This presentation was given last year at NVCFUG and covers topics of login/authentication security, obfuscation, encryption and more.

1. Securing Your ColdFusion Web Applications NVCFUG December 2010

2. HTTP Basic Authentication First HTTP authentication mechanism Easy to implement with .htaccess Highly unsecure mechanism Username and password sent in clear text for each request to the server Multiple brute-force applications are widely available to break HTTP Basic Authentication

3. Web Based Basic Authentication Uses HTML form to gather login information Easy to implement Highly unsecure mechanism Username and password sent in clear text

4. Secure Authentication Uses HTML form and Javascript Hash() to gather login information Easy to implement Slightly more secure mechanism Username sent in clear text (or MD5 hashed) Password sent as MD5 hash Hashed password protects password disclosure but can still be used to force authentication

5. Federated Secure Authentication Uses HTML form, random seed and Javascript Hash() to gather login information Forces a pre-authentication cookie and/or referrer data to ensure login from proper site Hashes the password with random seed Protects password hash from recovery Uses random session ID’s for each request Highly secure mechanism

6. Encryption Algorithms CFMX-COMPAT (default) Basically a Crypt() function Easy to decipher/break DES Very Basic Encryption Easy to decipher/break AES/DESEDE Basic Encryption Moderately difficult to decipher/break BLOWFISH Enhanced Encryption Very difficult to decipher/break

7. Encryption Encodings Base64 ASCII encoding Good choice for binary storage/transfer Requires URL encoding HEX HEX encoding Better choice for passing GET/POST data Requires no URL encoding UU UUEncode – default CFML encoding A good choice for backwards compatibility with older applications and technologies

8. Advanced Encryption Java Cryptography Extensions Sun Unlimited Strength Jurisdiction Policy Files The Legion of the Bouncy Castle extensions Twofish, Skipjack, Serpent, S/MIME, HMAC-SHA1 encryptions MD2, MD4, RipeMDxxx, SHA-224 and Tiger hashes

9. Obfuscation Techniques Hash() One-way encryption MD5 SHA1 Implementation GET/POST of data FORM and URL parameter names Database table and column names

10. Maintaining State HTTP is a stateless protocol State maintains key data for each unique session Required for authentication mechanisms Randomizing state session ID’s Session (State) Management SESSION variables COOKIES

11. Built-In Routines CFML authentication framework Uses SESSION variables for state management OOP techniques easily implemented <cflogin> Defines code to execute for session login <cfloginuser> Defines user and role information for current session <cflogout> Logs a user out of the system IsUserInRole() Checks the user’s role(s) getAuthUser() Queries the user’s session information

12. Other Considerations Use email addresses as usernames Password generation, recovery and change management Use multiple encryption algorithms for different areas of the application Use combined encryption algorithms for highly secure data storage Apply secure/federated authentication to non-form based interactions (e.g. Webservices, Flex/AIR RIA’s)

13. Putting It All Together The login form Username and password MD5 Javascript hash()ing with random seed The authenticator Compare user/pass with encrypted database entries The session manager Handesuser information from the authenticator Manages sessions and maintains state User management Change password Admin user management Password recovery