jeffcoughlin.com

Going Down to CFUNITED-05

I've been trying to decide for the last few months whether or not to go to this year's CFUNITED conference and I finally gave in to my temptations.

I don't mind driving down there (it should only be half a day's drive); however, this can get pricey fast (gas, hotel, admission, etc.). So I'm planning to ask around the Hartford area (probably at the next Hartford CFUG meeting) to see if anyone is interested in carpooling and/or sharing a suite or something.

Let me know if anyone is interested. I'm planning on leaving the Hartford, CT area early Tuesday morning (June 28, 2005). If you live near CT or MA (or are along the way) contact me and maybe a few of us can think of something.

Comments
Jeff,
I am trying to find out how to improve security re uploads and downloads at a DOD site. The site is open to the web with good login protection, https etc. but they have prohibited CF upload for years.

Is there some way we could encrypt/decrypt common file types (.xls, .doc, .pdf) during the process? Or some other approach to convince the security types that CF is a good tool?

They are using FTP and uploading to a single directory now, which I don't think is any better.

Thanks for any insights you may have.
I got CF 7 yesterday and hope to try that doc tag soon.

Enjoyed your BLOG

John Wells
#1 by John Wells | 5/10/05 4:25 PM
John,

I'm glad you enjoy reading my blog. :)

The U.S. Dept of Defense can have some pretty tight security restrictions depending on the project. FTP itself is very unsecure unless using SFTP (I prefer SSH). This doesn't make it perfect, but FTP alone is very open to hackers.

With regards to the encrypt() and decrypt() functions in ColdFusion you might want a little background. First let me say that no type of encryption is foolproof (at least none that I know of). The question is how strong do you want your encryption? ColdFusion's encrypt() function uses an XOR-based algorithm to create a random 32-bit key (using the seed provided to the encrypt() function). The result is a UUencoded string. If the DOD requires stronger encryption (such as 1024 or 2048) then you may want to look at a third-party product (see below).

What have I used in the past? I prefer tunneling (VPN). It's been around for years and is preferred by most companies. It is not always an ideal solution, so you'll have to decide if it works for you.

In the custom tag I provided on my site I used ToBase64() in order to allow the ability to transport binary ASCII data over SMTP and/or HTTP protocols.

"XOR Pros and Cons"

Pros:
- For string encryption it's very fast (using DES and AES can take longer)

Cons:
- Like any encryption function that can be decrypted, it can be reverse-engineered. Here's an example of brute forcing an XOR-based encryption (http://browsex.com/XOR.html).

If the 32-bit encryption is not strong enough for your problem then don't turn down ColdFusion just yet. As long as you're using CFMX 6 or greater you can always consider a Java-based solution and just call it right from ColdFusion (if you're using CF4 - CF5 then you'd have to use a CFX solution).

Example:
<cfscript>
oEncryption = createObject("java", "javapath.customEncrypt");
myEncryptedVar = oEncryption.encrypt("text");
</cfscript>

---

One last note: You did ask about encrypting PDFs. CF7 introduced the tag CFDOCUMENT. Using this tag you can create a PDF from your data (or HTML) and encrypt it (using either 32-bit or 128-bit encryption).
#3 by Jeff Coughlin | 5/11/05 10:37 AM
Well, this will teach me to speak before I research... :)

I just found on Macromedia's website that CF7 introduced strong encryption in the encrypt() function. This may be of some interest to the DOD. Looks like I'll have to update that custom tag now :).

http://www.macromedia.com/cfusion/knowledgebase/in...
#4 by Jeff Coughlin | 5/11/05 10:42 AM
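
The approach discussed in this thread (Base64 the file, then use CF7's stronger encrypt()) could look like the following. This is an added example, not code from the thread or from Jeff's custom tag; the paths, the form field name "upload" and the key-file handling are assumptions.

```cfml
<!--- Added example using ColdFusion MX 7 functions. All paths and the
      form field name "upload" are assumed values, not from the thread. --->
<cfset storeDir = "D:\secure_store">           <!--- assumed: outside the web root --->
<cfset keyFile  = "D:\secure_keys\upload.key"> <!--- assumed: readable only by the CF service account --->

<!--- One-time setup: generateSecretKey() returns a Base64-encoded AES key. --->
<cfif NOT fileExists(keyFile)>
    <cffile action="write" file="#keyFile#" output="#generateSecretKey('AES')#" addnewline="no">
</cfif>
<cffile action="read" file="#keyFile#" variable="aesKey">
<cfset aesKey = trim(aesKey)>

<!--- Receive the upload into the non-web directory under a unique name. --->
<cffile action="upload" fileField="upload" destination="#storeDir#" nameConflict="makeunique">
<cfset plainPath = cffile.serverDirectory & "\" & cffile.serverFile>

<!--- Accept only the document types named in the question. --->
<cfif NOT listFindNoCase("xls,doc,pdf", cffile.serverFileExt)>
    <cffile action="delete" file="#plainPath#">
    <cfabort showerror="File type not allowed.">
</cfif>

<!--- encrypt() works on strings, so Base64 the bytes first, then encrypt.
      Naming the mode avoids the ECB default that plain "AES" selects. --->
<cffile action="readBinary" file="#plainPath#" variable="fileBytes">
<cfset cipherText = encrypt(toBase64(fileBytes), aesKey, "AES/CBC/PKCS5Padding", "Base64")>
<cffile action="write" file="#plainPath#.enc" output="#cipherText#" addnewline="no">
<cffile action="delete" file="#plainPath#">

<!--- Download side (normally a separate, login-protected page):
      decrypt, convert the Base64 text back to bytes, and stream it. --->
<cffile action="read" file="#plainPath#.enc" variable="stored">
<cfset originalBytes = toBinary(decrypt(stored, aesKey, "AES/CBC/PKCS5Padding", "Base64"))>
<cfcontent type="application/octet-stream" variable="#originalBytes#">
```

This protects the stored file's confidentiality only: it does not authenticate the ciphertext, and the plaintext exists briefly on disk between the upload and the delete.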