Do you want ColdFusion to support HMAC hashing natively?

Vote it up! http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=86654

What is HMAC? http://en.wikipedia.org/wiki/HMAC

Where is HMAC needed? Amazon Web Services, Credit Card Gateways, Twitter, etc...

Which CFer has used HMAC successfully with ColdFusion?

• Dave Delbridge
• Ben Nadel

What can we use today?

• HMAC_SHA1() <-- would the author please post to cflib or adobe cookbooks?

"SHA" in hash() is not SHA-1 in CF8/9, it is SHA-0! (according to CFWACK)

UPDATE: I wasn't intend to promote the use of SHA-1 for hashing password, or hashing anything using SHA-1 in general.  This post is here to point out the highly used "SHA" param for hash() is actually SHA-0.  For those who intended to compute a valid SHA-1 hash, please use "SHA-1" as the algorithm param.


Do you know "SHA" algorithm in ColdFusion is actually the broken flawed "SHA-0"?

According to wikipedia

A retronym applied to the original version of the 160-bit hash function published in 1993 under the name "SHA". It was withdrawn shortly after publication due to an undisclosed "significant flaw" and replaced by the slightly revised version SHA-1.

And according to owasp.org

SHA-0 has been conclusively broken. It should no longer be used for any sensitive applications.

So please use "SHA-1" instead of the flawed "SHA" if you want a SHA-1 hash.  It is available in ColdFusion Standard Edition.  Somehow it is not in CFBuilder's code assist for hash().

I cannot believe how error-ridden is the CF 9's documentation on hash().  Many errors are carried over from CF 8 documentation and this is unacceptable.  Just read the comments section and you will see that all the returned lengths are stated incorrectly, and many algorithms that are available in Standard Edition are listed under Enterprise Edition only.

Please use Adobe ColdFusion 9 Web Application Construction Kit (block-quoted below).  The list is applicable to CF 8 as well, but I'm not sure about CF7 or earlier.  Also, please read the comments of this post.

.... In ColdFusion 9, the Hash() function also leverages the message digests supplied by the SunJCE provider. 

...

algorithm

Optional. This is the algorithm used to hash the string. ColdFusion includes a backward-compatible algorithm, as well as the default algorithms supported by the SunJCE provider:

• CFMX_COMPAT (default). Algorithm used in ColdFusion versions prior to MX 7; this is the least-secure option (same as MD5 algorithm)
• MD2. The MD2 algorithm; generates a 32-byte, hexadecimal string
• MD5 (default). The MD5 algorithm; generates a 32-byte, hexadecimal string (same as CFMX_COMPAT algorithm)
• SHA. The original Secure Hash Standard (SHA-0) algorithm specified by NIST FIPS-180; generates a 40-character string
• SHA-1. The SHA-1 algorithm specified by NIST FIPS-180-2; generates a 40-character string
• SHA-256. Uses SHA-256 algorithm specified by FIPS-180-2; generates a 64-character string
• SHA-384. Uses SHA-256 algorithm specified by FIPS-180-2; generates a 96-character string
• SHA-512. Uses SHA-256 algorithm specified by FIPS-180-2; generates a 128-character string

ColdFusion 9 Enterprise edition includes the following RSA BSafe Crypto-J library algorithms for use with hash():

• SHA-224. The 224-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198
• HMAC-MD5. The hash message authentication code calculated using the MD5 hash algorithm
• HMAC-RIPEMD160. The hash message authentication code calculated using the RACE Integrity Primitives Evaluation Message Digest 160-bit message digest algorithm and cryptographic hash function
• HMAC-SHA1. The hash message authentication code calculated using the 160-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198
• HMAC-SHA224. The hash message authentication code calculated using the 224-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198
• HMAC-SHA256. The hash message authentication code calculated using the 256-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198
• HMAC-SHA384. The hash message authentication code calculated using the 384-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198
• HMAC-SHA512. The hash message authentication code calculated using the 512-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198

Tip

If an algorithm is in both the Sun JCE and Crypto-J, ColdFusion will use the one provided by Crypto-J.

jQuery was named jSelect, Yahoo didn't hire John Resig, who'd have known?

Don't believe me?  Listen to This Developer's Life 1.0.7 here

MAX 2010 SESSIONS on Adobe TV !!!

Recorded sessions available here!

I'm so gonna watch them all this weekend! Hurray!

Terrence Ryan taught me why <cfhtmlfoot> is not needed

I guess most of you have heard of or used <cfhtmlhead> for injecting things in between <head></head> in html, right?

Today I came across a blog post which talks about frontend performance tips, and one of them is to include script tags in the bottom of the page to avoid blocking (for more tips, see http://code.google.com/speed/articles/ ).  I know this tip for a while now, but I found myself hard to implement it with most MVC frameworks I used (i.e. MG2, ColdBox, FW/1).  For a second I really wish there's a <cfhtmlfoot> tag.  So I asked on the tweeter, and @tpryan replied:

@henrylearn2rock I use the request scope for this. Inject code into request.footer, then in the closing of my view, check for and publish.

Nice!  I guess we don't need <cfhtmlfoot> after all.  Thanks Terrence.

edit: gosh blogger, html encode post title and body ALREADY! And why are URL's not turned into hyperlinks automatically? You suck! It's 2010!!!

update: wow! look at this reply from @mach_ii!

@henrylearn2rock M2 supports this on OpenBD. cfhtmlbody: http://is.gd/esh24 & htmlbody(): http://is.gd/esh0Z Railo tix: http://is.gd/esh7x

update: oh, my man tpryan also blogged about this: Injecting JavaScript to the foot of a ColdFusion Page