Thursday, January 28, 2010

CF: Flex: PGP Implementation for ColdFusion

Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication.
PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was created by Philip Zimmermann in 1991.

The use of PGP in file exchanges has increased over the years and has become a common way of securing file contents. Thus, encountering this in more and varied projects is not unusual.

There are several implementations for popular platforms such as Java and .NET; I classified them into broad camps of heavy commercial or hard-to-use open source; thus the availability of easy-to-implement PGP solutions for ColdFusion is limited. In particular, I found existing implementations rather difficult to use.
Thus, I embarked on this project. To make a long story short, I ended up using the underlying work of the league of Bouncy Castle folks. The complete source code for those libraries can be downloaded from there.

I implemented the most common scenarios (generate keys or key rings, encrypt and decrypt) and exposed all this through a ColdFusion component to the world. Thus the effort to use PGP is reduced to one-liners of code (which I like).

Along the same lines, if you use Flex and need a library to encrypt/decrypt, this implementation can easily be used as a backend for that kind of scenario. A few tweaks to the main component should allow you to call on all the functions: read, write, generate keys, etc.

Of course, there is so much more that can be done with PGP. Time permitting, I may expand this implementation to expose other functionality.

You can download this from RIAForge (pgp.riaforge.com).

Cheers,
-Bilal

5 comments:

Dorie said...

Thanks, very useful!

Would it be possible to encrypt a string and not an entire file?

bman said...

Dorie,
you could certainly only encrypt simple strings. As the more common scenario that I faced was to handle large files, I built this to initially do whole file encryption/decryption.
You can still work with this to handle simple strings though; you would need to save them to a file using the CFFILE tag first and, then, call on the routines.
For example, you could extend the existing component to handle all this for you transparently by adding your own functions or create a new component that calls on the PGP component. You would pass the string to your function, your function would save it to a file, call the PGP routines, pick up the file content and return it to you.

I will put direct string encryption on the list of things to look at for future changes.

Best,
B.
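
The temporary-file round trip described in the reply above, as an added example that is not part of the original comment or of the PGP component. The `encryptFile` method and its argument names are assumptions standing in for the component's actual API; the file functions are standard CFML built-ins.

```cfml
<cfscript>
// Added example. pgp is an instance of the PGP component; encryptFile and its
// argument names are hypothetical, so substitute the component's real method.
function encryptString(required string plainText, required any pgp, required string publicKeyPath) {
    // Unique names so concurrent requests never share or overwrite a file.
    var base = getTempDirectory() & createUUID();
    var plainPath = base & ".txt";
    var cipherPath = base & ".pgp";

    try {
        // The plaintext is on disk from this point until the finally block runs.
        fileWrite(plainPath, arguments.plainText, "utf-8");

        arguments.pgp.encryptFile(
            inputFile = plainPath,
            outputFile = cipherPath,
            keyFile = arguments.publicKeyPath
        );

        // Read as binary so unarmored PGP output is not mangled by a charset
        // conversion; use fileRead() instead if the output is ASCII-armored.
        return fileReadBinary(cipherPath);
    } finally {
        // Runs on success and on error, so a failed encryption does not leave
        // the plaintext behind. fileDelete() unlinks the file; it does not
        // overwrite the blocks it occupied.
        if (fileExists(plainPath)) {
            fileDelete(plainPath);
        }
        if (fileExists(cipherPath)) {
            fileDelete(cipherPath);
        }
    }
}
</cfscript>
```

Pointing the temporary directory at a location readable only by the ColdFusion service account narrows the window in which the plaintext file is exposed.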

Dorie said...

Thanks B,
Yeah, I'm using the cffile now, but since it's sensitive content I was thinking that it would be ideal if I could avoid ever having to write it to the server. Just for kicks I also tried writing to CF9's virtual file system, but it seems that doesn't translate into the java.
Anyway, thanks for building this cool CFC!

John said...

Was this updated to encrypt strings rather than stored files?

Thanks

bman said...

John,
Have not made a change to it yet.
Hopefully, I will revisit this project mid summer and do some requested revisions.

Thanks,
B.