Decrypting passwords encrypted using Cold Fusion Encrypt

Last post 11-10-2008 1:37 PM by csandersii. 16 replies.

  • Decrypting passwords encrypted using Cold Fusion Encrypt

    05-19-2003, 8:11 AM
    • Member
      10 point Member
    • Felicity
    • Member since 04-22-2003, 2:10 AM
    • Posts 2
    How do I decrypt passwords (using ASP .NET ) that have been encrypted using the Cold Fusion Encrypt function and stored in a database? I need to do that in order to authenticate a user.

    thanks!
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    05-19-2003, 8:48 AM
    • Star
      12,495 point Star
    • adec
    • Member since 06-15-2002, 2:12 PM
    • Malmoe, Sweden
    • Posts 2,491
    Which Algorithm is used to Encrypt your passwords? (SHA1 etc)
    Regards

    Andre Colbiornsen
    ---------------------------------
    Seventh Day
    Råbygatan 1A,
    SE-223 61 Lund
    Sweden
    Mob.: +46-(0)708-97 78 79
    Mail: info@seventhday.se
    --------------------------------
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    05-19-2003, 8:17 PM
    • Member
      10 point Member
    • Felicity
    • Member since 04-22-2003, 2:10 AM
    • Posts 2
    That's the problem: I don't know the algorithm. I was told that the password is encrypted using the function <cfset password=#encrypt((password), user_id)#> and I thought that perhaps Cold Fusion has a built-in encrypt function (I have never used Cold Fusion and don't know anything about it actually).
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    05-20-2003, 4:22 AM
    • Star
      12,495 point Star
    • adec
    • Member since 06-15-2002, 2:12 PM
    • Malmoe, Sweden
    • Posts 2,491
    You'll have to find out what kind of encryption is being used. If it is one of the common hash algorithms used:

    MD5
    SHA1
    SHA256
    SHA384
    SHA512

    then you'll have a chance of solving this. Otherwise this can become very tricky and the best (and only) solution may be to reissue passwords to the clients.

    If symmetric Encryption Algorithms are used, you need to find the keys used to generate the passwords and then, maybe, you can solve.

    This is the price you'll have to pay for enhanced security. I would probably drop all the old passwords and generate new encrypted ones, which you mail to the clients and urge them to change them at their first convenient opportunity.
    Regards

    Andre Colbiornsen
    ---------------------------------
    Seventh Day
    Råbygatan 1A,
    SE-223 61 Lund
    Sweden
    Mob.: +46-(0)708-97 78 79
    Mail: info@seventhday.se
    --------------------------------
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    09-04-2003, 3:16 PM
    • Member
      140 point Member
    • tanya?
    • Member since 08-07-2003, 3:37 PM
    • Posts 28
    Encryption in ColdFusion uses the same "crypt" algorithm in Unix. I'm not sure what is the official name.

    Tanya?
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    10-15-2003, 8:28 PM
    • Member
      25 point Member
    • ToAoM
    • Member since 10-15-2003, 8:22 PM
    • Posts 5
    Encryption in Coldfusion uses DES with a user specified seed. I'm not sure if it also Xors every bit with its position, at least that is used in some other routines within coldfusion.
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    08-21-2005, 12:50 AM
    • Member
      10 point Member
    • duncan16
    • Member since 10-26-2003, 7:57 PM
    • Reading, PA
    • Posts 2
    I'm a mediocre ASP.NET w/ VB.NET backend experience.... Learned it via OTJT and still develop in it for fun right now.  I'm just starting to learn ColdFusion MX 6.1 for a new job that I'm trying to get.


    The original poster was asking about the Hash() function.  The answer is that the user is having their passwords hashed in an MD5 encryption.  To do this same encryption under ASP.NET with VB.NET Passwords, they should look up the "HashPasswordsForStoringInConfigFile('<Password>','<HashMethod>')" function.  What happens is that this is buried about 6 levels from the main system.web..... structure.

    The user will need to put the password in the password spot, and the phrase "md5" in the HashMethod spot.  The generated hash strings will be exactly the same.

    Let me know if this helps.

    --Duncan

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-15-2006, 11:51 PM
    • Member
      5 point Member
    • bigBrain
    • Member since 06-16-2006, 3:45 AM
    • Posts 1

    I have the same problem and I've tried all of the suggestions here, but nothing seems to work.  The ColdFusion encryption looks like this ~39:G:UM;:KB@~01~50~10 while the .Net encryption looks like this 32312kl3123119909.

    Please help

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    03-20-2007, 8:31 AM
    • Member
      2 point Member
    • shah_a
    • Member since 03-20-2007, 12:30 PM
    • Posts 3
    Did anyone ever find a resolution to this problem? I'm also dealing with the same issue - moving ColdFusion encrypted passwords to an ASP.net system.
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-14-2007, 1:49 AM
    • Member
      16 point Member
    • valekm
    • Member since 06-14-2007, 5:41 AM
    • Posts 3

    ASP code to place a link

    <%@ Page Language="VB" Debug="true" %> 
    <%@ Import Namespace="System.IO" %> 
    <%@ Import Namespace="System.Text" %> 
    <%@ Import Namespace="System.Security.Cryptography" %> 
     
    <script runat=server language=vbscript> 
    Public Class Encryption64 
        ' Use DES CryptoService with Private key pair 
        Private key() As Byte = {} ' we are going to pass in the key portion in our method calls 
        Private IV() As Byte = {80,108,67,75,101,121,87,83} 'this is the same as in the CF Code = PlCKeyWS
         
     
        Public Function DecryptFromBase64String(ByVal stringToDecrypt As String, ByVal sEncryptionKey As String) As String 
            Dim inputByteArray(stringToDecrypt.Length) As Byte 
            ' Note: The DES CryptoService only accepts certain key byte lengths 
            ' We are going to make things easy by insisting on an 8 byte legal key length 
     
            Try 
                key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8)) 
                Dim des As New DESCryptoServiceProvider() 
                ' we have a base 64 encoded string so first must decode to regular unencoded (encrypted) string 
                inputByteArray = Convert.FromBase64String(stringToDecrypt) 
                ' now decrypt the regular string 
                Dim ms As New MemoryStream() 
                Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write) 
                cs.Write(inputByteArray, 0, inputByteArray.Length) 
                cs.FlushFinalBlock() 
                Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8 
                Return encoding.GetString(ms.ToArray()) 
            Catch e As Exception 
                Return e.Message 
            End Try 
        End Function 
     
        Public Function EncryptToBase64String(ByVal stringToEncrypt As String, ByVal SEncryptionKey As String) As String 
            Try 
                key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8)) 
                Dim des As New DESCryptoServiceProvider() 
                ' convert our input string to a byte array 
                Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(stringToEncrypt) 
                'now encrypt the bytearray 
                Dim ms As New MemoryStream() 
                Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write) 
                cs.Write(inputByteArray, 0, inputByteArray.Length) 
                cs.FlushFinalBlock() 
                ' now return the byte array as a "safe for XMLDOM" Base64 String 
                Return Convert.ToBase64String(ms.ToArray()) 
            Catch e As Exception 
                Return e.Message 
            End Try 
        End Function 
     
    End Class 
     
    Function CleanString(ByVal str As String) As String 
        Dim clean As String 
        ' clean the pluses and forward slashes that appear in the BASE64encoding 
        clean = str.replace("+", "%2B")
        clean = clean.replace("/", "%2F")
        Return clean 
    End Function 
     
    Private enc As New Encryption64 
    'Private newEncryptedData As String = enc.EncryptToBase64String("32132112", "pLcWe851tEpLcWe851tEPLCW")
    Private EncryptedData As String = enc.EncryptToBase64String("Name=Valentin&Group=STUDENT&DateTime=123014062007&URL=http://google.com", "ABCDEFGH")
    Private b64EncryptedData = Convert.FromBase64String(EncryptedData) 
    Private newEncryptedData = CleanString(EncryptedData) 
    </script> 
     
    Logged in members can go to <a href="http://test.sneezy.gruden.int/cf8_17.cfm?P=<%=newEncryptedData%>">Sport Section</a> 

     

    Coldfusion code to decrypt the link:

     <cfscript> 
        theKey = ToBase64("ABCDEFGH"); 
        Vector = ToBase64("PlCKeyWS"); 
        baseVector = ToBinary(Vector); 
        decrypted = decrypt(URL.P, theKey, "DES/CBC/NoPadding", "BASE64", baseVector);
        parameters = ListToArray(decrypted, "&"); 
    </cfscript> 
     
    <cfdump var="#parameters#">
  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-14-2007, 1:52 AM
    • Member
      16 point Member
    • valekm
    • Member since 06-14-2007, 5:41 AM
    • Posts 3

    And yes.. I forgot.. The code I put solves the reverse problem.

    Change Encrypt on Decrypt in coldfusion and  FromBase64String to EncryptToBase64String to DecryptFromBase64String in .NET and adjust the code. This should solve your.

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-15-2007, 2:06 PM
    • Member
      6 point Member
    • csandersii
    • Member since 06-14-2007, 11:40 AM
    • Posts 3

    I've been able to do the decrypt on the .net side that decrypts the previous encryption, but unable to get the encryption of the coldfusion that decrypts correctly - getting "Bad Data" error.

     Can you show the proper encrypt function in Coldfusion....??
     

     

     Cheers
     

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-15-2007, 7:40 PM
    Answer
    • Member
      16 point Member
    • valekm
    • Member since 06-14-2007, 5:41 AM
    • Posts 3

    As it turned out, replacing encrypt with decrypt did not help the problem.

    You should also change the padding setting in coldfusion. See the reverse code below:

    .NET

     

    <html>
       <head>
       </head>

       <body>

    <%@ Page Language="VB" Debug="true" %>
    <%@ Import Namespace="System.IO" %>
    <%@ Import Namespace="System.Text" %>
    <%@ Import Namespace="System.Security.Cryptography" %>

    <script runat=server language=vbscript>
    Public Class Encryption64

        ' Use DES CryptoService with Private key pair
        Private key() As Byte = {} ' we are going to pass in the key portion in our method calls
        Private IV() As Byte = {80,108,67,75,101,121,87,83}
       

        Public Function DecryptFromBase64String(ByVal stringToDecrypt As String, ByVal sEncryptionKey As String) As String
            Dim inputByteArray(stringToDecrypt.Length) As Byte
            ' Note: The DES CryptoService only accepts certain key byte lengths
            ' We are going to make things easy by insisting on an 8 byte legal key length

            Try
                key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))
                Dim des As New DESCryptoServiceProvider()
                ' we have a base 64 encoded string so first must decode to regular unencoded (encrypted) string
                inputByteArray = Convert.FromBase64String(stringToDecrypt)
                ' now decrypt the regular string
                Dim ms As New MemoryStream()
                Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write)
                cs.Write(inputByteArray, 0, inputByteArray.Length)
                cs.FlushFinalBlock()
                Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8
                Return encoding.GetString(ms.ToArray())
            Catch e As Exception
                Return e.Message
            End Try
        End Function

        Public Function EncryptToBase64String(ByVal stringToEncrypt As String, ByVal SEncryptionKey As String) As String
            Try
                key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))
                Dim des As New DESCryptoServiceProvider()
                ' convert our input string to a byte array
                Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(stringToEncrypt)
                'now encrypt the bytearray
                Dim ms As New MemoryStream()
                Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write)
                cs.Write(inputByteArray, 0, inputByteArray.Length)
                cs.FlushFinalBlock()
                ' now return the byte array as a "safe for XMLDOM" Base64 String
                Return Convert.ToBase64String(ms.ToArray())
            Catch e As Exception
                Return e.Message
            End Try
        End Function

    End Class

    Function CleanString(ByVal str As String) As String
        Dim clean As String
        ' clean the pluses and forward slashes that appear in the BASE64encoding
        clean = str.replace("+", "%2B")
        clean = clean.replace("/", "%2F")
        Return clean
    End Function

    Function DecryptData()
        Dim enc As New Encryption64
        Dim base64encr As String = Request.QueryString("Q")
        Dim DecryptedData As String = enc.DecryptFromBase64String(base64encr, "ABCDEFGH")
        Return DecryptedData
    End Function

    </script>
        <%=DecryptData()%>
       </body>
    </html>

    ColdFusion

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

    <html>
    <head>
        <title>Untitled</title>
    </head>

    <body>
    <cfscript>
        function CleanString(str) {
            str = replace(str, "+", "%2B", "all");
            str = replace(str, "/", "%2F", "all");
            return str;
        }
        theKey = ToBase64("ABCDEFGH");
        Vector = ToBase64("PlCKeyWS");
        baseVector = ToBinary(Vector);
        parameters = "Name=Valentin&Group=STU&DateTime=123014062007&URL=http://www.pymblelc.nsw.edu.au/PLC/pymble-members/sport--pymble/sports--pymble_home.cfm";
        remain = len(parameters) MOD 8;
       
        encrypted = encrypt(parameters, theKey, "DES/CBC/PKCS5Padding", "BASE64", baseVector);
        decrypted = decrypt(encrypted, theKey, "DES/CBC/PKCS5Padding", "BASE64", baseVector);
    </cfscript>

    <cfoutput>
    Click <a href="http://localhost:8080/plc2.aspx?Q=#CleanString(encrypted)#">here</a> to go to a .NET site<br />
    #encrypted#<br />
    #decrypted#
    </cfoutput>

    </body>
    </html>
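
The padding mismatch behind the "Bad Data" error in this thread, modelled as an added example (not code from any poster): .NET's DES provider defaults to PKCS7 padding, which for 8-byte blocks is the same as ColdFusion's PKCS5Padding, so a NoPadding sender leaves the receiver with a final block that fails the padding check. The cipher itself is left out; the functions act on the bytes each side sees before encryption and after decryption, and all function names and sample strings are constructed for illustration.

```python
BLOCK = 8  # DES block size in bytes

def pkcs5_pad(data: bytes) -> bytes:
    """PKCS5Padding (CF/Java) and PaddingMode.PKCS7 (.NET) agree for 8-byte blocks."""
    n = BLOCK - len(data) % BLOCK          # 1..8; a whole extra block if already aligned
    return data + bytes([n]) * n

def pkcs5_unpad(data: bytes) -> bytes:
    """Strict unpadding, as a PKCS7 decryptor applies to the last decrypted block."""
    if not data or len(data) % BLOCK:
        raise ValueError("Bad Data: not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Bad Data: invalid padding bytes")
    return data[:-n]

def sender_bytes(plaintext: bytes, mode: str) -> bytes:
    """Bytes the sender feeds into the block cipher."""
    if mode == "PKCS5Padding":
        return pkcs5_pad(plaintext)
    if len(plaintext) % BLOCK:             # NoPadding cannot encrypt a partial block
        raise ValueError("NoPadding needs block-aligned input")
    return plaintext

def receiver_bytes(blocks: bytes, mode: str) -> bytes:
    """Bytes the receiver hands back to the application after decryption."""
    return pkcs5_unpad(blocks) if mode == "PKCS5Padding" else blocks

def round_trip(plaintext: bytes, sender: str, receiver: str):
    """Return (True, recovered bytes) or (False, error message)."""
    try:
        return True, receiver_bytes(sender_bytes(plaintext, sender), receiver)
    except ValueError as exc:
        return False, str(exc)

SAMPLE = b"Name=Valentin&Group=STU"     # constructed sample, 23 bytes
ALIGNED = b"Name=Valentin&Group=STUD"   # constructed sample, 24 bytes (3 blocks)

if __name__ == "__main__":
    for text, s, r in [(SAMPLE, "PKCS5Padding", "PKCS5Padding"),
                       (ALIGNED, "NoPadding", "PKCS5Padding"),
                       (SAMPLE, "PKCS5Padding", "NoPadding"),
                       (SAMPLE, "NoPadding", "NoPadding")]:
        print(f"{s:>12} -> {r:<12} {round_trip(text, s, r)}")
```

The third case is the quiet failure: a NoPadding receiver accepts padded data and returns the padding bytes as part of the plaintext, so the last parsed parameter carries trailing garbage.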

     

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    06-18-2007, 10:21 AM
    • Member
      6 point Member
    • csandersii
    • Member since 06-14-2007, 11:40 AM
    • Posts 3

     thanks valekm, it was the padding setting in CF that was throwing me off

  • Re: Decrypting passwords encrypted using Cold Fusion Encrypt

    05-22-2008, 5:07 PM
    • Member
      2 point Member
    • fairfaxva
    • Member since 05-22-2008, 8:58 PM
    • Posts 1

    valekm, thank you for sharing your code.  I am struggling to pass encrypted data between .NET 2.0 and coldfusion 6.1.  In your coldfusion example above, the decrypt() has 5 parameters, but in coldfusion 6.1MX, the decrypt function has only two.   Do you know how I can decrypt in CF 6.1 version?  I looked at the documentation of the function and it only takes the stringToDecrypt and key only.  Thanks.
