generatePBKDFKey

CFML implementation of Password-Based Key-Derivation Function (PBKDF)

generatePBKDFKey(algorithm, passphrase, salt, iterations, keySize); → returns string

Argument Reference

algorithm string
Required

Hashing algorithm used for generating key
Values:
  • PBKDF2WithHmacSHA1
  • PBKDF2WithSHA1
  • PBKDF2WithSHA224
  • PBKDF2WithSHA256
  • PBKDF2WithSHA384
  • PBKDF2WithSHA512
  • PBKDF2WithHmacSHA256
  • PBKDF2WithHmacSHA384
  • PBKDF2WithHmacSHA512

passphrase string
Required

Passphrase used for the key. KEEP THIS SECRET.

salt string
Required

A string which will be added to the passphrase before the key is derived.
The standard recommends a salt length of at least 64 bits (8 characters). The salt needs to be generated using a pseudo-random number generator (e.g. SHA1PRNG).

iterations numeric
Required

The number of PBKDF iterations to perform. A minimum recommended value is 1000.

keySize numeric
Required

The length in bits of the key to generate

Compatibility

ColdFusion:

Version 11+ Adobe ColdFusion Enterprise includes a Java crypto provider that implements these algorithms. These algorithms are available only in enterprise versions:
  • PBKDF2WithSHA1
  • PBKDF2WithSHA224
  • PBKDF2WithSHA256
  • PBKDF2WithSHA384
  • PBKDF2WithSHA512
  • PBKDF2WithSHA512-224
  • PBKDF2WithSHA512-256

Lucee:

Version 5+ For Lucee it is up to the provider that you have installed; if using the default Java crypto provider, it only supports "PBKDF2WithHmacSHA1" on Java 1.7, for example. If you are using Java 8 it supports more algorithms (such as PBKDF2WithHmacSHA512). The iterations and keySize parameters are optional in Lucee.

Examples
Sample code invoking the generatePBKDFKey function

The PBKDF2WithHmacSHA1 algorithm will work on older JVMs, or older versions of CF

generatePBKDFKey("PBKDF2WithHmacSHA1", "secret", "salty", 5000, 128)

Expected Result: Y0MCpCe3zb0CNJvyXNUWEQ==

// some variables
password = "top_secret";
dataToEncrypt = "the most closely guarded secret";
encryptionAlgorithm = "AES";
keysize = 128;
algorithmVersion = 512;
PBKDFalgorithm = 'PBKDF2WithHmacSHA' & algorithmVersion;
// Iteration count, kept separate from the hash size above
iterations = 5000;

// Generate a random salt as recommended in docs
length = keysize / 8;
multiplicator = 10 ^ length;
// Rand() draws from SHA1PRNG; Randomize() with a fixed seed would repeat the same salt on every run
salt = Round(Rand('SHA1PRNG') * multiplicator);

// The magic happens here
PBKDFKey = GeneratePBKDFKey(PBKDFalgorithm, password, salt, iterations, keysize);
encryptedData = encrypt(dataToEncrypt, PBKDFKey, encryptionAlgorithm, "BASE64");
decryptedData = decrypt(encryptedData, PBKDFKey, encryptionAlgorithm, "BASE64");

// Output
writeOutput("<b>Generated PBKDFKey (Base 64)</b>: " & PBKDFKey);
writeOutput("<br /><b>Data After Encryption</b>: " & encryptedData);
writeOutput("<br /><b>Data After Decryption</b>: " & decryptedData);
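
The salt and the iteration count are not secret, but the same values are needed to derive the same key again in a later request. The following is an added example (not from the original page, Adobe or Lucee) that shows this with the algorithm, iteration count and key size of the first example; the helper names newKeyRecord and rederiveKey are hypothetical, and using generateSecretKey output as the salt string is an assumption.

```cfml
<cfscript>
// Added example. newKeyRecord and rederiveKey are hypothetical helper names.

// Derive a key under a fresh random salt. Only the passphrase is secret;
// the returned params must be stored (for example next to the ciphertext)
// so that the key can be rebuilt later.
function newKeyRecord(required string passphrase) {
    var params = {
        algorithm  = "PBKDF2WithHmacSHA1",
        // Assumption: 128 random bits from generateSecretKey, kept as Base64 text, serve as the salt string
        salt       = generateSecretKey("AES", 128),
        iterations = 5000,
        keySize    = 128
    };
    return {
        params = params,
        key    = generatePBKDFKey(params.algorithm, arguments.passphrase, params.salt, params.iterations, params.keySize)
    };
}

// Rebuild the key from the passphrase and the stored, non-secret parameters.
function rederiveKey(required string passphrase, required struct params) {
    return generatePBKDFKey(params.algorithm, arguments.passphrase, params.salt, params.iterations, params.keySize);
}

first  = newKeyRecord("top_secret");
second = newKeyRecord("top_secret"); // same passphrase, new salt

sameSalt      = rederiveKey("top_secret", first.params);
wrongPassword = rederiveKey("top-secret", first.params);

// compare() returns 0 when the two Base64 key strings are identical
writeOutput("Stored salt, same passphrase gives the same key: " & (compare(sameSalt, first.key) == 0));
writeOutput("<br />New salt, same passphrase gives the same key: " & (compare(second.key, first.key) == 0));
writeOutput("<br />Stored salt, wrong passphrase gives the same key: " & (compare(wrongPassword, first.key) == 0));
</cfscript>
```

Only the first comparison reports a match: a key derived under a different salt or from a different passphrase does not decrypt data encrypted with the first key.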
