A thread has been going on for a bit today over on the Flex Coders list. How do you encrypt data in Flex, pass it to ColdFusion and then decrypt it? I struggled with this very same question quite a while ago, and sort of came up with an answer after a lot of trial and error. This post is me finally documenting my answer.
First, there are two open source AS3 libraries that you can use to deal with data encryption in Flex: ASCrypt3 and Crypto. ASCrypt3 was my attempt at converting an ActionScript 2 library to an ActionScript 3 code base. I understand that Crypto was created from the ground up to make use of AS3 enhancements to make things more performant. Both libraries offer plenty of ways to encrypt or decrypt data in Flex.
I'm going to assume that we want to use AES (Rijndael) to encrypt the data in Flex before sending it to ColdFusion. Unfortunately, I was never able to get the ASCrypt3 code base working with CF properly. People have told me they've used it successfully for Java. I have used Crypto to successfully pass encrypted data back and forth between ColdFusion and Flex, though.
First we need to create our key and specify some settings. Load the Crypto demo. Click "Secret Key" from the TabNavigator and apply these settings:
- Encryption: AES
- Mode: ECB
- Prepend IV to Cipher: Leave Unchecked
- Key Format: Hex
- Plain Text: Text
- Cipher Text: Hex
Once your settings are set, click "Generate 128 bits" to generate a key. If you create your own key using alternate means, that's fine, but you'll have to be sure it is 128 bits and in Hex format, or things may go awry when switching between systems.
Type your text: "This is a Test", then click the Encrypt button. Doing this on the fly, my key was "e1787cfc32d25355f267c53837c6062e" and the cipher text was "182f2031903e0a63ed77881b1561954c".
I'll assume you know of some manner to get this data from Flex to ColdFusion (or, really, any other backend you desire).
On the ColdFusion side, there is a great knowledge base article about dealing with encryption, so you might want to start there. To decrypt, we are dealing with a handful of built-in functions:
- BinaryDecode: Converts a string to a binary object. We use it to turn our Hex Key into binary format.
- ToBase64: Calculates the Base64 string representation of a binary object. We use it to turn the binary key that BinaryDecode produced back into a string.
- Decrypt: Performs the decryption algorithm.
The actual code will be something like this:
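<!--- Key exactly as generated in the Crypto demo (hex) --->
<cfset HexKey = "e1787cfc32d25355f267c53837c6062e">
<!--- Hex to binary, then binary to the Base64 string passed to Decrypt --->
<cfset MyKey = ToBase64(BinaryDecode(HexKey, "Hex"))>
<cfset Encrypted = "182f2031903e0a63ed77881b1561954c">
<cfset Decrypted = Decrypt(Encrypted, MyKey, "AES", "Hex")>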
First we take the HexKey, binaryDecode it and Base64 it. Then we feed those values along with our encrypted text into the Decrypt function. Finally, output the results:
There is a lot of conversion going on, but I'm not quite sure why it's needed. I was able to get this working using Crypto and CF, but never ASCrypt3 and CF. I suspect the problem was in the encoding of the key + result, but never had a chance to explore it in further depth. Can anyone explain?
Your mission, if you choose to accept it, is to write the CF code to encrypt data before sending it to Flex. It shouldn't take long.
If you need to do something 'real world' you'll have to download Crypto and figure out how to call the encryption algorithms within Flex. :-)
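One way to do the ColdFusion side of that round trip, reusing the key conversion from the decrypt code above (an added example, not code from the original post). The function name hexKeyToCFKey and the variable names are illustrative; the key, plain text and cipher text are the values quoted earlier.

```cfml
<!--- Added example: hexKeyToCFKey and all variable names are illustrative. --->
<cffunction name="hexKeyToCFKey" returntype="string" output="false">
    <cfargument name="hexKey" type="string" required="true">
    <!--- A 128-bit key is exactly 32 hex digits; reject anything else early. --->
    <cfif NOT REFind("^[0-9A-Fa-f]{32}$", arguments.hexKey)>
        <cfthrow type="InvalidKey" message="Key must be 32 hex digits (128 bits).">
    </cfif>
    <!--- Encrypt/Decrypt take AES keys as Base64 text, the format
          GenerateSecretKey returns, so re-encode the raw key bytes. --->
    <cfreturn ToBase64(BinaryDecode(arguments.hexKey, "Hex"))>
</cffunction>

<!--- Key, plain text and cipher text are the values quoted in the post. --->
<cfset cfKey = hexKeyToCFKey("e1787cfc32d25355f267c53837c6062e")>
<cfset plainText = "This is a Test">
<cfset fromFlex = "182f2031903e0a63ed77881b1561954c">

<!--- "AES" alone selects AES/ECB/PKCS5Padding, matching the demo's ECB mode. --->
<cfset cipherHex = Encrypt(plainText, cfKey, "AES", "Hex")>
<cfset roundTrip = Decrypt(cipherHex, cfKey, "AES", "Hex")>

<cfoutput>
    Cipher text from CF: #cipherHex#<br>
    <!--- Compare case-insensitively: hex letter case can differ between systems. --->
    Same as Flex cipher text: #YesNoFormat(CompareNoCase(cipherHex, fromFlex) EQ 0)#<br>
    Decrypted again: #roundTrip#
</cfoutput>
```

With ECB and a fixed key, the same plain text always encrypts to the same cipher text, which is why the two systems can be compared byte for byte here and also why repeated messages are recognizable on the wire.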