Encrypts a string using a specific algorithm and encoding method.
String; can be much longer than the original string.
Security functions, String functions
Encrypt(string
,key
[,algorithm
,encoding
,IVorSalt
,iterations
])
Decrypt, EncryptBinary, DecryptBinary
ColdFusion 8: Added support for encryption using the RSA BSafe Crypto-J library on Enterprise Edition.
ColdFusion MX 7.01 : Added the IVorSalt
and iterations
parameters.
ColdFusion MX 7: Added the algorithm
and encoding
parameters.
Parameter |
Description |
---|---|
string |
String to encrypt. |
key |
String. Key or seed used to encrypt the string.
|
algorithm |
(Optional) The algorithm to use to encrypt the string. The Enterprise Edition of ColdFusion installs the RSA BSafe Crypto-J library, which provides FIPS-140 Compliant Strong Cryptography. It includes the following algorithms:
|
|
|
|
|
|
|
In addition to these algorithms, you can use the algorithms provided in the Standard Edition of ColdFusion. |
|
The Standard Edition of ColdFusion installs a cryptography library with the following algorithms:
If you install a security provider with additional cryptography algorithms, you can also specify any of its string encryption and decryption algorithms. |
|
encoding |
(Optional; if you specify this parameter, you must also specify the
|
IVorSalt |
(Optional) Specify this parameter to adjust ColdFusion encryption to match the details of other encryption software. If you specify this parameter, you must also specify the
|
iterations |
(Optional) The number of iterations to transform the password into a binary key. Specify this parameter to adjust ColdFusion encryption to match the details of other encryption software. If you specify this parameter, you must also specify the algorithm parameter with a Password Based Encryption (PBE) algorithm. Do not specify this parameter for Block Encryption algorithms. You must use the same value to encrypt and decrypt the data. |
This function uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string. The security of the encrypted string depends on maintaining the secrecy of the key.
The following are the FIPS-140 approved algorithms included in the RSA BSafe Crypto-J library:
All algorithms included in the RSA BSafe Crypto-J library are available for use in the Enterprise Edition. In certain cases, you may want to restrict the available algorithms to FIPS-140 approved algorithms only. To do so, you specify the following in the JVM arguments on the Java and JVM page of the ColdFusion Administrator:
-Dcoldfusion.enablefipscrypto=true
FIPS-140 approved cryptography is not available if you are running ColdFusion on Websphere of JBoss.
To use the IBM/Lotus Sametime Instant Messaging Gateway in the Enterprise edition, you must disable the FIPS-140-only cryptography setting by specifying the following in the JVM arguments on the Java and JVM page of the ColdFusion Administrator:
-Dcoldfusion.disablejsafe=true
In Standard Edition, for all algorithms except the default algorithm, ColdFusion uses the Java Cryptography Extension (JCE) and installs a Sun Java runtime that includes the Sun JCE default security provider. This provider includes the algorithms listed in the Parameters section. The JCE framework includes facilities for using other provider implementations; however, cannot provide technical support for third-party security providers.
The default algorithm, which is the same one used in ColdFusion 5 and ColdFusion MX, uses an XOR-based algorithm that uses a pseudo-random 32-bit key, based on a seed passed by the user as a function parameter. This algorithm is less secure than the other available algorithms.
The following example encrypts and decrypts a text string. It lets you specify the encryption algorithm and encoding technique. It also has a field for a key seed to use with the CFMX_COMPAT algorithm. For all other algorithms, it generates a secret key.
<h3>Encrypt Example</h3> <!--- Do the following if the form has been submitted. ---> <cfif IsDefined("Form.myString")> <cfscript> /* GenerateSecretKey does not generate key for the CFMX_COMPAT algorithm, so use the key from the form. */ if (Form.myAlgorithm EQ "CFMX_COMPAT") theKey=Form.MyKey; // For all other encryption techniques, generate a secret key. else theKey=generateSecretKey(Form.myAlgorithm); //Encrypt the string encrypted=encrypt(Form.myString, theKey, Form.myAlgorithm, Form.myEncoding); //Decrypt it decrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding); </cfscript> <!--- Display the values used for encryption and decryption, and the results. ---> <cfoutput> <b>The algorithm:</b> #Form.myAlgorithm#<br> <b>The key:</B> #theKey#<br> <br> <b>The string:</b> #Form.myString# <br> <br> <b>Encrypted:</b> #encrypted#<br> <br> <b>Decrypted:</b> #decrypted#<br> </cfoutput> </cfif> <!--- The input form.---> <form action="#CGI.SCRIPT_NAME#" method="post"> <b>Select the encoding</b><br> <select size="1" name="myEncoding"> <option selected>UU</option> <option>Base64</option> <option>Hex</option> </select><br> <br> <b>Select the algorithm</b><br> <select size="1" name="myAlgorithm"> <option selected>CFMX_COMPAT</option> <option>AES</option> <option>DES</option> <option>DESEDE</option> </select><br> <br> <b>Input your key</b> (used for CFMX_COMPAT encryption only)<br> <input type = "Text" name = "myKey" value = "MyKey"><br> <br> <b>Enter string to encrypt</b><br> <textArea name = "myString" cols = "40" rows = "5" WRAP = "VIRTUAL">This string will be encrypted (you can replace it with more typing). </textArea><br> <input type = "Submit" value = "Encrypt my String"> </form>