What is the most secure hash algorithm in ColdFusion?

3
votes

What is the most secure hash algorithm to use in ColdFusion 9 (non-Enterprise)?

According to the CF documentation, these are the options:

MD5: (default) Generates a 32-character, hexadecimal string, using the MD5 algorithm (The algorithm used in ColdFusion MX and prior releases).

SHA: Generates a 40-character string using the Secure Hash Standard SHA-1 algorithm specified by Nation Institute of Standards and Technology (NIST) FIPS-180-2.

SHA-256: Generates a 44-character string using the SHA-256 algorithm specified by FIPS-180-2.

SHA-384: Generates a 64-character string using the SHA-384 algorithm specified by FIPS-180-2.

SHA-512: Generates an 128-character string using the SHA-1 algorithm specified by FIPS-180-2.

But in this article, it says not to use MD5 or SHA-1

I am also a little skeptical about the cf documentation. It says encoding "SHA-512" uses SHA-1, but the description of "SHA-512" for the Enterprise version is "The 512-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198." And the output of SHA-512 is larger than SHA-384. Sorry, I am having a hard time getting my head around all these different encoding principles.

1
encryptionhashcoldfusioncoldfusion-9password-encryption
Did you do a search first? (Note, the topic of hashing is not really CF specific, so do not limit searches to CF only.) If you search on "hashing security" there are a number of existing threads that discuss the various aspects of hashing, such as this thread.Leigh
The article says don't use MD5 or SHA-1 for passwords. MD5 is obsolete, but there are legitimate non-password uses of SHA-1 (e.g. when being fast is important).Peter Boughton
For using bcrypt/scrypt (the algos mentioned in the link Leigh posted) with CF I have a project which aims to make it as simple as copying a few files then simply calling relevant functions.Peter Boughton
I realize this topic is not specific to CF but I only have certain options by default in CF9 and I am not sure which is the most secure.jessieloo
You've kind of answered your own question, haven't you? If you discard MD5 and SHA-1, you're left with SHA-256 and SHA-384. And all things being equal SHA-384 is better than SHA-256 in this context. Ref: en.wikipedia.org/wiki/Secure_Hash_Algorithm (which I got from googling)Adam Cameron

1 Answers

3
votes

Hashes are not secure by themselves, anything that can be hashed can be broken. So in the security world you might think, ok I need to run the hash multiple times to obscure it more, but that doesn't secure the information, it just means someone has to repeat that same process and iterate over the hash multiple times. If they know the hash algorithm you used and assume they do, it's not secure. Sha-256 should be good enough for hashing information unless you are trying to secure the information. Hashes should never ever be used by themselves to secure information. Just because it isn't human readable does not make it secure.

If you want to secure something use coldfusion a encrypt functions and make sure you use a decent algorithm, like AES because the default in coldfusion is not secure. Then you need to use some entropic data from the information you're securing to ensure you have a unique encryption key that would be hard for someone to guess or find. Do not hard code a single key in your code, this will make it easy for someone to find and utilize a pattern in all of your encryptions.

Use something like bcrypt or scyrpt for storing passwords. I know they are more work to put into use and require java integration in coldfusion but they are much more secure ways of storing information. Remember that even with bcrypt or scrypt the information can be compromised given enough time and someone willing to put the effort into decrypting it. Be paranoid when securing information.