1 Reply Latest reply on Jan 2, 2008 5:54 AM by Robert_Com99

    Using JSafeJCE Encryption

    Robert_Com99
      We have CF8 Developer edition installed and are trying to utilize the FIPS 140-2 compliant encryption features of JSafeJCE. When we try a simple encrypt with the basic install:

      <cfset token = Encrypt(tokenString, tokenEncryptionKey, "AES/CBC/PKCS5Padding", "Hex", tokenEncryptionIV)>

      We get:

      The key specified is not a valid key for this encryption: Illegal key size. (incidentally, this occurs whether we provide the key or use the generatesecretkey call)

      If we then switch to the SUN strong encryption, the call completes successfully. Why are we tied to the SUN provider? The ColdFusion 8 Developer Security Guidelines document at

      http://www.adobe.com/devnet/coldfusion/articles/dev_security/coldfusion_security_cf8.pdf

      indicates that "The JSafeJCE provider replaces the Sun provider for these algorithms in CF8 Enterprise: AES, DESEDE, DES, RC2, RC4, PBEwithM". "Replace" to me means that the Sun provider is not needed. Is that incorrect?

      We also considered the possibility that we are running the Developer edition, since all of the documentation explicitly states "Enterprise Edition". We ruled that out based on the feature comparison matrix, which lists Enterprise and Developer in the same column.

      Has anyone experienced this issue?