Skip to main content
R
RevJake1890
Participating Frequently
January 8, 2015
Question

Encrypt base64 encoded, hashed with the secret key

  • January 8, 2015
  • 2 replies
  • 8741 views

I'd grateful for help in creating a hash value that is "base64 encoded, hashed (SHA-256) with the secret key string that is a concatenation of the a few values I have (accountId, userId, and Time)"

The documentation given to us has a sample and shows us how to create the hash via PHP, but I need to know how to do this in using ColdFusion.

Below is the sample starting values and the correct output for those sample values. If I can recreate this then I can create what I need with real values. 

Sample Values from Documentation (using PHP)

  • $key = 'abc123';
  • $accountId = 123;
  • $userId = 123456;
  • $time = 1379605500; // 9-19-2013 15:45:00 GMT
  • $signatureString = $accountId . $userId . $time;
  • $signature = base64_encode(hash_hmac('sha256', $signatureString, $key, "true"));

So, using the above sample values the documentation show that the string "1231234561379605500" will be converted to this hash, "DSJHPt7kUbRdB8U9XfCXXe4eTXDkiqpGud1Z0fO9EPg="

Does anyone know how to do that in ColdFusion? I'm too embarrassed to show what I've been trying.

Thanks in advance for help!

Jake

This topic has been closed for replies.

2 replies

R
RevJake1890Author
Participating Frequently
January 9, 2015

Steve, Thanks! You are correct with your statement about using Hash vs Encrypt but it turns out Encrypt is what I needed because the partner doesn't actually decrypt, they just compare our hash to theirs, since we also send the acctId,  userId & time in the URL. We both encrypt then they match, it's valid. And the Hash function doesn't let us add in a secret code whereas the Encrypt method does.

We're running CF9 so we needed to take the extra step that we found via this article from Ben Nadel to get us there. Crypto.cfc For Hmac-SHA1, Hmac-Sha256, and Hmac-MD5 Code Generation In ColdFusion. Evidently CF10+ introduced the hmac() function for generating secure, hashed message authentication codes (HMAC) which makes dealing with 3rd-Party APIs much easier.

So thanks all and I hope this helps others!

Jake

S
Steve Sommers
Legend
January 9, 2015

RE: We're running CF9...

An FYI on a completely different track, I'm not sure what type of applications you are hosting but CF9 end-of-life (standard life without premium fees for extended support) was 12/31/2014. You may want to create an upgrade plan -- especially if you host anything that requires security compliance (like credit cards).

    R
    RevJake1890Author
    Participating Frequently
    January 9, 2015

    Thanks Steve! Yeah, I'm told we'll be bypassing CF10 and upgrading to CF11. Very Excite!

    R
    RevJake1890Author
    Participating Frequently
    January 8, 2015

    Ok, I've overcome my embarrassment. :-)  Here is what I was trying...

    <!--- Sample Values --->

    <cfset lmsKey = 'abc123'>

    <cfset acctId = "123">

    <cfset userId = "123456">

    <cfset time = "1379605500">

    <cfset signatureString = "#acctId##userId##time#">

    <cfset encryptSignature = Encrypt(signatureString,lmsKey,'SHA-256','Base64')>

    The ColdFusion error I received is...

    "The SHA-256 algorithm is not supported by the Security Provider you have chosen."

    S
    Steve Sommers
    Legend
    January 8, 2015

    You need to use the function Hash instead of Encrypt -- encryption is de-cryptable whereas hash is not de-hashable (in theory) and SHA-256 is a hash algorithm.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices