ColdFusion Muse

Webmaniacs - Cryptography and Dentistry

Mark Kruger May 23, 2008 1:20 PM Coldfusion Security, Conferences Comments (3)

On Tuesday I took in a workshop on Cryptography by Dean Saxe. Dean is an impressive character with a head stuffed full of knowledge and spilling out everywhere. He obviously knew what he was talking about. As a topic, cryptography is so impossibly complicated and intricate that he could not do it justice in a 50 minute session. Most discussions about cryptography center around keys, algorithms and best practices - and this was no exception. Dean recommended against relying on CF's own encrypt and decrypt functions for anything but the most rudimentary encryption. In fact, he probably didn't even go that far. That tidbit of advice is common from almost every security pro I have ever heard mention the subject. When it came to discussing keys it was like a trip to the dentist.


3 Comments

  • JC | 5/23/08 1:36 PM
    Sounds handy. I spent hours banging my head on Adobe's useless CF8 Encrypt() livedocs the other day... they're cleaning it up following an email I sent, but even the one they updated isn't very useful.

    CF8 now supports several public/private key encryption algorithms, which takes care of a big chunk of the security concerns regarding the key, but the documentation has zero information on how to actually *use* it.
  • Mark Kruger | 5/23/08 1:42 PM
    JC,

    Thanks for the comments. Dean will chime in here pretty soon I think and add to the discussion. But the knock on CF's native encryption function has always been that it is behind the curve a bit I think.

    -mk
  • Dean H. Saxe | 5/23/08 6:34 PM
    The challenge with CF is really key management. The APIs aren't there and are not flexible enough (IMHO), so you're better off using native functions of the JCA/JCE to handle all of this under the covers.

    To be fair, my biggest gripe with developers and encryption is the use of encryption to solve problems often leads to bigger problems. One must solve a specific issue (data confidentiality, integrity, authentication or non-repudiation) or a collection of the above with crypto. When crypto "magic faerie dust" is used in every application "because it makes it more secure" that is a big red warning sign. Crypto != security, but some types of security may be obtained through the judicious use of crypto.

    Finally, with the key storage question, it is all a matter of risk tolerance when deciding how to store and manage keys. What is right for a PCI DSS environment is not necessarily correct for other domains. Only you can tell what your risk profile is and, therefore, decide the best way to manage encryption key storage, inarguably the hardest part of using crypto, in your own code.

    -dhs
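As an added illustration of Dean's point about reaching past CF's Encrypt()/Decrypt() into the JCA/JCE for key handling (this is editor-added example code, not code from the post, the workshop, or Adobe's docs): a cfscript block that loads an AES key from a JCEKS keystore via java.security.KeyStore and encrypts with javax.crypto.Cipher, so the key material never appears as a literal in the CFML source. The keystore path, password, alias and the sample plaintext are all assumed placeholder values.

```cfml
<cfscript>
// Assumed values: a JCEKS keystore kept outside the web root, its password read
// from protected configuration, and an AES SecretKey already stored under this alias.
ksPath   = "/etc/app/keys.jceks";   // placeholder path
ksPass   = "keystore-password";     // placeholder; read from protected config, never hardcode
keyAlias = "app-aes-key";           // placeholder alias

function loadAesKey(ksPath, ksPass, keyAlias) {
    var ks  = createObject("java", "java.security.KeyStore").getInstance("JCEKS");
    var fis = createObject("java", "java.io.FileInputStream").init(ksPath);
    ks.load(fis, ksPass.toCharArray());
    fis.close();
    // returns a javax.crypto.SecretKey; the raw key bytes stay inside the JCE object
    return ks.getKey(keyAlias, ksPass.toCharArray());
}

function encryptAesCbc(key, plaintext) {
    var cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS5Padding");
    cipher.init(cipher.ENCRYPT_MODE, key);   // no IV supplied, so the JCE draws a fresh random one
    var ct = cipher.doFinal(plaintext.getBytes("UTF-8"));
    // the IV is not secret, but it must be stored next to the ciphertext for decryption
    return { iv = binaryEncode(cipher.getIV(), "base64"), data = binaryEncode(ct, "base64") };
}

function decryptAesCbc(key, blob) {
    var cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS5Padding");
    var ivSpec = createObject("java", "javax.crypto.spec.IvParameterSpec").init(binaryDecode(blob.iv, "base64"));
    cipher.init(cipher.DECRYPT_MODE, key, ivSpec);
    var pt = cipher.doFinal(binaryDecode(blob.data, "base64"));
    return createObject("java", "java.lang.String").init(pt, "UTF-8");
}

key  = loadAesKey(ksPath, ksPass, keyAlias);
blob = encryptAesCbc(key, "sample record: constructed test data");
writeOutput(decryptAesCbc(key, blob));

// AES-CBC gives confidentiality only. If integrity is also a requirement (one of the
// distinct goals Dean lists), compute an HMAC over iv + data with javax.crypto.Mac
// under a separate key and verify it before decrypting.
</cfscript>
```

Which keystore type, password source and key lifecycle are appropriate is exactly the risk-tolerance decision Dean describes; the block only shows where the key lives relative to the code.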