:48 PM UTC
Thanks Pete and Peter, this makes sense.

Regards, Dave.
by Dave Carabetta on 02/10/2005 at 4:37:06 PM UTC
Peter - SHA-1 and AES serve two entirely different purposes.
AES is a data encryption/DECRYPTION protocol.

SHA-1, et al, are hashing functions - it's a one-way encrypt. You can't take an SHA-1 encryption and restore the original data.
by Anj on 02/11/2005 at 1:58:28 PM UTC
Anj,

Yeah, I wasn't very clear about that - sha is a one-way hash. I wasn't thinking about decrypting anything. Just about a translucent DB I was working on.

.pjf
by Peter J. Farrell on 02/11/2005 at 5:08:09 PM UTC
.pjf,

If you don't mind using UDFs, there are ones for SHA1, SHA256, and RIPEMD160 over at cflib.org.
by Rob Brooks-Bilson on 02/11/2005 at 5:19:11 PM UTC
Thanks Rob,
I already use them... ;-)

.pjf
by Peter J. Farrell on 02/11/2005 at 5:22:49 PM UTC
what about encoding...which is the best choice?
by Derek on 05/01/2005 at 9:45:47 PM UTC
Does anyone know of any new CF7 features regarding asymmetrical public/private key schemes? I've read
this article (http://cfdj.sys-con.com/read/46359.htm) but was just wondering if anything was easier in 7.
by Dan on 07/14/2005 at 6:05:35 PM UTC
How to decrypt password which are encrypted by SHA1 Algorithm
by Shyam on 05/29/2006 at 4:06:56 AM UTC
Shyam, SHA is a one-way hashing alogithm. Once hashed, there is no way to un-hash the text. A lot of systems use this type of encryption for passwords. In order to compare the passwords, you take the user input and hash it and then compare it to the hash in your DB. If they match, then the person entered the correct password.
by Peter J. Farrell on 05/29/2006 at 10:37:32 AM UTC
So you are saying there is no way to decrypt SHA-1 passwords even if I have the key?
by AJ on 02/16/2007 at 1:13:45 PM UTC
Good stuff! Thanks for sharing.
by Brad on 02/12/2011 at 2:04:36 AM UTC