Highlighted

Encrypt base64 encoded, hashed with the secret key

Community Beginner ,
Jan 07, 2015

Copy link to clipboard

Copied

I'd grateful for help in creating a hash value that is "base64 encoded, hashed (SHA-256) with the secret key string that is a concatenation of the a few values I have (accountId, userId, and Time)"

The documentation given to us has a sample and shows us how to create the hash via PHP, but I need to know how to do this in using ColdFusion.

Below is the sample starting values and the correct output for those sample values. If I can recreate this then I can create what I need with real values. 

Sample Values from Documentation (using PHP)

  • $key = 'abc123';
  • $accountId = 123;
  • $userId = 123456;
  • $time = 1379605500; // 9-19-2013 15:45:00 GMT
  • $signatureString = $accountId . $userId . $time;
  • $signature = base64_encode(hash_hmac('sha256', $signatureString, $key, "true"));

So, using the above sample values the documentation show that the string "1231234561379605500" will be converted to this hash, "DSJHPt7kUbRdB8U9XfCXXe4eTXDkiqpGud1Z0fO9EPg="

Does anyone know how to do that in ColdFusion? I'm too embarrassed to show what I've been trying.

Thanks in advance for help!

Jake

TOPICS
Security

Views

4.8K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Encrypt base64 encoded, hashed with the secret key

Community Beginner ,
Jan 07, 2015

Copy link to clipboard

Copied

I'd grateful for help in creating a hash value that is "base64 encoded, hashed (SHA-256) with the secret key string that is a concatenation of the a few values I have (accountId, userId, and Time)"

The documentation given to us has a sample and shows us how to create the hash via PHP, but I need to know how to do this in using ColdFusion.

Below is the sample starting values and the correct output for those sample values. If I can recreate this then I can create what I need with real values. 

Sample Values from Documentation (using PHP)

  • $key = 'abc123';
  • $accountId = 123;
  • $userId = 123456;
  • $time = 1379605500; // 9-19-2013 15:45:00 GMT
  • $signatureString = $accountId . $userId . $time;
  • $signature = base64_encode(hash_hmac('sha256', $signatureString, $key, "true"));

So, using the above sample values the documentation show that the string "1231234561379605500" will be converted to this hash, "DSJHPt7kUbRdB8U9XfCXXe4eTXDkiqpGud1Z0fO9EPg="

Does anyone know how to do that in ColdFusion? I'm too embarrassed to show what I've been trying.

Thanks in advance for help!

Jake

TOPICS
Security

Views

4.8K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jan 07, 2015 0
Community Beginner ,
Jan 07, 2015

Copy link to clipboard

Copied

Ok, I've overcome my embarrassment. 🙂  Here is what I was trying...

<!--- Sample Values --->

<cfset lmsKey = 'abc123'>

<cfset acctId = "123">

<cfset userId = "123456">

<cfset time = "1379605500">

<cfset signatureString = "#acctId##userId##time#">

<cfset encryptSignature = Encrypt(signatureString,lmsKey,'SHA-256','Base64')>

The ColdFusion error I received is...

"The SHA-256 algorithm is not supported by the Security Provider you have chosen."

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 07, 2015 0
Advocate ,
Jan 07, 2015

Copy link to clipboard

Copied

You need to use the function Hash instead of Encrypt -- encryption is de-cryptable whereas hash is not de-hashable (in theory) and SHA-256 is a hash algorithm.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 07, 2015 0
Adobe Community Professional ,
Jan 08, 2015

Copy link to clipboard

Copied

<cfset signatureString = acctId & userId & time>, followed by what Steve Sommers said.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 08, 2015 0
Community Beginner ,
Jan 08, 2015

Copy link to clipboard

Copied

Steve, Thanks! You are correct with your statement about using Hash vs Encrypt but it turns out Encrypt is what I needed because the partner doesn't actually decrypt, they just compare our hash to theirs, since we also send the acctId,  userId & time in the URL. We both encrypt then they match, it's valid. And the Hash function doesn't let us add in a secret code whereas the Encrypt method does.

We're running CF9 so we needed to take the extra step that we found via this article from Ben Nadel to get us there. Crypto.cfc For Hmac-SHA1, Hmac-Sha256, and Hmac-MD5 Code Generation In ColdFusion. Evidently CF10+ introduced the hmac() function for generating secure, hashed message authentication codes (HMAC) which makes dealing with 3rd-Party APIs much easier.

So thanks all and I hope this helps others!

Jake

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 08, 2015 0
Advocate ,
Jan 09, 2015

Copy link to clipboard

Copied

RE: We're running CF9...

An FYI on a completely different track, I'm not sure what type of applications you are hosting but CF9 end-of-life (standard life without premium fees for extended support) was 12/31/2014. You may want to create an upgrade plan -- especially if you host anything that requires security compliance (like credit cards).

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 09, 2015 1
Community Beginner ,
Jan 09, 2015

Copy link to clipboard

Copied

Thanks Steve! Yeah, I'm told we'll be bypassing CF10 and upgrading to CF11. Very Excite!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 09, 2015 0
Adobe Community Professional ,
Jan 09, 2015

Copy link to clipboard

Copied

@RevJake1890

As you are happy with the solution, please mark it as the correct answer. Thanks.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jan 09, 2015 0