28 Replies Latest reply on Mar 19, 2010 8:43 AM by TLC-IT

    Coldfusion and PGP

    aubweb Level 1
      Hi All,

      I have pgp desktop installed on my server and I try to decrypt a string using my private & public key but I am completely lost...
      Should I use cfexecute with gnugp, a cfx tag or open pgp or the Bouncy Castle Cryptography Library ...

      I have a post form where I receive an encrypted userid and I just need to decrypt it ...
      Can you please help ?
        • 1. Re: Coldfusion and PGP
          Daverms Level 3
          Hi,

          Found this CFC,

          https://store1.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&loc=en_us&extid=1010167

          Anyway I am not sure whether it will meet your requirement or not.
          • 2. Re: Coldfusion and PGP
            aubweb Level 1
            Thank you, but I have already tried to use this cfc.
            I am able to encrypt a string but when I try to decrypt it I have this error:

            quote:

            An exception occurred when executing a COM method. The cause of this exception was that: AutomationException: 0x80004005 - Memory allocation error in 'Nsdpgp3Lib.PGP.1'. The error occurred in C:\Inetpub\wwwroot\EAMEDASHBOARD\pgp.cfc: line 319
            • 3. Re: Coldfusion and PGP
              davidmedifit Level 1
              We use CFX_PGP - a 3rd party solution - for all of our PGP needs. It works very well and we've had no problems with it. I don't think there are many other solutions out there.

              Cheers,

              David
              • 4. Re: Coldfusion and PGP
                davidmedifit Level 1
                We use CFX_PGP - a 3rd party solution - for all of our PGP needs. It works very well and we've had no problems with it. I don't think there are many other solutions out there.

                Here is a link to the company - they were nice enough to give us a free license for our development machine.

                Cheers,

                David
                • 5. Re: Coldfusion and PGP
                  aubweb Level 1
                  thank you David but where's the link ?
                  • 6. Re: Coldfusion and PGP
                    davidmedifit Level 1
                    Oops, sorry: www.digitaloutlook.com

                    There appears to be an error on the store site right now, but I'm sure an email to the administrator will get it sorted out pretty quickly.

                    I hope it is what you are looking for.

                    David
                    • 7. Re: Coldfusion and PGP
                      aubweb Level 1
                      Thank you !
                      I'll let you know ...
                      • 8. Re: Coldfusion and PGP
                        aubweb Level 1
                        Thank you !
                        I'll let you know ...
                        • 9. Re: Coldfusion and PGP
                          aubweb Level 1
                          I've tested the cfx_pgp tag but I was not able to encrypt or decrypt a string.
                          There is something weird because when I try to encrypt something, I have an error telling me that the passphrase is not correct (normally you do not need to use a passphrase to encrypt ..)

                          so well... I am still stuck ....
                          • 10. Re: Coldfusion and PGP
                            Daverms Level 3
                            Hi,

                             Have you contacted their (www.digitaloutlook.com) support?
                            • 11. Re: Coldfusion and PGP
                              aubweb Level 1
                              Ok it's fixed !
                              I had to uncheck this on the CF Admin

                              Keep Library Loaded (Check this box to retain the library in RAM. )
                              • 12. Re: Coldfusion and PGP
                                aubweb Level 1
                                Unfortunately I'll have to pay 400 bucks for that ...
                                • 13. Re: Coldfusion and PGP
                                  jgolub
                                  I use this free command-line tool for Windows:

                                  http://www.pgpi.org/products/pgp/versions/freeware/win32/6.5.8/

                                  and cfexecute. It works just fine and doesn't cost a penny.
                                  • 14. Re: Coldfusion and PGP
                                    aubweb Level 1
                                    Cool,

                                    does it work with pgp 9 ?
                                    if it does can you please send me an example of how to use the tool with cfexecute to decrypt a string ?

                                    I never used cfexecute tag... :-(

                                    Thank you !
                                    • 15. Re: Coldfusion and PGP
                                      jgolub Level 1
                                      I don't know offhand if it works with PGP 9. You'll have to find that out yourself :).

                                      Below is the cfexecute code that I used, where the request.pgp.exe variable contains a full path to the PGP executable.
                                      • 16. Re: Coldfusion and PGP
                                        aubweb Level 1
                                        Thanks Joshua

                                        but what's #attributes.inputFilePath# & #attributes.outputFilePath#
                                        is it the syntax to decrypt a string ?
                                        • 17. Re: Coldfusion and PGP
                                          jgolub Level 1
                                          The command-line tool works on files, not strings. So, you put into a file the string that you want decrypted.

                                          Then, attributes.inputFilePath is the variable containing the full path to the file to be decrypted.

                                          attributes.outputFilePath is the variable containing the full path to the file that will be created to contain the decrypted information.

                                          attribute.passphrase is the variable containing the passphrase needed to gain access to the private key needed for the decryption.
                                          • 18. Re: Coldfusion and PGP
                                            hwy419
                                            Where is the "Keep Library Loaded" in CF Admin? Are you using CF8?
                                            • 19. Re: Coldfusion and PGP
                                              aubweb Level 1
                                              Hi hwy419,

                                              yes I am running cf8.
                                              you'll find this option there : Extensions > CFX Tags > Manage C++ CFX
                                              • 20. Re: Coldfusion and PGP
                                                BigJ57

                                                One of the simpler things I tried for this is to use the BonCode PGP implementation from RIAForge.

                                                It only implements a simple subset of PGP functions using armored files. Thus, the examples given use armored/compacted files. These files have an .asc extension.

                                                You can generate those using your PGP Desktop software and read the results with it.

                                                For your simple example you pass in your content, your public key path to a function and it will encrypt it for you.

                                                If you want to decrypt it you use another function passing in the key file location (the path to your key files you generated with PGP Desktop). It will need your private key path, your password, and your content to decrypt.

                                                • 21. Re: Coldfusion and PGP
                                                  ToeJam

                                                  Not a very good title but check out my cookbook entry on how I handle PGP on my win server with Coldfusion.

                                                  http://cookbooks.adobe.com/post_How_to_execute_a_Windows__bat_file_-16396.html

                                                  • 22. Re: Coldfusion and PGP
                                                    TLC-IT Level 3

                                                    CF has some "pretty good" encryption routines of its own which you might be able to use ... unless you had to use PGP.

                                                    Quite frankly, though, I think that encryption is often used too much.  If, for example, you know that you are talking over an "https://" secured link, then you already have very strong encryption of the entire conversation between the client and the host ... even though all of it is entirely invisible to you.  There is no incremental benefit to further encrypting the data that you are sending over an already-secure channel.

                                                    The built-in CF encryption routines are, of course, based on the underlying Java library implementations.  If you need to encrypt data in a database, you might be able to use them.  But once again, your database might already provide an encrypted store, in which case there is no incremental benefit to a cumbersome additional encryption layer of your own.

                                                    Anytime you "roll your own crypto," you run the very great risk of having a false sense of security.  "If it's difficult to do, then it must be secure."  That may well not be the case.

                                                    • 23. Re: Coldfusion and PGP
                                                      Chiwi8888
                                                      There is no incremental benefit to further encrypting the data that you are sending over an already-secure channel.

                                                      Sorry, but I have to correct this, as this is just not true.  The major difference is HTTPS is only point to point; using key pairs you ensure end to end security.

                                                      • 24. Re: Coldfusion and PGP
                                                        Chiwi8888 Level 1

                                                        Take a look at http://www.gpg4win.org/

                                                        It's a Windows package of GnuPG, has GUI tools, the works.

                                                        Use the GUI manager to set up your keyring with your certs, then one cfexecute command.  I know you want to do a string, but here is an example for a file:

                                                        <cfexecute name="#GNUPGPFullPath#" arguments="--passphrase #gKeyPassphrase# --batch -o #outputPath# -d -r #gEncryptionKeyID# #inputFilePath#" timeout="300"></cfexecute>
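
The file-based workflow described in replies 17 and 24 (write the posted string to a file, run GnuPG with cfexecute, read the result back), as an added example that is not code from this thread. It assumes hypothetical names: gpgExe is the path to gpg.exe, the private key is already in the ColdFusion service account's keyring, and passphraseFile is a file readable only by that account holding the key passphrase, so the secret never appears on the command line.

```cfml
<!--- Added example, not code from the thread: decrypt a posted ASCII-armored PGP string
      through cfexecute + GnuPG. Assumes (hypothetical names): gpgExe is the path to gpg.exe,
      the private key is already in the ColdFusion service account's keyring, and the key
      passphrase sits in a file readable only by that account (passphraseFile). --->
<cffunction name="removeIfExists" returntype="void" output="false">
    <cfargument name="path" type="string" required="true">
    <cfif fileExists(arguments.path)><cffile action="delete" file="#arguments.path#"></cfif>
</cffunction>

<cffunction name="decryptArmoredString" returntype="string" output="false">
    <cfargument name="armoredText" type="string" required="true">
    <cfargument name="gpgExe" type="string" required="true">
    <cfargument name="passphraseFile" type="string" required="true">
    <cfset var baseName = getTempDirectory() & createUUID()>
    <cfset var inPath = baseName & ".asc">
    <cfset var outPath = baseName & ".txt">
    <cfset var gpgArgs = "">
    <cfset var gpgErrors = "">
    <cfset var result = "">

    <!--- Reject anything that is not a PGP message block before touching the file system. --->
    <cfif NOT reFind("^-----BEGIN PGP MESSAGE-----", trim(arguments.armoredText))>
        <cfthrow type="PgpDecrypt.BadInput" message="Input is not an ASCII-armored PGP message">
    </cfif>

    <cftry>
        <!--- The user-supplied text only ever lands inside a file; it never becomes part of the command line. --->
        <cffile action="write" file="#inPath#" output="#trim(arguments.armoredText)#" addnewline="true">

        <!--- -o names the OUTPUT file; the positional argument after -d is the INPUT file.
              --batch/--yes suppress prompts; --passphrase-file keeps the secret out of the process list
              (GnuPG 2.1 and later also need --pinentry-mode loopback for this to work). --->
        <cfset gpgArgs = '--batch --yes --passphrase-file "#arguments.passphraseFile#" -o "#outPath#" -d "#inPath#"'>
        <cfexecute name="#arguments.gpgExe#" arguments="#gpgArgs#" timeout="60" errorvariable="gpgErrors"></cfexecute>

        <cfif NOT fileExists(outPath)>
            <cfthrow type="PgpDecrypt.Failed" message="gpg produced no output" detail="#gpgErrors#">
        </cfif>
        <cffile action="read" file="#outPath#" variable="result">

        <cfcatch type="any">
            <!--- Clean up on failure too, then let the caller see the error. --->
            <cfset removeIfExists(inPath)>
            <cfset removeIfExists(outPath)>
            <cfrethrow>
        </cfcatch>
    </cftry>
    <!--- Success path: remove both temp files so neither ciphertext nor plaintext stays on disk. --->
    <cfset removeIfExists(inPath)>
    <cfset removeIfExists(outPath)>
    <cfreturn trim(result)>
</cffunction>

<!--- Usage: the posted form field is passed in; tool path and secret location come from configuration. --->
<cfset userId = decryptArmoredString(form.encryptedUserId, "C:\Program Files\GNU\GnuPG\gpg.exe", "C:\cfsecrets\pgp-passphrase.txt")>
```

The temp-file cleanup addresses the "residual files left behind" concern raised later in the thread, and the errorvariable capture gives you something to log when gpg fails instead of a silent empty result.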

                                                        • 25. Re: Coldfusion and PGP
                                                          TLC-IT Level 3

                                                          If you are dealing with a "man in the middle" situation, yes, you have to send encrypted material in such a way that it remains secure even if it is sent via carrier-pigeon.

                                                          It is extremely difficult, though, to ensure truly secure communications and message-integrity in such a situation, where the messages must make "an intermediate stop" or be entrusted to a potentially un-trustworthy third party message handler (such as e-mail).  And once again, there might be a protocol such as S/MIME that would provide a "secure channel apart from the web-app itself."

                                                          So...  if you can possibly avail yourself of "a secure channel apart from the web-app," one that goes without interruption directly from source to destination and provides blanket protection to "anything and everything" that is sent along it, the situation will be much stronger than any other.  Without it, any one of the applications can be "the weakest link."

                                                          A penetrator will never attempt to hijack your system by breaking through the encryption directly, knowing that this isn't possible (unless their company name is NSA or MI6).  They'll look for holes and weaknesses in how you handled your data, or for residual files left behind by your methods, or exposure of your private keys.  They'll also learn a great deal from where the messages are going and coming.  But if the only thing that they can touch is a channel, where everything in the channel is encrypted, they're in a much more difficult situation.

                                                          An encrypted channel also brings other benefits:  message integrity, no "man in the middle," and so on.  All invisibly and at no charge to you.

                                                          • 26. Re: Coldfusion and PGP
                                                            Chiwi8888 Level 1

                                                            I think you totally missed the point I was making. HTTPS only ensures security between the web server and its client.  The data could be travelling further on networks and/or systems which are no longer passing the data around securely.

                                                            It is extremely difficult, though, to ensure truly secure communications and message-integrity in such a situation, where the messages must make "an intermediate stop" or be entrusted to a potentially un-trustworthy third party message handler (such as e-mail).

                                                            I don't see how this is extremely difficult.  It's pretty easy, and is exactly what public/private key pairs are great for.  An encryption cert ensures the security and a signing cert ensures the integrity of the message.  If an email signed and encrypted like this made an intermediary stop, then there is no danger.  The message cannot be tampered with and/or read.

                                                            • 27. Re: Coldfusion and PGP
                                                              ToeJam Level 1

                                                              I appreciate what you are saying TLC-IT but SSL is simply not good enough for many of my clients because they are in the health industry. They have to ensure that when the data is transmitted, whether to DB or FTP for later distribution, the information packet is secure the entire route. Many of my clients generate specific keys for each vendor/client that have been exchanged to ensure data integrity, and those keys can be easily revoked at any time, thus rendering future data packets unusable.

                                                              • 28. Re: Coldfusion and PGP
                                                                TLC-IT Level 3

                                                                ToeJam, when you said ... "whether to DB or FTP for later distribution" ... I instantly withdraw my comments in your case because quite clearly you are doing the right thing now in your case.

                                                                It is "particularly correct," if you will, that they are creating and exchanging digital certificates so that "they can be revoked, thus rendering future data packets unusable."  The certificates would be issued with a fairly short expiration date, each one to an individual recipient and/or for a particular message type, and those would be updated on a regular basis (whether or not message compromise was suspected).

                                                                Many people make the mistake of using strong encryption (like PGP) with ... (doh!!) ... "passwords."  There is a vast difference between using a "simple password" and using a digital certificate, which of course may be "protected with" a password.  You're doing it right.

                                                                For your scenario, SSL is not an appropriate or a sufficient technology, and PGP/GPG (specifically "in the way that you are now using it...") unarguably and indisputably is.

                                                                When information has to be handled by a non-secure store, or a multi-stage transport (like e-mail) which can and probably does make copies at each stop, then obviously the only way to handle the situation is to encrypt the message before tendering.  The mechanism obviously also needs all of the things that you are now giving it:  individually revocable certificates; validation of both message content and sender/recipient address; secure certificate/key exchange.