Crypto in ColdFusion

Jan 24, 2000

by Michael Dinowitz

I want to start this article with a word of thanks to Allaire. After writing this article a few months back, I told them about it during a conversation concerning functions. They mentioned that they would show it to their new documentation team. I didn't hear back from them, but last week I found a great article on both crypto and the Hash function (Dec. 27, 1999 - Jan. 2, 2000 issue of FA). This article was great. The new documentation team really knows what they're doing and I'm impressed. The only thing they missed was the CFusion_Encrypt() and CFusion_Decrypt() functions. For that reason, I'm reposting my article with both more information and a better layout. Between this article and Allaire's, you should know a lot about how encryption is handled in ColdFusion.

A distinct difference exists between CF 4.0.x and 4.5 when it comes to cryptography (crypto) functions. Before we go into the specifics, let's examine the two types of crypto functions that exist and how they're used. The first set of crypto functions in ColdFusion are the older, but hidden, CFusion_Encrypt()/CFusion_Decrypt(). These functions are used in the CFAdmin and they've been in existence since CF 3.0. The 'official' functions used in general programs are Encrypt()/Decrypt(), which have existed since CF 4.0.

CFusion_Encrypt()/CFusion_Decrypt()

Personally, I believe that these are the best of the encryption functions. The result is a long string of numbers twice the length of the original string. It's clean, efficient and easy to store. The only downside is that it's easier to crack with the right information. Rather than go into how to crack an encrypted block or how it's encrypted, I'm going to point you to the book review for Applied Cryptography in the review section of this issue.

A small disclaimer here. These functions are 'administrative' in ColdFusion and are not documented anywhere other than here. Allaire does not suggest using them and offers no support for their use.

Encrypt()/Decrypt()

These are the 'standard' crypto functions in ColdFusion. Where the above CFusion_Encrypt() function returns a string of a rather set length and composed only of numbers, the Encrypt() function returns a string of varying length and of varying characters. This is a strength and a weakness. Having more 'randomness' thrown in results in a stronger encrypted value. Unfortunately, the characters that can be returned may result in errors in a developer's code. Characters such as single quotes ('), spaces ( ) and pound signs (#) can cause problems in saving the values, outputting them, and even in some cases decrypting them. The reason for this is a mystery to me at the moment, but it is one I'll mention to Allaire.

Another issue with these functions is more of a version issue. In versions of ColdFusion before 4.5, extra characters were added to the encrypted value. These characters were removed when the Decrypt() function was used, but the storage and comparison of these values was a problem. The 'extra' characters were one of four different sets of three characters each. If we assume an Encrypt() function that simply encrypts a single character, the following 4 results may be expected. The first 2 characters are the actual encrypted character while the last three are the 'extras':

!4'X[ 
!4,LY 
!4$X$ 
!4.D@ 
This is a problem when comparing encrypted strings. The same source string may not encrypt to the same result.
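The two pitfalls described above (special characters in the Encrypt() output, and pre-4.5 ciphertexts that differ for the same input) can be handled together. The following is an added example, not code from the original article; it assumes ColdFusion 4.0 or later with the built-in Encrypt(), Decrypt(), URLEncodedFormat(), URLDecode(), Compare() and YesNoFormat() functions, and the key and plaintext are constructed sample values.

```cfml
<!--- Added example (not from the original article). Assumes CF 4.0+ built-ins:
      Encrypt(), Decrypt(), URLEncodedFormat(), URLDecode(), Compare(). --->
<CFSET Key="test">          <!--- constructed sample key --->
<CFSET Plain="a test">      <!--- constructed sample plaintext --->

<!--- Encrypt twice. On CF versions before 4.5 the two ciphertexts may differ
      in the three trailing 'extra' characters, so comparing ciphertexts
      is not a reliable equality test. --->
<CFSET Cipher1=Encrypt(Plain, Key)>
<CFSET Cipher2=Encrypt(Plain, Key)>

<!--- URL-encode before storing or echoing: spaces, single quotes and pound
      signs become %20, %27 and %23, so the stored form contains none of the
      characters that break CFOUTPUT, a URL or a quoted SQL literal. --->
<CFSET Stored=URLEncodedFormat(Cipher1)>

<CFOUTPUT>
Stored (encoded) value: |#Stored#|<BR>
Raw ciphertexts identical: #YesNoFormat(Compare(Cipher1, Cipher2) EQ 0)#<BR>
</CFOUTPUT>

<!--- Test equality by decrypting the stored value and comparing plaintexts,
      never by comparing two ciphertexts. --->
<CFSET Recovered=Decrypt(URLDecode(Stored), Key)>
<CFIF Compare(Recovered, Plain) EQ 0>
  <CFOUTPUT>Round trip OK: |#Recovered#|<BR></CFOUTPUT>
<CFELSE>
  <CFOUTPUT>Round trip FAILED<BR></CFOUTPUT>
</CFIF>
```

On CF 4.0.x the "Raw ciphertexts identical" line may print No while the round trip still succeeds, which is exactly why the comparison goes through Decrypt().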

Which to use

Once you know the differences between the two groups of functions, you can decide which to use. I prefer the CFusion version of the functions, as I can always depend on the values being returned. The choice is expanded when you think of using the Hash() function as well. What to use all depends on the application you're writing and your personal preference. The only thing I ask is for you to know all the crypto options around.

CFusion_Decrypt(String, Key)

String

(Required; accepts: String) String to be decrypted.

Key

(Required; accepts: String) Key used to decrypt the String.

This function will take a string that has been encrypted with CFusion_Encrypt() and decrypt it using the key. This function will only decrypt strings that have first been encrypted by CFusion_Encrypt().
<CFSET Test1=CFusion_Decrypt('154507110711', 'test')>

<CFOUTPUT>
|#Test1#|<BR>
</CFOUTPUT>
Results:
|a test|

Data Type: String
Category: Crypto
Version: 3.0
Related Functions: CFusion_Encrypt(), Decrypt()

CFusion_Encrypt(String, Key)

String

(Required; accepts: String) String to be encrypted.

Key

(Required; accepts: String) Encryption key used to encrypt the String.

This function will take a string and encrypt it using the key. This will result in a numeric string that will be twice the length of the source string. This process can be reversed using the CFusion_Decrypt() function.
<CFSET Test1=CFusion_Encrypt('a test', 'test')>

<CFOUTPUT>
|#Test1#|<BR>
</CFOUTPUT>
Results:
|154507110711|

Data Type: String
Category: Crypto
Version: 3.0
Related Functions: CFusion_Decrypt(), Encrypt()

Decrypt(String, Key)

String

(Required; accepts: String) String to be decrypted.

Key

(Required; accepts: String) Key used to decrypt the String.

This function will take a string that has been encrypted with Encrypt() and decrypt it using the key. This function will only decrypt strings that have first been encrypted by Encrypt(). If you look below at the Encrypt() function, you'll see that the result of the encryption is a string that contains a space as well as a single quote. This causes a problem with the decrypt in some cases. For this reason, the example includes the Encrypt() function to set the string as well as the Decrypt() function to decrypt it.
<CFSET String=Encrypt('a test', 'test')>
<CFSET Test1=Decrypt(string, 'test')>

<CFOUTPUT>
|#Test1#|<BR>
</CFOUTPUT>
Results:
|a test|

Data Type: String
Category: Crypto
Version: 4.0
Related Functions: Encrypt(), CFusion_Decrypt()

Encrypt(String, Key)

String

(Required; accepts: String) String to be encrypted.

Key

(Required; accepts: String) Encryption key used to encrypt the String.

This function will take a string and encrypt it using the key. This will result in a numeric string that will be twice the length of the source string. This process can be reversed using the Decrypt() function. Note that the results of this function will differ based on the version of ColdFusion you are using. Versions of ColdFusion earlier than 4.5 added one of 4 different sets of 3 characters to the end of an encrypted string. The 4 sets were:
'X[ 
,LY 
$X$ 
.D@ 
This behavior was removed in ColdFusion 4.5. The string that results from this function will be between 1.5 and 2.5 times the length of the original string. In addition, the result string can contain special characters including spaces ( ), single quotes (') and pound signs (#), all of which can cause problems in many cases.

<CFSET Test1=Encrypt('a test', 'test')>

<CFOUTPUT>
|#Test1#|<BR>
</CFOUTPUT>
Results:
|&<$R9K&V' |

Data Type: String
Category: Crypto
Version: 4.0
Related Functions: Decrypt(), CFusion_Encrypt()
