The encrypt and decrypt functions have been enhanced to accept optional arguments that were not in the original ColdFusion MX 7 documentation. The online documentation for ColdFusion MX 7 Security Functions contains usage information about these cryptographic functions, and this TechNote contains extended information about how to use them.
The arguments to the encrypt and decrypt functions are changed as follows:
Encrypt(string, key, [algorithm, encoding, IVorSalt, iterations])
Decrypt(string, key, [algorithm, encoding, IVorSalt, iterations])
- string String to encrypt or decrypt. This is always interpreted as a UTF-8 string for ColdFusion encryption.
- key Encryption key or password.
  - For the CFMX_COMPAT algorithm, a string used as a seed to generate a 32-bit encryption key.
  - For Block Encryption algorithms, a key in the format used by the algorithm. For these algorithms, use the GenerateSecretKey function to generate the key.
  - For Password Based Encryption algorithms (names starting with PBE), the password or passphrase.
- algorithm (Optional) The algorithm to use to encrypt or decrypt the string. ColdFusion MX includes both a backwards-compatible algorithm and the default algorithms provided by the Java Runtime:
  - Compatibility Algorithm
    - CFMX_COMPAT: (Default) The algorithm used in ColdFusion MX and prior releases. This algorithm is the least secure option.
  - Block Encryption Algorithms
    - AES: The Advanced Encryption Standard specified by U.S. National Institute of Standards and Technology (NIST) FIPS-197.
    - BLOWFISH: The Blowfish algorithm defined by Bruce Schneier.
    - DES: The Data Encryption Standard algorithm defined by NIST FIPS-46-3.
    - DESEDE: The "Triple DES" algorithm defined by NIST FIPS-46-3.
  - Password Based Encryption Algorithms
    - PBEWithMD5AndDES: A password-based version of the DES algorithm that uses the MD5 hash to change your password into an encryption key.
    - PBEWithMD5AndTripleDES: A password-based version of the DESEDE algorithm that uses the MD5 hash to change your password into an encryption key. This algorithm is added if you install the Sun Unlimited Strength Jurisdiction Policy Files for Java 1.4.2.
  If you install a Java Cryptography Extension (JCE) security provider, you can use the additional encryption and decryption algorithms it provides.
- encoding (Optional; if you specify this parameter, you must also specify the algorithm parameter) The binary encoding in which to represent the encrypted data as a string.
  - Base64: Use the Base64 algorithm, as specified by IETF RFC 2045.
  - Hex: Use the characters A-F and 0-9 to represent the hexadecimal byte values.
  - UU: (Default) Use the UUEncode algorithm.
- IVorSalt (Optional; if you specify this parameter, you must also specify the algorithm parameter) You may specify this optional parameter to adjust ColdFusion encryption to match the details of other encryption software.
  - For Block Encryption Algorithms: This is the binary Initialization Vector value to use with the algorithm. The algorithm must contain a Feedback Mode (see below) other than ECB. This must be a binary value that is exactly the same size as the algorithm block size (see below). The same value must be passed to Decrypt to successfully decrypt the data.
  - For Password Based Encryption Algorithms: This is the binary Salt value to transform the password into a key. The same value must be used to decrypt the data.
- iterations (Optional; if you specify this parameter, you must also specify the algorithm parameter with a Password Based Encryption (PBE) algorithm) You may specify this optional parameter to adjust ColdFusion encryption to match the details of other encryption software. This is the number of iterations to transform the password into a binary key. Do not specify this parameter for Block Encryption Algorithms. The same value must be used to decrypt the data.
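The salt and iterations arguments control how a PBE password becomes a key. As an added example (not code from this TechNote or from ColdFusion), the Python below carries out the PBES1 derivation of RFC 8018 that the name PBEWithMD5AndDES denotes, which is what other software has to reproduce to interoperate. It assumes ColdFusion uses the Java Runtime's PBEWithMD5AndDES unchanged; the function names and sample values are constructed for illustration.

```python
import hashlib

def pbes1_md5_des(password, salt, iterations):
    """Derive (des_key, iv) as PBES1 with MD5 and DES does (RFC 8018, section 6.1)."""
    if len(salt) != 8:
        raise ValueError("PBES1 uses an 8-byte salt")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    # Assumption: ASCII password, as the Sun JCE provider requires for PBE keys.
    block = password.encode("ascii") + salt
    for _ in range(iterations):
        block = hashlib.md5(block).digest()   # PBKDF1: hash the previous output again
    return block[:8], block[8:]               # 8-byte DES key, 8-byte CBC IV

def decrypt_would_match(enc_side, dec_side):
    """True only when both sides derive the same key and IV."""
    return pbes1_md5_des(**enc_side) == pbes1_md5_des(**dec_side)

# Constructed sample parameters, not values taken from ColdFusion.
ENCRYPT_SIDE = {
    "password": "correct horse",
    "salt": bytes.fromhex("0102030405060708"),
    "iterations": 1000,
}

if __name__ == "__main__":
    key, iv = pbes1_md5_des(**ENCRYPT_SIDE)
    print("key", key.hex(), "iv", iv.hex())
    # Changing either value on the decrypting side yields a different key.
    for name, value in (("iterations", 999), ("salt", bytes(8))):
        other = dict(ENCRYPT_SIDE, **{name: value})
        print(name, "changed ->", decrypt_would_match(ENCRYPT_SIDE, other))
```

The derived key is only 8 bytes and comes from MD5, so the salt and iteration count affect interoperability and guessing cost but do not raise the strength of DES itself.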
ColdFusion MX 7.0.1 adds two additional encryption functions that encrypt binary values (bytes) and return binary values:
EncryptBinary(bytes, key, [algorithm ,IVorSalt ,iterations])
DecryptBinary(bytes, key, [algorithm ,IVorSalt ,iterations])
- bytes Binary data to encrypt or decrypt.
- key Encryption key or password. See Encrypt and Decrypt functions for details.
- algorithm (Optional) The algorithm to use to encrypt or decrypt the string. See Encrypt and Decrypt functions for details.
- IVorSalt (Optional; if you specify this parameter, you must also specify the algorithm parameter) See Encrypt and Decrypt functions for details.
- iterations (Optional; if you specify this parameter, you must also specify the algorithm parameter with a Password Based Encryption (PBE) algorithm) See Encrypt and Decrypt functions for details.
The binary functions are useful for interchange with other software in two circumstances: