Migrating from Cold Fusion to ASP.NET

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

csandersii — Mon, 10 Nov 2008 18:37:06 GMT

You'd have to use the same parameters in .NET that were used in CF to match the raw phrase with the encrypted phrase. This requires that the same encryption method be applied to the .NET encryption that was used to initial create the encrypted record via CF.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

mayuresh_s — Sat, 08 Nov 2008 15:20:40 GMT

I have passwords encrypted in the database and i wanted to decrypt them. I know one password which is SRSSRS and the encrypted password is e9830a5640f8ecbf6657f34a1b093f20e1bdd8e0

Can someone tell me how I can decrypt the rest of the passwords ?

Thanks

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

fairfaxva — Thu, 22 May 2008 21:07:57 GMT

valekm, thank you for sharing your code. I am struggling to pass encrypted data between .NET 2.0 and coldfusion 6.1. In your coldfusion example above, the decrypt() has 5 parameters, but in coldfusion 6.1MX, the decrypt function has only two. Do you know how can I decrpt in CF 6.1 version? I look at the documentation of the function and it only taks the stringToDecrypt and key only. Thanks.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

csandersii — Mon, 18 Jun 2007 14:21:58 GMT

thanks valekm, it was the padding setting in CF that was throwing me off

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

valekm — Fri, 15 Jun 2007 23:40:30 GMT

As it appeared to be replacing encrypt with decrypt did not help the problem

You should also change padding setting in coldfusion. See the reverse code below:

.NET

<html>
   <head>
   </head>

   <body>

<%@ Page Language="VB" Debug="true" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Security.Cryptography" %>

<script runat=server language=vbscript>
Public Class Encryption64

    ' Use DES CryptoService with Private key pair
    Private key() As Byte = {} ' we are going to pass in the key portion in our method calls
    Private IV() As Byte = {80,108,67,75,101,121,87,83}


    Public Function DecryptFromBase64String(ByVal stringToDecrypt As String, ByVal sEncryptionKey As String) As String
        Dim inputByteArray(stringToDecrypt.Length) As Byte
        ' Note: The DES CryptoService only accepts certain key byte lengths
        ' We are going to make things easy by insisting on an 8 byte legal key length

        Try
            key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))
            Dim des As New DESCryptoServiceProvider()
            ' we have a base 64 encoded string so first must decode to regular unencoded (encrypted) string
            inputByteArray = Convert.FromBase64String(stringToDecrypt)
            ' now decrypt the regular string
            Dim ms As New MemoryStream()
            Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write)
            cs.Write(inputByteArray, 0, inputByteArray.Length)
            cs.FlushFinalBlock()
            Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8
            Return encoding.GetString(ms.ToArray())
        Catch e As Exception
            Return e.Message
        End Try
    End Function

    Public Function EncryptToBase64String(ByVal stringToEncrypt As String, ByVal SEncryptionKey As String) As String
        Try
            key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))
            Dim des As New DESCryptoServiceProvider()
            ' convert our input string to a byte array
            Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(stringToEncrypt)
            'now encrypt the bytearray
            Dim ms As New MemoryStream()
            Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write)
            cs.Write(inputByteArray, 0, inputByteArray.Length)
            cs.FlushFinalBlock()
            ' now return the byte array as a "safe for XMLDOM" Base64 String
            Return Convert.ToBase64String(ms.ToArray())
        Catch e As Exception
            Return e.Message
        End Try
    End Function

End Class

Function CleanString(ByVal str As String) As String
    Dim clean As String
    ' clean the pluses and forward slashes that appear in the BASE64encoding
    clean = str.replace("+", "%2B")
    clean = clean.replace("/", "%2F")
    Return clean
End Function

Function DecryptData()
    Dim enc As New Encryption64
    Dim base64encr As String = Request.QueryString("Q")
    Dim DecryptedData As String = enc.DecryptFromBase64String(base64encr, "ABCDEFGH")
    Return DecryptedData
End Function

</script>
    <%=DecryptData()%>
   </body>
</html>

ColdFusion

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
    <title>Untitled</title>
</head>

<body>
<cfscript>
    function CleanString(str) {
        str = replace(str, "+", "%2B", "all");
        str = replace(str, "/", "%2F", "all");
        return str;
    }
    theKey = ToBase64("ABCDEFGH");
    Vector = ToBase64("PlCKeyWS");
    baseVector = ToBinary(Vector);
    parameters = "Name=Valentin&Group=STU&DateTime=123014062007&URL=http://www.pymblelc.nsw.edu.au/PLC/pymble-members/sport--pymble/sports--pymble_home.cfm";
    remain = len(parameters) MOD 8;

    encrypted = encrypt(parameters, theKey, "DES/CBC/PKCS5Padding", "BASE64", baseVector);
    decrypted = decrypt(encrypted, theKey, "DES/CBC/PKCS5Padding", "BASE64", baseVector);
</cfscript>

<cfoutput>
Click <a href="http://localhost:8080/plc2.aspx?Q=#CleanString(encrypted)#">here</a> to go to a .NET site<br />
#encrypted#<br />
#decrypted#
</cfoutput>

</body>
</html>

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

csandersii — Fri, 15 Jun 2007 18:06:21 GMT

I've been able to do the decrypt on the .net side that decrypts the previous encryption, but unable to get the encryption of the coldfusion that decrypts correctly - getting "Bad Data" error.

Can you show the proper encrypt function in Coldfusion....??

Cheers

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

valekm — Thu, 14 Jun 2007 05:52:43 GMT

And yes.. I forgot.. The code I put solves the reverse problem.

Change Encrypt on Decrypt in coldfusion and FromBase64String to EncryptToBase64String to DecryptFromBase64String in .NET and adjust the code. This should solve your.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

valekm — Thu, 14 Jun 2007 05:49:17 GMT

ASP code to place a link

<%@ Page Language="VB" Debug="true" %>

<%@ Import Namespace="System.IO" %>

<%@ Import Namespace="System.Text" %>

<%@ Import Namespace="System.Security.Cryptography" %>

Public Class Encryption64

' Use DES CryptoService with Private key pair

Private key() As Byte = {} ' we are going to pass in the key portion in our method calls

Private IV() As Byte = {80,108,67,75,101,121,87,83} 'this is the same as in the CF Code = PlCKeyWS

Public Function DecryptFromBase64String(ByVal stringToDecrypt As String, ByVal sEncryptionKey As String) As String

Dim inputByteArray(stringToDecrypt.Length) As Byte

' Note: The DES CryptoService only accepts certain key byte lengths

' We are going to make things easy by insisting on an 8 byte legal key length

Try

key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))

Dim des As New DESCryptoServiceProvider()

' we have a base 64 encoded string so first must decode to regular unencoded (encrypted) string

inputByteArray = Convert.FromBase64String(stringToDecrypt)

' now decrypt the regular string

Dim ms As New MemoryStream()

Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write)

cs.Write(inputByteArray, 0, inputByteArray.Length)

cs.FlushFinalBlock()

Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8

Return encoding.GetString(ms.ToArray())

Catch e As Exception

Return e.Message

End Try

End Function

Public Function EncryptToBase64String(ByVal stringToEncrypt As String, ByVal SEncryptionKey As String) As String

Try

key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))

Dim des As New DESCryptoServiceProvider()

' convert our input string to a byte array

Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(stringToEncrypt)

'now encrypt the bytearray

Dim ms As New MemoryStream()

Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write)

cs.Write(inputByteArray, 0, inputByteArray.Length)

cs.FlushFinalBlock()

' now return the byte array as a "safe for XMLDOM" Base64 String

Return Convert.ToBase64String(ms.ToArray())

Catch e As Exception

Return e.Message

End Try

End Function

End Class

Function CleanString(ByVal str As String) As String

Dim clean As String

' clean the pluses and forward slashes that appear in the BASE64encoding

clean = str.replace("+", "%2B")

clean = clean.replace("/", "%2F")

Return clean

End Function

Private enc As New Encryption64

'Private newEncryptedData As String = enc.EncryptToBase64String("32132112", "pLcWe851tEpLcWe851tEPLCW")

Private EncryptedData As String = enc.EncryptToBase64String("Name=Valentin&Group=STUDENT&DateTime=123014062007&URL=http://google.com", "ABCDEFGH")

Private b64EncryptedData = Convert.FromBase64String(EncryptedData)

Private newEncryptedData = CleanString(EncryptedData)

</script>

Logged in members can go to <a href="http://test.sneezy.gruden.int/cf8_17.cfm?P=<%=newEncryptedData%>">Sport Section</a>

Coldfusion code to decrypt the link:

theKey = ToBase64("ABCDEFGH");

Vector = ToBase64("PlCKeyWS");

baseVector = ToBinary(Vector);

decrypted = decrypt(URL.P, theKey, "DES/CBC/NoPadding", "BASE64", baseVector);

parameters = ListToArray(decrypted, "&");

</cfscript>

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

shah_a — Tue, 20 Mar 2007 12:31:33 GMT

Did anyone ever find a resolution to this problem? I'm also dealing with the same issue - moving ColdFusion encrypted passwords to an ASP.net system.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

bigBrain — Fri, 16 Jun 2006 03:51:03 GMT

I have the same problem and I've tried all of the suggestions here, but nothing seems to work. The ColdFusion encrytion looks like this ~39:G:UM;:KB@~01~50~10 while the .Net encryption looks like this 32312kl3123119909.

Please help

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

duncan16 — Sun, 21 Aug 2005 04:50:02 GMT

I'm a mediocre ASP.NET w/ VB.NET backend experience.... Learned it via OTJT and still develop in it for fun right now. I'm just starting to learn ColdFusion MX 6.1 for a new job that I'm trying to get.

The original poster was asking about the Hash() function. The answer is that the user is having their passwords hashed in an MD5 encryption. To do this same encryption under ASP.NET with VB.NET Passwords, they should look up the "HashPasswordsForStoringInConfigFile('<Password>','<HashMethod>')" function. What happens is that this is burried about 6 levels from the main system.web..... structure.

The user will need to put the password in the password spot, and the phrase "md5" in the HashMethod spot. The generated hash strings will be exactly the same.

Let me know if this helps.

--Duncan

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

ToAoM — Thu, 16 Oct 2003 00:28:28 GMT

Encryption in Coldfusion uses DES with a user specified seed. I'm not sure if it also Xors every bit with it's position, at least that is used in some other routines within coldfusion.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

tanya? — Thu, 04 Sep 2003 19:16:51 GMT

Encryption in ColdFusion uses the same "crypt" algorithm in Unix. I'm not sure what is the official name.

Tanya?

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

adec — Tue, 20 May 2003 08:22:12 GMT

You'll have to find out what kind of encryption is being used. If it is one of the common hash algorithms used:

MD5
SHA1
SHA256
SHA384
SHA512

then you'll have a chance of solving this. Otherwise this can become very tricky and the best (and only) solution may be to reissue passwords to the clients.

If symmetric Encryption Algorithms are use, you need to find the keys used to generate the passwords and then, maybe, you can solve.

This is the price you'll have to pay for enhanced security. I would probably drop all the old passwords and generate new encrypted ones, which you mail to the clients and urge them to change them at their first convienient opportunity.

Re: Decrypting passwords encrypted using Cold Fusion Encrypt

Felicity — Tue, 20 May 2003 00:17:38 GMT

That's the problem: I don't know the algorithm. I was told that the password is encrypted using the function <cfset password=#encrypt((password), user_id)#> and I thought that perhaps Cold Fusion has a built-in encrypt function (I have never used Cold Fusion and don't know anything about it actually).