This is a simplified UDF version of Crypto.cfc that uses a salt for
each password.

It returns a struct that contains the hashed password, and the salt used.

To verify a password against the encrypted version, you just encrypt the
form post with the exact same method, but passing in the stored salt, then
compare the two encrypted passwords.

In some super security scenarios you would also have a Server key, that is
unique to the application and is stored in a third spot separate from the
database.

This way if someone hacks your database and accesses the users salt and the
encrypted data, they are still missing the Server key as well as how many
times you iterated your hash.


<cffunction name="Crypto" access="public" returntype="struct" output="no">
    <cfargument name="password" type="string" required="yes" />
    <cfargument name="salt" type="string" required="no" default="#GenerateSecretKey('AES')#"
        hint="user salt added to password, then stored in the secured database" />

    <cfscript>
        var local = structNew();
        var i = 1;
        var iterations = 1024;
        var algorithm = "SHA-512";

        // keep the salt next to the hash so the caller can store both
        local.salt = arguments.salt;

        // first round: hash the password together with its salt
        local.passwordHash = hash( arguments.password & arguments.salt, algorithm, 'UTF-8' );

        // stretching: re-hash the previous digest plus the salt, `iterations` times
        for (i = 1; i LTE iterations; i = i + 1)
        {
            local.passwordHash = hash( local.passwordHash & arguments.salt, algorithm, 'UTF-8' );
        }

        return local;
    </cfscript>
</cffunction>

<!--- normal use (VERY SECURE as long as Salts are secured) --->
<cfdump var="#Crypto('my3ecretPa55w0rd5trf')#" />


<!--- Server Salt stored as a permanent fixture of the application. --->
<cfset ServerSalt = "8Ru5rbpvMmNEQK5UiKKaZQ==" />
<!--- SUPER SECURE even if database is compromised --->
<cfdump var="#Crypto('my3ecretPa55w0rd5trf' & ServerSalt)#" />



-- 
/Kevin Pepperman
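The register/verify round trip the post describes, as an added example that is not part of the original message or of Crypto.cfc: a Python re-implementation of the same iterated salted SHA-512 chain (first digest over password & salt, then 1024 rounds over digest & salt, uppercase hex as CFML's hash() returns it), plus the optional server key appended to the password exactly as the second cfdump does. The `make_salt`, `register`, `verify` and `demo` names, the 16-byte hex salt in place of GenerateSecretKey('AES'), and the sample password are assumptions made for this example; the server key value is the one from the post.

```python
import hashlib
import hmac
import secrets

# Added example (not the post's code): mirrors the CFML Crypto() UDF so the
# store-then-verify flow can be seen end to end. Sample inputs are constructed.

ITERATIONS = 1024


def make_salt() -> str:
    """Random per-user salt. The post uses GenerateSecretKey('AES');
    this assumption uses 16 random bytes, hex-encoded."""
    return secrets.token_hex(16)


def crypto(password: str, salt: str, server_key: str = "",
           iterations: int = ITERATIONS) -> dict:
    """Same chain as the UDF: hash(password & salt) once, then re-hash
    (previous digest & salt) `iterations` times. CFML's hash() returns
    uppercase hex, so .upper() keeps the chain byte-for-byte identical.
    The server key is appended to the password, as in Crypto(pw & ServerSalt)."""
    data = (password + server_key + salt).encode("utf-8")
    digest = hashlib.sha512(data).hexdigest().upper()
    for _ in range(iterations):
        digest = hashlib.sha512((digest + salt).encode("utf-8")).hexdigest().upper()
    return {"salt": salt, "passwordHash": digest}


def register(password: str, server_key: str = "") -> dict:
    """What goes into the users table: the salt and the hash, never the password."""
    return crypto(password, make_salt(), server_key)


def verify(candidate: str, stored: dict, server_key: str = "") -> bool:
    """Re-run the exact same method with the stored salt and compare.
    compare_digest avoids leaking the position of the first mismatch via timing."""
    recomputed = crypto(candidate, stored["salt"], server_key)["passwordHash"]
    return hmac.compare_digest(recomputed, stored["passwordHash"])


def demo() -> dict:
    """Register one user with the server key kept outside the database, then
    try the right password, a wrong password, and a verifier that lacks the key."""
    server_key = "8Ru5rbpvMmNEQK5UiKKaZQ=="  # value from the post; not stored in the DB
    record = register("my3ecretPa55w0rd5trf", server_key)  # constructed sample
    return {
        "correct": verify("my3ecretPa55w0rd5trf", record, server_key),
        "wrong_password": verify("my3ecretPa55w0rd5trX", record, server_key),
        "missing_server_key": verify("my3ecretPa55w0rd5trf", record),
        "hash_len": len(record["passwordHash"]),  # SHA-512 hex digest: 128 chars
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noting about the design: verifying without the server key fails even with the correct password, which is the property the post wants from keeping that key off the database host; and the iteration count is an implementation detail rather than a secret, so in a real deployment the stretching is better done with a purpose-built KDF (PBKDF2, bcrypt, scrypt or Argon2) at a much higher cost than 1024 rounds.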


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330813