HMAC Algorithms and Encoding?

[hofar...@houseoffusion.com]

I'm working on a Cybersource Authorization form, which has a PHP sample
page.



I'm trying to use the hmac() function in CF10. However, the documentation
on it is lacking to say the least.

Parameters


Parameter

Required\Optional

Description


message

Required

The message to transmit. The message can be a String or a byte array.


key

Required

The secret key to create HMAC. The key can be a String or a byte array.


algorithm

Optional

Algorithm used.


encoding

Optional

Encoding to be used.





No where can I find the algorithms or encoding options that can be used. The
example itself is of little use. Anyone have any links, lists etc, where I
can find some?



Thanks



Sandy Clark

About Web







~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359247

[hofar...@houseoffusion.com]

Sandy,

I do believe that you can use any algorithm that the hash function
supports. Take a look at the documentation for hash and you will see what
options you have.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359248

[hofar...@houseoffusion.com]

Tried that, I am now getting an error telling me that "An error occurred
while generating HMAC.
Error: Algorithm SHA-256 not available."

HASH() documentation is showing SHA-256
*sigh*

-----Original Message-----
From: Dean Lawrence [mailto:dea...@gmail.com]
Sent: Tuesday, September 9, 2014 9:53 AM
To: cf-talk
Subject: Re: HMAC Algorithms and Encoding?


Sandy,

I do believe that you can use any algorithm that the hash function supports.
Take a look at the documentation for hash and you will see what options you
have.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359249

[hofar...@houseoffusion.com]

Sandy, what are you trying to encrypt? I ran into a similar issue recently
trying to use AES 256 encryption for SFTP

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359250

[hofar...@houseoffusion.com]

Sandy,

Looking at the example in the HMAC() docs, they prefixed the algorithm type
with "HMAC". Maybe if you try "HMACSHA-256", to see if it works?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359251

[hofar...@houseoffusion.com]

Thanks

I'm trying to encrypt payment information for a group using CyberSource.
I found documentation on encrypt() that specified using HMAC-SHAx (where x
could be 256). Got the same error.
http://help.adobe.com/livedocs/coldfusion/8/htmldocs/help.html?content=funct
ions_e-g_01.html. CF10 documentation for encrypt is not as useful

Since I don't have time to try every iteration that it could possibly be, I
finally gave up, found Ben Nadel's Crypto library and it worked out of the
box.

But really, Adobe do the documentation correctly.
HMAC
Creates Hash-based Message Authentication Code for the given string based on
the algorithm and encoding. Hash-based Message Authentication Code (HMAC) is
used to verify the data integrity and authenticity of a message transmitted.
It involves a cryptographic hash function in combination with a secret key.
The cryptographic hash function can be Message Digest 5 (MD5), Secure Hash
Algorithm (SHA), and so on.

See also
SessionInvalidate, Session Rotate.

Example
<h2>HMAC Test</h2>
<cfset x=hmac("Hi There","key1","HMACRIPEMD160")>
<cfoutput>#x#</cfoutput>

None of this tells me anything. Especially since I can't find any reference
to HMACRIPEMD160 (hoping that would lead me to something) other than that
HMAC documentation or some PDF's that are generated from the Wiki Pages and
the above mentioned CF8 page, which again lists HMAC-SHA256.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359252

[hofar...@houseoffusion.com]

I found that there are certain things that ColdFusion doesn't support 256
bit encryption for. SFTP and CFHTTP among others. The solution is to
download and install the updated encryption library from Sun. I can post
details when I'm not on my phone.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359253

[hofar...@houseoffusion.com]

Try "HMACSHA256" for the algorithm see http://cfdocs.org/hmac

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359260

[hofar...@houseoffusion.com]

Thanks Pete!

-----Original Message-----
From: Pete Freitag [mailto:pe...@foundeo.com]
Sent: Tuesday, September 9, 2014 2:11 PM
To: cf-talk
Subject: Re: HMAC Algorithms and Encoding?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359263

[hofar...@houseoffusion.com]

Does SHA256 require the Java Cryptography Extension be installed, or is
that just SHA512 and above?
-Carl V.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359264

[hofar...@houseoffusion.com]

I would take a guess that it does, I needed to do it to get AES 256 to
work for SFTP

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359265