Data Encryption in ColdFusion: An Overview of the Built-in Features

CF didn't use to offer much in the way of built-in data encryption; that all changed in CFMX 7

I named this file "send.cfm". It encrypts a piece of data and uses cfhttp to submit it to a receive.cfm page in the root directory of your local Web server. The variables scope is then cfdumped, which shows us the encrypted value and the results of the HTTP post (which will include the decrypted value). Take a look at receive.cfm:

<cfset decryptedstring = decrypt(form.data,'12345')>

<cfoutput>
   #decryptedstring#
</cfoutput>

This page is simpler than the previous one. It decrypts the data from the form post, then outputs it. In the real world, you'd use a key that is a little more complicated than "12345" (most likely generating something with the GenerateSecretKey function), and your data would probably not be hard coded, but taken out of a database. When the time comes, you can expand on the concepts in this example to make something a little more complex. You can read the LiveDocs information on encrypt at http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000457.htm#1104201, decrypt at http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000452.htm#1103962, and GenerateSecretKey at http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000468.htm#4992278.
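The same round trip with a generated key in place of "12345", as an added example that is not part of the original article. It uses the optional algorithm and encoding arguments that Encrypt and Decrypt accept as of CFMX 7; the plaintext is constructed sample data, and the single-template layout is an assumption made so the example runs on its own.

```cfml
<!--- Added example, not the article's code. All sample values are constructed. --->

<!--- GenerateSecretKey returns a random AES key as a Base64 string.
      Assumption: in a real send.cfm / receive.cfm pair the key is generated
      once, stored outside the web root, and loaded by both pages. Generating
      a new key on every request would make the data unrecoverable. --->
<cfset secretKey = GenerateSecretKey("AES")>

<cfset plaintext = "Sample sensitive value">

<!--- Name the algorithm explicitly; without it ColdFusion falls back to the
      legacy CFMX_COMPAT algorithm. Hex output is safe to carry in a form post. --->
<cfset encrypted = Encrypt(plaintext, secretKey, "AES", "Hex")>

<!--- Decrypt must be given the same key, algorithm and encoding --->
<cfset decrypted = Decrypt(encrypted, secretKey, "AES", "Hex")>

<!--- Failure case: a different key. Decryption normally throws on bad padding,
      but can occasionally return garbage instead, so handle both outcomes.
      Encryption alone does not tell you whether the data was tampered with. --->
<cfset wrongKey = GenerateSecretKey("AES")>
<cftry>
    <cfset recovered = Decrypt(encrypted, wrongKey, "AES", "Hex")>
    <cfif recovered EQ plaintext>
        <cfset wrongKeyResult = "unexpected: plaintext recovered">
    <cfelse>
        <cfset wrongKeyResult = "garbage returned, no error raised">
    </cfif>
    <cfcatch type="any">
        <cfset wrongKeyResult = "decryption failed with an error">
    </cfcatch>
</cftry>

<!--- Never write the key itself to the page or to logs --->
<cfoutput>
    Encrypted (Hex): #HTMLEditFormat(encrypted)#<br>
    Decrypted: #HTMLEditFormat(decrypted)#<br>
    Round trip matches: #YesNoFormat(decrypted EQ plaintext)#<br>
    Wrong key: #HTMLEditFormat(wrongKeyResult)#
</cfoutput>
```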

Where to Go From Here
What's next? One thing that ColdFusion does not (yet) natively support is a public/private key encryption scheme. In this type of scheme, you use one key to encrypt data and another to decrypt it. If you were sending data to me, you would encrypt it with my public key; it could then only be decrypted with my private key, so you would know that I'd be the only one reading it. Or perhaps I want to verify that you were truly the one sending me the data: if you encrypt it using your private key, I can decrypt it using your public key. Two keys increase the amount of encryption available.

There are two public/private key tags listed in the Macromedia Developer's Exchange, one from www.tamuri.com/ and one from www.digitaloutlook.com/. Both require that you install PGP, which (I'm warning you) will prevent ColdFusion's wsconfig tool from working. It is a roadblock if you are using CFMX in the J2EE configuration. The Tamuri product only works with PGP 8.0, which appears to no longer be available, and I was never able to get it to work. I had much better luck with the Digital Outlook tag, but the tag stopped working for an unknown reason and even support couldn't help me get it back to a functional point. Hopefully Adobe will include this functionality natively in the next release.

More Stories By Jeffry Houser

Jeffry is a technical entrepreneur with over 10 years of making the web work for you. Lately Jeffry has been cooped up in his cave building the first in a line of easy-to-use interface components for Flex Developers at www.flextras.com. He has a Computer Science degree from the days before business met the Internet and owns DotComIt, an Adobe Solutions Partner specializing in Rich Internet Applications. Jeffry is an Adobe Community Expert and produces The Flex Show, a podcast that includes expert interviews and screencast tutorials. Jeffry is also co-manager of the Hartford CT Adobe User Group, author of three ColdFusion books and over 30 articles, and has spoken at various events all over the US. In his spare time he is a musician, old school adventure game aficionado, and recording engineer. He also owns a Wii. You can read his blog at www.jeffryhouser.com, check out his podcast at www.theflexshow.com or check out his company at www.dot-com-it.com.


Most Recent Comments
Jeff Houser 11/08/07 06:18:11 PM EST

Joshua,

A lot of things have changed thanks to PCI Compliance. I am not up on them, but here is a place to start:

https://www.pcisecuritystandards.org/

I strongly recommend anything you do comply with such guidelines.

Joshua Rountree 11/08/07 11:22:32 AM EST

Hey, if you had to store credit card data in a database would you also store the key that was generated in a separate field?
How would you handle this for decryption purposes?

Please advise, thanks!

Jeff Houser 02/13/06 12:44:21 PM EST

Based on recent tests, it appears that the latest version of PGP (9.05) will not break the CF WSConfig tool. When I wrote this article I was using 9.02, which caused a lot of problems.

Jeff Houser 02/13/06 12:42:32 PM EST

Hi queZZtion,

Who knows what the next version will contain. Yes, I hope that CF adds native support for public / private key encryption. I don't know if it is being considered (or not).

news desk 01/25/06 09:54:35 PM EST

It is likely that at some point in your development career you had to deal with sensitive data. It might have been credit card numbers in an e-commerce site, or an employee identification number on an intranet. Perhaps you were setting up a security scheme and wanted to protect the passwords of the user.