Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

Data Encryption in ColdFusion: An Overview of the Built-in Features

CF didn't used to offer much in the way of built-in data encryption; that all changed in CFMX 7

It is likely that at some point in your development career you had to deal with sensitive data. It might have been credit card numbers in an e-commerce site, or an employee identification number on an intranet. Perhaps you were setting up a security scheme and wanted to protect the passwords of the user.

Maybe you wanted to encrypt some user data before sending it off to a business partner via a Web service, or setting a cookie on the user's machine? For whatever the reason you probably took a look at ColdFusion's built-in functions for encrypting data.

Unfortunately, in versions of ColdFusion prior to the seventh release, ColdFusion didn't offer much in the way of built-in data encryption. You had to go looking outside of the built-in functionality, and often purchase a custom tag to do anything advanced with encryption. Thankfully, ColdFusion MX7 expanded the built-in encryption set and gives us a much broader range of features without going outside the language. This article will tell you about those features and offer some suggestions on where to go when you need more.

Password Encryption
Have you ever come across a Website that forces you to register to see their content? If so, have you ever tried to register only to be told that you already have an account? In the dark reaches of your mind, you have a vague memory of trying to access some content on their site many years ago. They won't let you re-register because you already have an account, so you click that "I forgot my password" box. Many sites will not reveal your password to you. A common approach is for you to provide an e-mail address, and then the site will reset your e-mail address and e-mail you the new one. Another approach might be for you to answer a series of password questions, after which you will be able to reset your password.

Why do you have to reset the password, instead of the site revealing the previous password to you? It's because they don't know the password. As part of the security process, they encrypt all passwords in their database, using a one-way algorithm. A one-way algorithm is a method of encryption where the encrypted string cannot be decrypted. There is no way to get the original data from the decrypted string. In ColdFusion you can set up this type of encryption using the hash function.

The hash function has three arguments:

  • String: The string argument specifies the data you want to encrypt.
  • Algorithm: The algorithm argument specifies the algorithm you want to use to generate your encrypted string. The algorithm selected will affect the length of the encrypted string. CFMX_COMPAT or MD5 will generate a 32-character string, compatible with previous version of CFMX. SHA will generate a 28-character string, SHA-256 a 44-character string, SHA-384 a 64-character string, and SHA-512 a 88 character string.
  • Encoding: Encoding is an option attribute that is used to specify the encoding to use when converting the string to byte data. If you leave out this attribute, the defaultCharset value, set in neo-runtime.xml, is used.
So, how can you apply this to your own development? Suppose you had a registration form on your Website. The users fill out a bunch of information, including username and password. The form probably looks something this:

<form action="save.cfm" method="post">
   username: <input type="text" name="username">
   password: <input type="password" name=" password">
   .. other user stuff here
</form>

The user steps through the registration process and at some point they submit the form. Your verification code decides that there is no problem with the user's submission, and you'll run an insert query like this:

<cfquery name="savestring" datasource="Mydb">
   insert into Users(username, password, otheruserstuff)
   values ('#form.username#', '#hash(form.password)#', 'otheruserstuff')
</cfquery>

Although you collected a plain text password, you don't actually store it in that format. The information is hashed when it goes into the database. How do you actually compare that information when the user tries to log back in? Easy, you hash the password they entered and compare the hashed results with the hashed value in the database.

Suppose this is your login form:

<form action="login.cfm" method="post">
   username: <input type="text" name="username">
   password: <input type="password" name=" password">
</form>

(Hey, that code snippet looks familiar.) The user clicks submit and, on the login page, you can verify the login like this:

<cfquery name="Login" datasource="Mydb">
   select * Users
   where username = '#form.username#' and password = '#hash(form.password)#'
</cfquery>

There you have it. More information about the hash function can be found in the livedocs http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000503.htm#1105551.

Data Decryption
One drawback of the hash function is that you are never able to take the encrypted value and get the original string. Sometimes, you'll need to see the data behind your encrypted strings. ColdFusion has two functions to help us with this, aptly named encrypt and decrypt. Both functions have a similar set of arguments:

  • String: The string argument is required. It is either the string that you want to encrypt (for the encrypt function) or the encrypted string you want to decrypt (for the decrypt function)
  • Key: The key argument is used to specify the key for encryption and decryption. You use this value to go from the original value to an encrypted string, and to go from the encrypted string back to the original value. If you are using CFMX_COMPAT (which is included for backward compatibility), any string can be used in the encrypt function. Otherwise, you should use the GenerateSecretKey function to create a key for the particular algorithm. For decryption, you should use the same key value that you used to encrypt the value in the first place. GenerateSecretKey accepts one argument, which is the name of the algorithm.
  • Algorithm: The algorithm argument accepts the name of the encryption library that you want to use. CFMX_COMPAT is the default value, making this argument optional. Other values are AES, Blowfish, DES, or DESEDE.
  • Encoding: The encoding argument is used to specify the binary encoding that is used to represent the data as a string. UU is the default value, with the alternate's being Base64 or Hex.
  • IVorSalt: If you are using a block encryption algorithm, you need to specify the initialization vector (IV) for compatibility with other systems. You put that value here. For password-based encryption, specify the salt value here. A salt value is random data that is part of the session key and helps deter brute force decryption attempts.
  • Iterations: The iterations argument specifies the number of iterations that are taken to transform the password into a binary key. This argument is not used for block encryption algorithms.
For this example, I'll assume you need to integrate two systems and must send data from one to the other, via an HTTP post. (Believe it or not, my experience is that this method is still in wider use than SOAP Web services.) First, you need to create the page to send the data:

<cfset data = encrypt('Jeff','12345')>
<cfhttp url="http://localhost//recieve.cfm" method="post" result="MyResults" >
<cfhttpparam name="data" value="#data#" type="formfield">
</cfhttp>
<cfdump var="#variables#">

More Stories By Jeffry Houser

Jeffry is a technical entrepreneur with over 10 years of making the web work for you. Lately Jeffry has been cooped up in his cave building the first in a line of easy to use interface components for Flex Developers at www.flextras.com . He has a Computer Science degree from the days before business met the Internet and owns DotComIt, an Adobe Solutions Partner specializing in Rich Internet Applications. Jeffry is an Adobe Community Expert and produces The Flex Show, a podcast that includes expert interviews and screencast tutorials. Jeffry is also co-manager of the Hartford CT Adobe User Group, author of three ColdFusion books and over 30 articles, and has spoken at various events all over the US. In his spare time he is a musician, old school adventure game aficionado, and recording engineer. He also owns a Wii. You can read his blog at www.jeffryhouser.com, check out his podcast at www.theflexshow.com or check out his company at www.dot-com-it.com.

Comments (5) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Jeff Houser 11/08/07 06:18:11 PM EST

Joshua,

A lot of things have changed thanks to PCI Compliance. I am not up on them, but here is a place to start:

https://www.pcisecuritystandards.org/

I strongly recommend anything you do comply with such guidelines.

Joshua Rountree 11/08/07 11:22:32 AM EST

Hey, if you had to store credit card data in a database would you also store the key that was generated in a separate field?
How would you handle this for decrption purposes?

Please advise, thanks!

Jeff Houser 02/13/06 12:44:21 PM EST

Based on recent tests, It appears that the latest version of PGP (9.05) will not break the CF WSConfig tool. When I wrote this article I was using 9.02, which caused a lot of problems.

Jeff Houser 02/13/06 12:42:32 PM EST

Hi queZZtion,

Who knows what the next version will contain. Yes, I hope that CF adds native support for public / private key encryption. I don't know if it is being considered (or not).

news desk 01/25/06 09:54:35 PM EST

It is likely that at some point in your development career you had to deal with sensitive data. It might have been credit card numbers in an e-commerce site, or an employee identification number on an intranet. Perhaps you were setting up a security scheme and wanted to protect the passwords of the user.

IoT & Smart Cities Stories
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...