Adobe ColdFusion already had this function built in, without any documentation.
Now it is here for all CFML developers:
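<cffunction name="generate3DesKey" output="no">
  <cfargument name="fromstring" type="string" required="no" />
  <!--- No input string: let the engine generate a random DESede key (returned Base64-encoded) --->
  <cfif not structKeyExists(arguments, "fromString")>
    <cfreturn generateSecretKey('DESEDE') />
  </cfif>
  <!--- Wrap the string's bytes (platform default charset) as a DESede key; SecretKeySpec does not check the length --->
  <cfset var secretKeySpec = createObject("java", "javax.crypto.spec.SecretKeySpec").init(arguments.fromstring.getBytes(), "DESede") />
  <!--- Return the raw key bytes Base64-encoded, the format encrypt()/decrypt() expect --->
  <cfreturn toBase64(secretKeySpec.getEncoded()) />
</cffunction>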
Updated, with thanks to Jason Dean :-)
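As an added example (not the post's code and not Adobe's implementation), here is a stricter variant that refuses key material that is not exactly 24 bytes, followed by a round trip through encrypt()/decrypt(). The function name generate3DesKeyChecked, the InvalidKeyLength exception type, the UTF-8 charset choice and the sample string are assumptions made for illustration.

```cfml
<!--- Added example: generate3DesKeyChecked is a hypothetical name, not a built-in. --->
<cffunction name="generate3DesKeyChecked" output="no" returntype="string">
  <cfargument name="fromString" type="string" required="yes" />
  <!--- Fix the charset so the byte count does not depend on the JVM default. --->
  <cfset var keyBytes = arguments.fromString.getBytes("UTF-8") />
  <!--- SecretKeySpec accepts any length, so check for the 24 bytes of a three-key DESede key here. --->
  <cfif arrayLen(keyBytes) neq 24>
    <cfthrow type="InvalidKeyLength"
      message="DESede key material must be 24 bytes, got #arrayLen(keyBytes)#." />
  </cfif>
  <cfreturn toBase64(keyBytes) />
</cffunction>

<!--- Constructed sample input: a 24-character ASCII string (24 bytes in UTF-8). --->
<cfset storedString = "0123456789abcdefghijklmn" />
<cfset key = generate3DesKeyChecked(storedString) />
<cfset cipherText = encrypt("round trip", key, "DESEDE", "Base64") />
<cfset plainText = decrypt(cipherText, key, "DESEDE", "Base64") />
<cfoutput>#plainText#</cfoutput>

<!--- A key from generateSecretKey("DESEDE") is already Base64 text: 24 bytes encode to
      32 characters, so the length check rejects it instead of encoding it a second time. --->
<cftry>
  <cfset generate3DesKeyChecked(generateSecretKey("DESEDE")) />
  <cfcatch type="InvalidKeyLength">
    <cfoutput>#cfcatch.message#</cfoutput>
  </cfcatch>
</cftry>
```

A key built from a printable string carries less entropy than one from generateSecretKey("DESEDE"), so the string route is best kept for compatibility with key material that already exists.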

#1 by Jason Dean - July 26, 2010 at 4:35 PM
I'm curious about this function and where you would use it and whether or not it fully works.
Does the Adobe ColdFusion generate3DesKey() function produce anything different than what generateSecretKey("DESEDE") would? As near as I can tell, they both produce a 32-bit (256 bit) key. The only difference I can see is that the generate3DesKey() allows you to specify a 24 byte input string for generating the key, which may come in handy in certain cases, but for generating a new key, my understanding is that the generateSecretKey("DESEDE") function is superior. Even if you randomly create the input string, does passing in a 24-byte string to return a 32-byte string make sense?
Did you create it for compatibility with code that uses the undocumented CF function? I guess if you have code that needs to use the passed-in string for some reason, then this would be good to have, but I suspect it would be less secure than generating a new key with the proper function.
Also, I am curious about your default argument value being equal to generateSecretKey('DESEDE'). The generateSecretKey() function will return a valid DESEDE key already; do you really want to run it through the key generator? Does it return a valid key?
When I tried this on ColdFusion using generate3DesKey(generateSecretKey("DESEDE")), it produced an invalid key that would not work in encrypt().
I would suggest making the argument required. If they do not have a string to pass in, then they are better off using generateSecretKey(). This would then work the same as the ColdFusion function, because it does require the parameter.
#2 by Paul Klinkenberg - July 26, 2010 at 5:07 PM
I mistakenly assumed that the generateSecretKey function would return the 24bit string, and did not have ACF lying around ;-)
The use for this function is indeed what you guessed: I already had a string which is used to both encrypt and decrypt. I guess it should be quite default to save the encryption string for decryption later on, right?
Thanks again!