Comments on: Notes: ColdFusion 8 Application Security http://blog.crankybit.com/notes-coldfusion-8-application-security/ Take a byte out of tech! Wed, 08 Feb 2012 15:54:01 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: RealTime - Questions: "Encrypt plain text passwords already in database?" http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-63050 RealTime - Questions: "Encrypt plain text passwords already in database?" Wed, 01 Dec 2010 19:41:13 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-63050 [...] to Use Mutt Email Client with Gmail An overview of core security features in TYPO3 4.3 | PIT Blog! Cranky Bit » Notes: ColdFusion 8 Application Security [...] [...] to Use Mutt Email Client with Gmail An overview of core security features in TYPO3 4.3 | PIT Blog! Cranky Bit » Notes: ColdFusion 8 Application Security [...]

]]> By: David http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-42604 David Fri, 09 Apr 2010 10:01:37 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-42604 Unable to find a constructor for class javax.crypto.spec.SecretKeySpec that accepts parameters of type ( java.lang.String, java.lang.String ). I'm getting this error message after run the above code. any idea? Unable to find a constructor for class javax.crypto.spec.SecretKeySpec that accepts parameters of type ( java.lang.String, java.lang.String ).

I’m getting this error message after run the above code. any idea?

]]> By: JonnyWipperSnapper http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-23997 JonnyWipperSnapper Mon, 22 Dec 2008 16:28:44 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-23997 Fantastic! I really needed this! Fantastic! I really needed this!

]]> By: Pablo Varando http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-10354 Pablo Varando Tue, 18 Dec 2007 04:57:56 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-10354 Code example... (original post the code was removed) [!--- Java Crypto Object to Secret Key ---] [cfset Seckey = CreateObject("Java", "javax.crypto.spec.SecretKeySpec") /] [!--- BASE 64 Decoder ---] [cfset B64Decoder = CreateObject("Java", "sun.misc.BASE64Decoder") /] [!--- Cipher ---] [cfset Dcipher = CreateObject("Java", "javax.crypto.Cipher") /] [cfset Seckey = Seckey.init(SharedKeyB64Decoded, "DESede") /] [cfset Dcipher = DCipher.getInstance("DESede") /] [cfset DTest = Dcipher.init(DCipher.ENCRYPT_MODE, Seckey) /] [!--- pass the byte array and finalize the dcipher object --- /] [cfset EncryptedText = B64Encoder.encode(Dcipher.doFinal(PlainText.getBytes())) /] Code example… (original post the code was removed)

[!--- Java Crypto Object to Secret Key ---]
[cfset Seckey = CreateObject("Java", "javax.crypto.spec.SecretKeySpec") /]

[!--- BASE 64 Decoder ---]
[cfset B64Decoder = CreateObject("Java", "sun.misc.BASE64Decoder") /]
[!--- Cipher ---]
[cfset Dcipher = CreateObject("Java", "javax.crypto.Cipher") /]

[cfset Seckey = Seckey.init(SharedKeyB64Decoded, "DESede") /]
[cfset Dcipher = DCipher.getInstance("DESede") /]
[cfset DTest = Dcipher.init(DCipher.ENCRYPT_MODE, Seckey) /]

[!--- pass the byte array and finalize the dcipher object --- /]
[cfset EncryptedText = B64Encoder.encode(Dcipher.doFinal(PlainText.getBytes())) /]

]]> By: Pablo Varando http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-10353 Pablo Varando Tue, 18 Dec 2007 04:55:09 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-10353 A note on 8. "If you need to read it back, Encrypt() and Decrypt(). Requires a secret key to encrypt and get it back. So the key has to be somewhere were your app can read it, so be sure to protect that key. Off the webroot and in a secure manner." You should really look to use 3DES (DeSede) or AES to encrypt your data. It is more secure then encrypt() decrypt() as it uses powerful encryption algorythms. Since ColdFusion sits on top of Java you can easily encrypt your data with the following object calls: <!--- Java Crypto Object to Secret Key ---> <!--- pass the byte array and finalize the dcipher object ---> That will give you far more powerful encryption over your data and will ensure you have less of a chance of being hacked in the end. A note on 8.

“If you need to read it back, Encrypt() and Decrypt(). Requires a secret key to encrypt and get it back. So the key has to be somewhere were your app can read it, so be sure to protect that key. Off the webroot and in a secure manner.”

You should really look to use 3DES (DeSede) or AES to encrypt your data. It is more secure then encrypt() decrypt() as it uses powerful encryption algorythms. Since ColdFusion sits on top of Java you can easily encrypt your data with the following object calls:

That will give you far more powerful encryption over your data and will ensure you have less of a chance of being hacked in the end.

]]> By: Steve Mac http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-4646 Steve Mac Thu, 27 Sep 2007 06:17:35 +0000 http://blog.crankybit.com/notes-coldfusion-8-application-security/#comment-4646 It’s very good article. Great site with very good look and perfect information. It’s very good article. Great site with very good look and perfect information.

]]>