Best algorithm to Encrypting / Decrypting a string

2020-08-01 05:42发布

问题:

It is not advisable to store email addresses in databases in plain text, so I would like to find out the best algorithm to do this. Options are:

(From the documentation)

  • CFMX_COMPAT: the algorithm used in ColdFusion MX and prior releases. This algorithm is the least secure option (default).

  • AES: the Advanced Encryption Standard specified by the National Institute of Standards and Technology (NIST) FIPS-197.

  • BLOWFISH: the Blowfish algorithm defined by Bruce Schneier.

  • DES: the Data Encryption Standard algorithm defined by NIST FIPS-46-3.

  • DESEDE: the "Triple DES" algorithm defined by NIST FIPS-46-3.

Another questions is where should the key be stored? In the database or in the source code? Will it be encrypted or not? If it will be encrypted, then the question raises of how the key that will encrypt the key be stored.

Should it be stored in the source code, will sourceless distribution be good?

回答1:

I would use AES. it's the fastest of those listed and the strongest.

As for where to store the key, that is the $64,000 question. You should not put it in the DB (At least not in the same DB as the data it is being used to encipher) or in your source code.

Key management is a beast of a topic. NIST has hundreds of pages of documentation on ways to do it.

http://csrc.nist.gov/groups/ST/toolkit/key_management.html

Key Management involves proper generaton, exchange, storage, rotation, and destruction of keys. You should not use the same key forever (a very common mistake) nor store it improperly.

You should take a look at the NIST guidelines and determine a strategy that works for you and adequately protects your data based on its sensitivity.



回答2:

Use AES or DESEDE - they're strong and in my experience have a lot of wide compatibility should you need to port this information for some reason.

As for the key, this isn't REAL critical data. Typically you would create a compsite key out of a unique piece of information for that data (like the userId) and a private key (salt) such as a constant in the code base:

Somewhere in your global settings / constants :

 <cfset myCodeBaseKey = "NateIsAwesome">

Then when you're ready to encrypt:

 <cfset myKey = hash(myCodeBaseKey & user.userId, "SHA")>

P.s. it works better if you use that exact salt phrase I hear. :P~