Click here to close now.

Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Maureen O'Gara, Nancy Y. Nee, Tad Anderson, Daniel Kaar

Related Topics: ColdFusion

ColdFusion: Article

Public-Key Encryption

Making strong encryption nearly painless

How secure are your applications? Public-Key encryption may be the solution when security really matters.

If you have developed an application that requires user authentication, you have undoubtedly wrestled with varying levels of security. At a basic level, most security models revolve around membership, authentication, and authorization functions. Secure socket layers (SSL) is a popular method for securing the transmission of data between Web server and client. ColdFusion MX and ColdFusion 6.1 have very good integration with Java's Secure Socket Extensions Library, which is capable of 2048-bit encryption. While the transmission of the data over the Internet via SSL helps secure against electronic eavesdropping, the data stored in your applications may still be at risk.

The storage of passwords is a prime example of this security risk. If your database is compromised in some way, the attacker has access to all user accounts and passwords. As a result, programmers have developed various techniques for addressing this issue. ColdFusion itself has an encryption function available - encrypt() - that utilizes an XOR (exclusive OR) algorithm to generate a pseudo 32-bit symmetric key. Another method involves using ColdFusion's hash() function. The hash() function is based on an MD5 (message digest version 5) 128-bit hash algorithm that converts strings into 32-bit hexadecimal "fingerprint" or "message digest" representations of the original string. A stronger variant of this method involves introducing salt - a random string of some length - and concatenating it with the password before performing the hash function.

While storing an encrypted or hashed version of passwords using ColdFusion's built-in functions is a good practice, these methodologies fall a bit short when security is a real issue. The hash() function is a one-way encryption algorithm that can be decrypted only by brute force. MD5 hashing as a method of securing passwords and other data falls apart when one does a Google search of "MD5 crack." For unsalted hashes, the time needed to crack a single MD5 hash online is about 40 minutes (http://passcracking.com). Depending on your personal computer speeds, this can be done faster with a tool like md5crack (www.checksum.org/download/MD5Crack). In fact, in 1994 Paul van Oorschot and Mike Wiener showed that a brute force attack on a 128-bit hash function requires 264 (2.1019) evaluations to crack; at the time such a crack would take less than a month with a $10 million investment in hardware.

To deal with the shortcomings of 128-bit hash functions, stronger encryption algorithms have been invented. Today's 160-bit encryption algorithms such as SHA1 (secure hash algorithm, www.w3.org/PICS/DSig/SHA1_1_0.html) and RipeMD160 (www.esat.kuleuven.ac.be/~bosselae/ripemd160.html) increase the time required for a brute force attack. For areas where a 160-bit hash is still not strong enough, SHA also comes in 256-bit, 384-bit, and 512-bit data lengths for added security in one-way encryption.

Because hash() is a one-way encryption algorithm, it is most appropriate when text does not need to be read (as in the case of passwords). By contrast, the encrypt() function utilizes symmetric-key cryptography, meaning that both the sender and receiver of the string share a common key used to encrypt and decrypt the string. Thus, the private key must at some point be transferred in some secure way, and is only effective if the symmetric key is kept secret.

In ColdFusion, this transfer is done on the server in memory when a page with the encrypt() function is requested, which keeps the transmission of the passphrase reasonably secure. Yet, in the case of encrypt(),the key is actually passed in both the encrypt() and decrypt() functions as plain text:

<cfscript>
   password = "Th1s !s A R@alLy str0nG pA5Sw0rD!";
   symmetricKey = "pa$sPhrAs3 f0r 3ncRypt1ng p4s$w0rDs";

   encrypted = encrypt(password, symmetricKey);
   decrypted = decrypt(encrypted, symmetricKey);
</cfscript>

<cfoutput>
<p>#encrypted# <br/> #decrypted#</p>
</cfoutput>

Depending on who has access to your code, this could be a recipe for disaster.

When you need to be able to encrypt and decrypt, additional steps must be taken. ColdFusion's encrypt() function can be decrypted, but the key must be passed in the code on the server, causing a security issue (plus encrypted data placed on the Web can be fairly easily cracked using any number of free tools available on the Internet.

An alternative to ColdFusion's private-key encryption method is public-key encryption. Public-key encryption - or asymmetric encryption - requires two keys - one private and one public. Data encrypted with your public key can be decrypted only with your private key, allowing you to freely distribute your public key in a non-secure manner (i.e., as clear text posted on a Web page). Asymmetric encryption uses longer algorithms for calculating file fingerprints than symmetric encryption algorithms, and is effective for generating significantly obfuscated data. As a brief side note, these algorithms are processor intensive, so using public key encryption may not be appropriate for very large files.

Unfortunately, in order to take advantage of asymmetric encryption in ColdFusion, you must look beyond built-in ColdFusion tools. The two big players in the realm of public-key cryptography are Pretty Good Privacy (PGP; www.pgp.com) and GNU Privacy Guard (GnuPG; www.gnupg.org). "GnuPG is a complete and free replacement for PGP," and since GnuPG does not depend on the patented International Data Encryption Algorithm (IDEA), there are no restrictions on its use, nor are there any licensing fees for integrating GnuPG into your applications. This last fact makes it an attractive candidate for developers, and is used in the examples for this article. Along with the strong two-way encryption algorithms (1024-bit DSA and ElGamal), GnuPG also supports stronger hashing functions (SHA1, RIPEMD160, and SHA256) for your one-way encryption needs.

More Stories By Wayne Graham

Wayne Graham is a systems administrator at the College of William and Mary's Earl Gregg Swem Library. Wayne is also the co-manager of the Williamsburg Macromedia User's Group and has been developing with ASP, Java, and ColdFusion since 2001.

Comments (10) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Thomas Gorgolione 07/23/08 05:05:27 PM EDT

You have to compile the code manually from the zip file (see post #5). I did that already, so if you want you can just download it here:

www.tgorg.com/etc/GnuPG.jar

Jeff 01/31/08 08:07:47 AM EST

Does anyone have the GnuPG.jar file? I found the CF component but that still needs the GnuPG.jar file to operate and the link in the article to get GnuPG.jar does not work.

Shaun 09/04/07 02:21:25 PM EDT

Found this:
http://res.sys-con.com/story/46359/source.html

William Broadhead 07/21/05 03:00:51 PM EDT

Good story. Very informative. One thing I would note is that in cf using the encrypt/decrypt: You don't have to, and shouldn't include the actual key in your code, NOR in your Database... A tecnnique I use is to store the key in a text file on the server in a directory that is accessible to coldfusion but NOT part of the http accessible directory. Using cffile you can read and load the information in the file to memory as an application key to use for hashing passwords while never having the key in your code nor in your database. Although obviously, as the article points out, security can never be completely infallible, this can reduce the capacity of your data to be compromised if you did somehow lose a copy of your database or page code, you would need also need to lose the file for someone to put it all together...

Mark 07/14/05 01:53:05 PM EDT

Great article, very well written.

Brad 03/28/05 10:13:32 AM EST

Great Article, convinced my peers to use this instead of upgrading to CF7Mx.

As for the gentleman looking for the source, click the Source Code link located under Related Sites. Scroll down... you're welcome.

Nguyen Tran 03/21/05 10:50:00 AM EST

Where to download the file? GnuPG.jar

The link you provided as:
www.sys-con.com/coldfusion/sourcec.cfm
Point to the page at:
http://sys-con.com/magazine/archives.cfm?id=5

On this page, there is no link to download the file GnuPG.jar

Please give us the link to download the file GnuPG.jar

Thank you

Tom 02/08/05 06:05:04 AM EST

hello,

i´ve the same problem: where is gnupg.jar?
regards, tom

Shane 12/16/04 11:14:17 AM EST

nevermind.... I found it.

Shane 12/16/04 11:09:21 AM EST

Great article. I've been looking forward to trying this out but haven't been able to find the gnupg.jar file. Am I overlooking it somewhere? Please advise.

Thanks.

@ThingsExpo Stories
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Things. Akana enables enterprises to share data as APIs, connect and integrate applications, drive part...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Liaison Technologies, a leading provider of data management and integration cloud services and solutions, has been named "Silver Sponsor" of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York, NY. Liaison Technologies is a recognized market leader in providing cloud-enabled data integration and data management solutions to break down complex information barriers, enabling enterprises to make smarter decisions, faster.
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional Social, Mobile and Cloud user experiences, our solutions help large and medium-sized organizations dr...
Cloud is not a commodity. And no matter what you call it, computing doesn’t come out of the sky. It comes from physical hardware inside brick and mortar facilities connected by hundreds of miles of networking cable. And no two clouds are built the same way. SoftLayer gives you the highest performing cloud infrastructure available. One platform that takes data centers around the world that are full of the widest range of cloud computing options, and then integrates and automates everything. Join SoftLayer on June 9 at 16th Cloud Expo to learn about IBM Cloud's SoftLayer platform, explore se...
The WebRTC Summit 2014 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the M2M space. This really allows some room for influential individuals to create more high value inter...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microservices, and more.
After making a doctor’s appointment via your mobile device, you receive a calendar invite. The day of your appointment, you get a reminder with the doctor’s location and contact information. As you enter the doctor’s exam room, the medical team is equipped with the latest tablet containing your medical history – he or she makes real time updates to your medical file. At the end of your visit, you receive an electronic prescription to your preferred pharmacy and can schedule your next appointment.
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...