Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

Data Encryption in ColdFusion: An Overview of the Built-in Features

CF didn't used to offer much in the way of built-in data encryption; that all changed in CFMX 7

It is likely that at some point in your development career you had to deal with sensitive data. It might have been credit card numbers in an e-commerce site, or an employee identification number on an intranet. Perhaps you were setting up a security scheme and wanted to protect the passwords of the user.

Maybe you wanted to encrypt some user data before sending it off to a business partner via a Web service, or setting a cookie on the user's machine? For whatever the reason you probably took a look at ColdFusion's built-in functions for encrypting data.

Unfortunately, in versions of ColdFusion prior to the seventh release, ColdFusion didn't offer much in the way of built-in data encryption. You had to go looking outside of the built-in functionality, and often purchase a custom tag to do anything advanced with encryption. Thankfully, ColdFusion MX7 expanded the built-in encryption set and gives us a much broader range of features without going outside the language. This article will tell you about those features and offer some suggestions on where to go when you need more.

Password Encryption
Have you ever come across a Website that forces you to register to see their content? If so, have you ever tried to register only to be told that you already have an account? In the dark reaches of your mind, you have a vague memory of trying to access some content on their site many years ago. They won't let you re-register because you already have an account, so you click that "I forgot my password" box. Many sites will not reveal your password to you. A common approach is for you to provide an e-mail address, and then the site will reset your e-mail address and e-mail you the new one. Another approach might be for you to answer a series of password questions, after which you will be able to reset your password.

Why do you have to reset the password, instead of the site revealing the previous password to you? It's because they don't know the password. As part of the security process, they encrypt all passwords in their database, using a one-way algorithm. A one-way algorithm is a method of encryption where the encrypted string cannot be decrypted. There is no way to get the original data from the decrypted string. In ColdFusion you can set up this type of encryption using the hash function.

The hash function has three arguments:

  • String: The string argument specifies the data you want to encrypt.
  • Algorithm: The algorithm argument specifies the algorithm you want to use to generate your encrypted string. The algorithm selected will affect the length of the encrypted string. CFMX_COMPAT or MD5 will generate a 32-character string, compatible with previous version of CFMX. SHA will generate a 28-character string, SHA-256 a 44-character string, SHA-384 a 64-character string, and SHA-512 a 88 character string.
  • Encoding: Encoding is an option attribute that is used to specify the encoding to use when converting the string to byte data. If you leave out this attribute, the defaultCharset value, set in neo-runtime.xml, is used.
So, how can you apply this to your own development? Suppose you had a registration form on your Website. The users fill out a bunch of information, including username and password. The form probably looks something this:

<form action="save.cfm" method="post">
   username: <input type="text" name="username">
   password: <input type="password" name=" password">
   .. other user stuff here
</form>

The user steps through the registration process and at some point they submit the form. Your verification code decides that there is no problem with the user's submission, and you'll run an insert query like this:

<cfquery name="savestring" datasource="Mydb">
   insert into Users(username, password, otheruserstuff)
   values ('#form.username#', '#hash(form.password)#', 'otheruserstuff')
</cfquery>

Although you collected a plain text password, you don't actually store it in that format. The information is hashed when it goes into the database. How do you actually compare that information when the user tries to log back in? Easy, you hash the password they entered and compare the hashed results with the hashed value in the database.

Suppose this is your login form:

<form action="login.cfm" method="post">
   username: <input type="text" name="username">
   password: <input type="password" name=" password">
</form>

(Hey, that code snippet looks familiar.) The user clicks submit and, on the login page, you can verify the login like this:

<cfquery name="Login" datasource="Mydb">
   select * Users
   where username = '#form.username#' and password = '#hash(form.password)#'
</cfquery>

There you have it. More information about the hash function can be found in the livedocs http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000503.htm#1105551.

Data Decryption
One drawback of the hash function is that you are never able to take the encrypted value and get the original string. Sometimes, you'll need to see the data behind your encrypted strings. ColdFusion has two functions to help us with this, aptly named encrypt and decrypt. Both functions have a similar set of arguments:

  • String: The string argument is required. It is either the string that you want to encrypt (for the encrypt function) or the encrypted string you want to decrypt (for the decrypt function)
  • Key: The key argument is used to specify the key for encryption and decryption. You use this value to go from the original value to an encrypted string, and to go from the encrypted string back to the original value. If you are using CFMX_COMPAT (which is included for backward compatibility), any string can be used in the encrypt function. Otherwise, you should use the GenerateSecretKey function to create a key for the particular algorithm. For decryption, you should use the same key value that you used to encrypt the value in the first place. GenerateSecretKey accepts one argument, which is the name of the algorithm.
  • Algorithm: The algorithm argument accepts the name of the encryption library that you want to use. CFMX_COMPAT is the default value, making this argument optional. Other values are AES, Blowfish, DES, or DESEDE.
  • Encoding: The encoding argument is used to specify the binary encoding that is used to represent the data as a string. UU is the default value, with the alternate's being Base64 or Hex.
  • IVorSalt: If you are using a block encryption algorithm, you need to specify the initialization vector (IV) for compatibility with other systems. You put that value here. For password-based encryption, specify the salt value here. A salt value is random data that is part of the session key and helps deter brute force decryption attempts.
  • Iterations: The iterations argument specifies the number of iterations that are taken to transform the password into a binary key. This argument is not used for block encryption algorithms.
For this example, I'll assume you need to integrate two systems and must send data from one to the other, via an HTTP post. (Believe it or not, my experience is that this method is still in wider use than SOAP Web services.) First, you need to create the page to send the data:

<cfset data = encrypt('Jeff','12345')>
<cfhttp url="http://localhost//recieve.cfm" method="post" result="MyResults" >
<cfhttpparam name="data" value="#data#" type="formfield">
</cfhttp>
<cfdump var="#variables#">

More Stories By Jeffry Houser

Jeffry is a technical entrepreneur with over 10 years of making the web work for you. Lately Jeffry has been cooped up in his cave building the first in a line of easy to use interface components for Flex Developers at www.flextras.com . He has a Computer Science degree from the days before business met the Internet and owns DotComIt, an Adobe Solutions Partner specializing in Rich Internet Applications. Jeffry is an Adobe Community Expert and produces The Flex Show, a podcast that includes expert interviews and screencast tutorials. Jeffry is also co-manager of the Hartford CT Adobe User Group, author of three ColdFusion books and over 30 articles, and has spoken at various events all over the US. In his spare time he is a musician, old school adventure game aficionado, and recording engineer. He also owns a Wii. You can read his blog at www.jeffryhouser.com, check out his podcast at www.theflexshow.com or check out his company at www.dot-com-it.com.

Comments (5) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Jeff Houser 11/08/07 06:18:11 PM EST

Joshua,

A lot of things have changed thanks to PCI Compliance. I am not up on them, but here is a place to start:

https://www.pcisecuritystandards.org/

I strongly recommend anything you do comply with such guidelines.

Joshua Rountree 11/08/07 11:22:32 AM EST

Hey, if you had to store credit card data in a database would you also store the key that was generated in a separate field?
How would you handle this for decrption purposes?

Please advise, thanks!

Jeff Houser 02/13/06 12:44:21 PM EST

Based on recent tests, It appears that the latest version of PGP (9.05) will not break the CF WSConfig tool. When I wrote this article I was using 9.02, which caused a lot of problems.

Jeff Houser 02/13/06 12:42:32 PM EST

Hi queZZtion,

Who knows what the next version will contain. Yes, I hope that CF adds native support for public / private key encryption. I don't know if it is being considered (or not).

news desk 01/25/06 09:54:35 PM EST

It is likely that at some point in your development career you had to deal with sensitive data. It might have been credit card numbers in an e-commerce site, or an employee identification number on an intranet. Perhaps you were setting up a security scheme and wanted to protect the passwords of the user.

@ThingsExpo Stories
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics gr...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things’). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing? IoT is not about the devices, it’s about the data consumed and generated. The devices are tools, mechanisms, conduits. In his session at Internet of Things at Cloud Expo | DXWor...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution. In his session at @ThingsExpo, Akvelon expert and IoT industry leader Sergey Grebnov provided an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...