How can I encrypt a string with RSA using a given public key - using ColdFusion 7?

I will receive from a 3rd Party website a public key (exponent and modulus) and I need to encrypt a string with the given key to send the data encrypted.

The Production environment is ColdFusion 7.

I need to use RSA

I'm having some trouble to do this, I don´t know how to encrypt using the key.
Any suggestions of a reliable 3rd party custom tag or alternative?

Note: The 3rd party site has provided the following documentation but it is for PHP.

PHP

This sample requires the use of phpseclib
Ensure that prior to encoding with the RSA algorithm your string is encoded as Unicode (UTF-16 Little Endian).


01 require_once('Crypt/RSA.php');
02       
03      function EncryptMyQueryString($accountLoginType, $userName, $password) {
04          return RSAEncrypt($accountLoginType . "|" . $userName . "|" . $password);
05      }
06      function RSAEncrypt($dataToEncrypt) {
07          $publicKey = '<RSAKeyValue>
08                            <Modulus>uno9DsYcaZ1yAqY20nIM+YjYjjFsGx0DYm7lBGxbmVLLZTYc9MaI0Br+
09                            8ElcuZVVNRmGeVBlkcHT3JpMDf/fiWSho6o0pRhQZmnG4RZtCWnGjFTV+
10                            QWBYcuTGoQFKOtsrGqG16XwL2hPxqYW/7nzBVgAGe6myG3hMou8P4DSpjk=</Modulus>
11                            <Exponent>AQAB</Exponent>
12                            </RSAKeyValue>';
13             $xml = new DOMDocument();
14             $xml->loadXML($publickey);
15       
16             $modulus = new Math_BigInteger(base64_decode($xml->getElementsByTagName('Modulus')->item(0)->nodeValue), 256);
17             $exponent = new Math_BigInteger(base64_decode($xml->getElementsByTagName('Exponent')->item(0)->nodeValue), 256);
18             $key = array('modulus' => $modulus, 'publicExponent' => $exponent);
19       
20             $rsa = new Crypt_RSA();
21       
22             $rsa->loadkey($key, CRYPT_RSA_PUBLIC_FORMAT_RAW);
23             $rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
24       
25             $plainbytes = mb_convert_encoding($dataToEncrypt,"UTF-16LE", "auto");
26             $res = $rsa->encrypt($plainbytes);
27       
28             return  base64_encode ( $res );
29      }
30       
31      echo EncryptMyQueryString('loginTypeName', 'userName', 'p@s$w0rd1@');
peter1967Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SidFishesCommented:
CF7 didn't support RSA and later versions only support it in the Enterprise edition ($$$) so you're probably out of luck.

You might look at this https://github.com/ggfx/coldfusion-rsa which supports CF8+ but more importantly, Railo, which could replace your old version of CF and do RSA. I'm not vouching for implementation (and implementation in encryption is probably more important than algorithms) but it's worth a look.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
_agx_Commented:
True, though in theory it should be possible by installing the right java library. As long as its compatible with java 1.4. I haven't done it, but the github project mentions this article which says:

"In addition to the algorithms supplied with ColdFusion, you can install 3rd-party Java Security Providers to use additional algorithms"

I assume they mean makes additional algorithms available to the encrypt/decrypt() functions.  If that doesn't work, you could do it yourself w/createObject using either the BSAFE or BouncyCastle libraries:

http://www.12robots.com/index.cfm/2010/7/19/Using-Asymmetric-Cryptography-in-your-ColdFusion-Application--Security-Series-1610

more importantly, Railo, which could replace your old version of CF

Yeah, if possible, I'd recommend looking into Railo. CF7 is a bit long in the tooth and no longer supported.
0
SidFishesCommented:
ya, I just am not a fan of messing with too much 3rd party encryption addon-y bits, especially if you don't really know what you're doing...that implementation thing...

but certainly those are options to look at. Railo is still the better option as there are very likely security issues with CF7 that are no longer being fixed.

on the other hand, we found out last week that it's all a pointless anyways right ;P
0
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

_agx_Commented:
Well I'm no expert, but I'm less hesitant about using java libs since that's ultimately what CF functions are doing anyway.   (Edit: I don't mean it to sound like I  take it lightly. But most of these algorithms and libraries are established well documented. So there's a greater range of resources available when it comes to questions, than there are for questions on CF's encrypt/decrypt functions.)   Agreed the bigger problem is people using any encryption without understanding what they're doing (...or not doing).  It's very easy to get encryption wrong, or do things insecurely, no matter what tool you're using.


> Railo is still the better option

100% agreed on that.  I'm just throwing out options if they absolutely can't switch.

> we found out last week that it's all a pointless anyways right ;P

I've been living under a rock for the past week.  What did I miss?
0
peter1967Author Commented:
Thanks to all who have posted. It looks I have quite a bit of research to do and will need to see what the client is willing to pursue. Not sure how to reward points
0
SidFishesCommented:
Living under a rock? More like living under a rock 3 miles underground...it's been everywhere :0

http://www.newyorker.com/online/blogs/elements/2013/09/the-nsa-versus-encryption.html

(of course still doesn't mean we shouldn't be -trying- to keep things secure...)
0
_agx_Commented:
Lol, ohh ... *that* pointless.  Yeah, I'd read about that.  

(Phew.. I'm not so out of touch I don't know the year ... it's 1984 ;-)
0
peter1967Author Commented:
Getting the go ahead for the upgrade and or migration over to Railo  :-)
0
_agx_Commented:
Good choice!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ColdFusion Language

From novice to tech pro — start learning today.