Public-Key Encryption

Making strong encryption nearly painless

Installation
The first step in integrating GnuPG for ColdFusion is downloading the GnuPG binaries (or source code, for the more adventurous). Binaries are available at www.gnupg.org/(en)/download/index.html for most operating systems (examples in this article are based on a Windows implementation). Once you have downloaded the binaries, it is a good idea to verify the signature or MD5 checksum on the file to validate the integrity of the download. If you already have a version of GnuPG (or PGP), import the public key from www.gnupg.org/(en)/signature_key.htm and the appropriate signature file from the main GnuPG download page. Verify the signature file by opening the command prompt, navigating to the location of the compressed binaries and signature file, and typing:

gpg --verify "gnupg-w32cli-1.2.5.zip.sig"

You should see:

gpg --verify "gnupg-w32cli-1.2.5.zip.sig"
gpg: Signature made 07/26/04 05:48:55 using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD

You have a good signature from Werner Koch for this file. The warning means that GnuPG has no trust path to the signing key yet: the signature is cryptographically valid, but nothing in your keyring vouches for the key. Before going further, compare the primary key fingerprint printed above with the one published on the GnuPG site, since assigning trust to a key you have not checked defeats the purpose of the verification. To remove the warning, you tell GnuPG how far you trust the key with the "--edit-key" command:

gpg --edit-key "dd9jn@gnu.org"

You will see:

gpg (GnuPG) 1.2.5; Copyright © 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub 1024D/57548DCD created: 1998-07-07 expires: 2004-12-31 trust: -/-
(1). Werner Koch (gnupg sig) <dd9jn@gnu.org>

Command>

You will notice that there is a prompt named Command. At this prompt, type "trust" to bring up the trust options:

pub 1024D/57548DCD created: 1998-07-07 expires: 2004-12-31 trust: -/-
(1). Werner Koch (gnupg sig) <dd9jn@gnu.org>

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

1 = Don't know
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision?

I chose "5" to ultimately trust the key, and verified my choice.

pub 1024D/57548DCD created: 1998-07-07 expires: 2004-12-31 trust: f/-
(1). Werner Koch (gnupg sig) <dd9jn@gnu.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command>

Type "quit" to exit GnuPG's command prompt. Now, if you run the same verification as before (gpg --verify "gnupg-w32cli-1.2.5.zip.sig"), you will see:

gpg: Signature made 07/26/04 08:48:55 using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
gpg: check the trustdb
gpg: checking at depth 0 signed=0 of(-/q/n/m/f/u)=0/0/0/0/06
gpg: next trustdb check due at 2004-12-31

Please note that this is a detached signature, so both the signature file and downloaded file need to be in the same directory.

If you do not have a version of GnuPG (or PGP), you will need an MD5 checker like FastSum (www.fastsum.com) to compare the file's checksum with the one published on the download page. Keep in mind that a checksum only detects a corrupted or incomplete download; unlike the signature check above, it does not prove who produced the file, because anyone able to replace the download can usually replace the published checksum too. The command for checking the MD5 checksum will look like this:

C:\fastSum\fastSum.exe locationOfGnuPGDownload\gnupg-w32cli-1.2.5.zip

The result will look like this:

MD5 Checksum calculation and verification utility. [1.6.0.92] EN
(C) 2003 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com

Calculating...

c:\downloads\gnupg-w32cli-1.2.5.zip    3D93D73942117C4C0182CB15E01DE70F

Calculation summary:
Processed 1 files in 0 folders with total size 1.43 Mb.
Elapsed time: 00:00:00 Average speed: 27.72 Mb\Sec.
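The same two checks, scripted so they can run unattended (for example from a build or deployment step) instead of through the interactive --edit-key session. This is an added example, not code from the article: it assumes gpg is on the PATH, pins the primary key fingerprint shown in the article's gpg output, reads gpg's machine-readable --status-fd lines rather than its human-readable text, and falls back to an MD5 comparison where gpg is unavailable. The sample status output at the bottom is constructed to match the article's session, not captured from a real run.

```python
import hashlib
import subprocess

# Primary key fingerprint printed by gpg in the article's verification output.
GNUPG_SIGNING_FPR = "6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD"

def parse_status(status_text):
    """Turn '[GNUPG:] KEYWORD args...' lines from --status-fd into {KEYWORD: [args]}."""
    status = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            status[parts[1]] = parts[2:]
    return status

def signature_ok(status_text, expected_fpr):
    """True only for a good signature made by the pinned key.
    VALIDSIG's first field is the signing key's fingerprint; newer gpg versions append
    the primary key fingerprint as the last field. TRUST_* lines are ignored on purpose:
    a pinned fingerprint replaces the interactive --edit-key trust decision."""
    status = parse_status(status_text)
    if "GOODSIG" not in status or not status.get("VALIDSIG"):
        return False
    pinned = expected_fpr.replace(" ", "").upper()
    fields = status["VALIDSIG"]
    return pinned in (fields[0].upper(), fields[-1].upper())

def verify_download(sig_path, file_path, expected_fpr=GNUPG_SIGNING_FPR):
    """Run gpg (assumed on PATH) on a detached signature and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return signature_ok(proc.stdout, expected_fpr)

def checksum_matches(data, expected_hex):
    """MD5 fallback for hosts without gpg: catches a corrupted download, not a swapped one."""
    return hashlib.md5(data).hexdigest() == expected_hex.replace(" ", "").lower()

# Constructed status output modelled on the article's session, not captured from a real run.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@gnu.org>
[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2004-07-26 1090820935 0 3 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD
[GNUPG:] TRUST_UNDEFINED
"""
```

Because the decision rests on the pinned fingerprint, the check passes even while gpg still reports TRUST_UNDEFINED, and fails for a good signature from any other key.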

More Stories By Wayne Graham

Wayne Graham is a systems administrator at the College of William and Mary's Earl Gregg Swem Library. Wayne is also the co-manager of the Williamsburg Macromedia User's Group and has been developing with ASP, Java, and ColdFusion since 2001.

Most Recent Comments
Thomas Gorgolione 07/23/08 05:05:27 PM EDT

You have to compile the code manually from the zip file (see post #5). I did that already, so if you want you can just download it here:

www.tgorg.com/etc/GnuPG.jar

Jeff 01/31/08 08:07:47 AM EST

Does anyone have the GnuPG.jar file? I found the CF component but that still needs the GnuPG.jar file to operate and the link in the article to get GnuPG.jar does not work.

Shaun 09/04/07 02:21:25 PM EDT

Found this:
http://res.sys-con.com/story/46359/source.html

William Broadhead 07/21/05 03:00:51 PM EDT

Good story. Very informative. One thing I would note is that in CF using the encrypt/decrypt: You don't have to, and shouldn't, include the actual key in your code, NOR in your database... A technique I use is to store the key in a text file on the server in a directory that is accessible to ColdFusion but NOT part of the HTTP-accessible directory. Using cffile you can read and load the information in the file into memory as an application key to use for hashing passwords while never having the key in your code nor in your database. Although obviously, as the article points out, security can never be completely infallible, this can reduce the capacity of your data to be compromised: if you did somehow lose a copy of your database or page code, you would also need to lose the file for someone to put it all together...

Mark 07/14/05 01:53:05 PM EDT

Great article, very well written.

Brad 03/28/05 10:13:32 AM EST

Great Article, convinced my peers to use this instead of upgrading to CF7Mx.

As for the gentleman looking for the source, click the Source Code link located under Related Sites. Scroll down... you're welcome.

Nguyen Tran 03/21/05 10:50:00 AM EST

Where to download the file? GnuPG.jar

The link you provided as:
www.sys-con.com/coldfusion/sourcec.cfm
Point to the page at:
http://sys-con.com/magazine/archives.cfm?id=5

On this page, there is no link to download the file GnuPG.jar

Please give us the link to download the file GnuPG.jar

Thank you

Tom 02/08/05 06:05:04 AM EST

Hello,

I've the same problem: where is gnupg.jar?
Regards, Tom

Shane 12/16/04 11:14:17 AM EST

Never mind... I found it.

Shane 12/16/04 11:09:21 AM EST

Great article. I've been looking forward to trying this out but haven't been able to find the gnupg.jar file. Am I overlooking it somewhere? Please advise.

Thanks.