A salt is simply a value used to increase the security of the encrypted
value.

So, let's say you are encrypting the string "password" and you have set the
salt value to "xyz123", the encryption algorithm basically combines the two
values together and encrypts the result.

This reduces the possibility that something like a dictionary attack would
be successful to breach the encryption - even if "password" is a dictionary
word, the combination of "password" + salt is very unlikely to be.

You can often use whatever you like for the salt, but some encryption tools
require you to use some companion function to generate the value. If you
ever want to decrypt the result (or, if a one-way hash, do a compare), you
need to retain the salt value used in the encryption, and in a cross-system
scenario like yours, you need to be able to share that value with the other
system.

On 5/7/07, Christine Davis <[EMAIL PROTECTED]> wrote:
>
> Dude, I'm sorry I was not clearer.  I'm in an application where I need to
> encrypt a piece of data and store it.  When encrypting that data I need to
> use a specific salt value and a specific number of iterations, I'm trying to
> get a better understanding of what a salt value is and how it should be
> created.
>
> In this instance it does not make sense to have the other application do
> the work instead of my application.  If it did make sense to do that, I'd
> delete my application and be done with it
>
> Thanks!
>
> Christine Davis
> ColdFusion Lead
> Nations Technical Services
> Prairie Village, KS
> 913-748-8044 ext 4703
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Andrew Scott [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 07, 2007 11:55 AM
> To: CF-Talk
> Subject: Re: PBEWithMD5AndDES
>
> Then go back to your java developer and find out what methods of
> communication are open to you, whether it be through a url or webservices.
> Otherwise, if it is convenient to you, you could bring the java library down
> to you and install it on your server, provided you only use it for
> decryption and encryption.
>
> On 5/8/07, Christine Davis <[EMAIL PROTECTED]> wrote:
> >
> > Unfortunately, the app where the code is in Java is separate from my
> > application.  I'm trying to communicate with it.  It is not an application
> > on my server.
> >
> > Christine Davis
> > ColdFusion Lead
> > Nations Technical Services
> > Prairie Village, KS
> > 913-748-8044 ext 4703
> > [EMAIL PROTECTED]
> > -----Original Message-----
> > From: Andrew Scott [mailto:[EMAIL PROTECTED]
> > Sent: Monday, May 07, 2007 11:41 AM
> > To: CF-Talk
> > Subject: Re: PBEWithMD5AndDES
> >
> > If the code is already written in Java, why not look at CreateObject to
> > use it rather than rewrite it in CF?
> >
> > On 5/8/07, Christine Davis <[EMAIL PROTECTED]> wrote:
> > >
> > > Hello everyone,
> > >
> > >
> > >
> > > I'm entering the brave new world (for me) of encrypting and sharing data
> > > between a couple of different applications.  We are attempting to encrypt a
> > > password using PBEWithMD5AndDES.  The Java Developer sent me the following
> > > information:
> > >
> > >
> > >
> > > If cleartext (password) is nations1
> > >
> > > then PBE encrypted is …÷     ‰Yu5+Tpô?__ E
> > >
> > > and Base64 encoded is hfcJiVl1NStUcPQ/EBwgRQ== **
> > >
> > > ** This (Base64) is the value to store in the external_password field of
> > > correspondence_recipient.
> > >
> > >
> > >
> > > For the example, we're using C1F9J9V5 for the password and IVorSalt thing
> > > and iterations are as follows in Java:
> > >
> > >
> > >
> > > byte[] salt = {
> > >     (byte)0xc7, (byte)0x73, (byte)0x21, (byte)0x8c,
> > >     (byte)0x7e, (byte)0xc8, (byte)0xee, (byte)0x99
> > > };
> > > int count = 20;
> > >
> > >
> > >
> > >
> > >
> > > We've gotten this far:
> > >
> > >
> > >
> > > <cfscript>
> > >      theEncrytString = "nations1";
> > >      thePassword = "C1F9J9V5";
> > >      theMethod = "PBEWithMD5AndDES";
> > >      theEncoding = "Base64";
> > >      theSalt = "???????";  //WHAT IS THIS???? HOW DO WE DO IT???
> > >      theIterations = 20;
> > >      test = Encrypt(theEncrytString, thePassword, theMethod, theEncoding);
> > >      //test = Encrypt(theEncrytString, thePassword, theMethod, theEncoding, theSalt, theIterations);
> > > </cfscript>
> > >
> > > <cfoutput>#test#</cfoutput>
> > >
> > >
> > >
> > > Could someone please explain the IVorSalt variable, the Java code above
> > > that generates the salt byte array and what iterations are used for?  Also,
> > > I believe we need to recreate the Java code in ColdFusion for this to be
> > > shared between the two apps, how do we do that?
> > >
> > >
> > >
> > > Thanks!
> > >
> > > Christine Davis
> > > ColdFusion Lead
> > > Nations Technical Services
> > > Prairie Village, KS
> > > 913-748-8044 ext 4703
> > > [EMAIL PROTECTED]

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277170
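
The reply at the top of this message says the salt is combined with the password and that both systems must hold the same salt and iteration count. As an added example (not code from the thread or from either application), this Java program runs the standard JCE `PBEWithMD5AndDES` transformation with the password, salt bytes and count quoted in the original question; the class name `PbeSaltDemo`, the helper `run` and the altered salt are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PbeSaltDemo {
    // Salt and iteration count quoted in the thread; both sides must use the same values.
    static final byte[] SALT = {
        (byte) 0xc7, (byte) 0x73, (byte) 0x21, (byte) 0x8c,
        (byte) 0x7e, (byte) 0xc8, (byte) 0xee, (byte) 0x99
    };
    static final int COUNT = 20;

    // PBES1 key derivation: MD5 over password || salt, then the digest is re-hashed
    // until `count` rounds are done. The first 8 bytes of the result become the
    // DES key and the last 8 the CBC IV.
    static byte[] run(int mode, char[] password, byte[] salt, int count, byte[] input)
            throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(mode, key, new PBEParameterSpec(salt, count));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "C1F9J9V5".toCharArray();   // password from the thread
        byte[] clear = "nations1".getBytes(StandardCharsets.UTF_8);

        byte[] ct = run(Cipher.ENCRYPT_MODE, password, SALT, COUNT, clear);
        System.out.println("Base64 ciphertext: " + Base64.getEncoder().encodeToString(ct));

        // Same password, salt and count: decryption recovers the cleartext.
        byte[] pt = run(Cipher.DECRYPT_MODE, password, SALT, COUNT, ct);
        System.out.println("Round trip:        " + new String(pt, StandardCharsets.UTF_8));

        // Constructed variation: flip one bit of the salt. The derived key and IV
        // change, so the same cleartext encrypts to a different ciphertext.
        byte[] otherSalt = SALT.clone();
        otherSalt[0] ^= 0x01;
        byte[] ct2 = run(Cipher.ENCRYPT_MODE, password, otherSalt, COUNT, clear);
        System.out.println("Other salt:        " + Base64.getEncoder().encodeToString(ct2));

        // The salt is raw bytes, not text; Base64 is one way to hand it to another system.
        System.out.println("Salt as Base64:    " + Base64.getEncoder().encodeToString(SALT));
    }
}
```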