Participant
September 24, 2025
Answered

AES encryption with AES/CBC/PKCS7


We need to encrypt data using AES/CBC/PKCS7. However the CF encrypt method only accepts AES/CBC/PKCS5Padding. Any idea how to achieve this? We are using CF 2016.

    Correct answer BKBK

    Example using "AES/CBC/PKCS5Padding" in ColdFusion 2016: 
     https://trycf.com/gist/a731623422b8967baa1f363958329686/acf2016?theme=monokai 

    <cfscript>
        // Plaintext
        plaintext = "Secret message that needs AES encryption.";
    
        // Use raw binary 
        // AES requires a 16, 24, or 32 byte key (128, 192, 256 bits).
        // Here we'll use a 32-byte (256-bit) key for AES-256.
        keyBin = BinaryDecode("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF", "hex");
        
        // Convert to Base64 strings for use with encrypt()
        key = ToBase64(keyBin);
        
        // AES CBC requires a 16-byte IV
        ivBin = BinaryDecode("0102030405060708090A0B0C0D0E0F10", "hex");
    
        // Encrypt: PKCS5Padding == PKCS7 padding here
        encrypted = encrypt(plaintext, key, "AES/CBC/PKCS5Padding", "hex", ivBin);
    
        // Decrypt
        decrypted = decrypt(encrypted, key, "AES/CBC/PKCS5Padding", "hex", ivBin);
    
        writeOutput("<b>Plaintext:</b> " & plaintext & "<br>");
        writeOutput("<b>Encrypted (Hex):</b> " & encrypted & "<br>");
        writeOutput("<b>Decrypted:</b> " & decrypted & "<br>");
    </cfscript>

     

    2 replies

    BKBK
    Community Expert
    September 25, 2025

    In Java, as well as in ColdFusion (which runs on Java), "AES/CBC/PKCS5Padding" is the only padding available for block ciphers like AES. Nevertheless, as @Brian__ has mentioned, it is functionally identical to PKCS7 padding.
    So, you don't need to encrypt data using "AES/CBC/PKCS7".  


    Under the bonnet, "PKCS5Padding" is implemented to work with AES, using a 16-byte block size, as required by AES. That results, in practice, in the PKCS#7 scheme. So if you specify

    encrypt(data, key, "AES/CBC/PKCS5Padding", "Hex")

    in ColdFusion, you will in fact get AES in CBC mode with PKCS7 padding (although it is named "PKCS5Padding" in Java’s API).
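
The equivalence described in the reply above can be checked on the JVM itself. This is an added example, not part of the original thread: it encrypts with "AES/CBC/PKCS5Padding", decrypts with "AES/CBC/NoPadding" so the padding bytes stay visible, and validates them as PKCS#7 for a 16-byte block. The class and helper names are hypothetical; the key and IV are the demo values from the ColdFusion example in this thread.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class Pkcs5IsPkcs7 {
    // Demo key and IV copied from the ColdFusion example; never use fixed values in production.
    // A 256-bit key needs the unlimited-strength policy on very old JREs.
    static final byte[] KEY = hex("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF");
    static final byte[] IV = hex("0102030405060708090A0B0C0D0E0F10");

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static byte[] run(int mode, String transformation, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return c.doFinal(in);
    }

    // Strict PKCS#7 check for a 16-byte block: last byte n is 1..16 and the last n bytes all equal n.
    static int pkcs7PadLength(byte[] padded) {
        if (padded.length == 0 || padded.length % 16 != 0) return -1;
        int n = padded[padded.length - 1] & 0xFF;
        if (n < 1 || n > 16) return -1;
        for (int i = padded.length - n; i < padded.length; i++)
            if ((padded[i] & 0xFF) != n) return -1;
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the thread's 41-byte message, and an exact 16-byte block,
        // which needs a full 16-byte pad that 8-byte PKCS#5 cannot express.
        String[] samples = { "Secret message that needs AES encryption.", "0123456789ABCDEF" };
        for (String s : samples) {
            byte[] plain = s.getBytes(StandardCharsets.UTF_8);
            byte[] ct = run(Cipher.ENCRYPT_MODE, "AES/CBC/PKCS5Padding", plain);
            // Decrypt without unpadding so the bytes the provider appended remain in the output.
            byte[] raw = run(Cipher.DECRYPT_MODE, "AES/CBC/NoPadding", ct);
            int n = pkcs7PadLength(raw);
            boolean ok = n > 0 && Arrays.equals(plain, Arrays.copyOf(raw, raw.length - n));
            System.out.printf("%2d-byte input: pad length %d, valid PKCS#7 and round-trips: %b%n",
                    plain.length, n, ok);
        }
    }
}
```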


    Participant
    September 30, 2025

    Thank you for your suggestions and the example. This has been very helpful!

    Brian__
    Participating Frequently
    September 24, 2025

    The only difference between PKCS#5 padding and PKCS#7 padding is that PKCS#5 uses a fixed 8-byte block size, and PKCS#7 allows for variable block sizes between 1 and 255 bytes. So it's possible that using PKCS#5 may technically work. But if you absolutely need to use PKCS#7 padding, you should be able to call an external Java class via createObject("java",...) -- such as BouncyCastle -- that supports PKCS#7.

     

    Also - ColdFusion 2016 has been EOL for a few years and is impacted by several critical vulnerabilities.  While not directly related to your question, there are important security/stability reasons to migrate to a supported platform.