ColdFusion - cfusion_encrypt() and cfusion_decrypt() - C# alternative

I have a database with user passwords that are encrypted through cfusion_encrypt(). I need to make a login alternative for ColdFusion code in C#. Is there an easy way to emulate this in C# so that I can compare the encrypted values of user passwords and match them with ColdFusion values?

+1
4 answers

The poorly named cfusion_encrypt() is not encryption at all. This is an internal, inherited obfuscation algorithm, the use of which is greatly discouraged.

In fact, it just XORs bytes, similar to the method described here (ignore the mention of cfmx_compat; that is another obsolete algorithm). It extracts the bytes of the plain-text string. It then pads the supplied key string to the same length and again extracts the bytes. Finally, it XORs the two byte arrays and encodes the result as hex:

    // xor bytes
    byte[] results = new byte[textBytes.Length];
    for (int i = 0; i < textBytes.Length; i++) {
        results[i] = (byte)(textBytes[i] ^ keyBytes[i]);
    }
    // encode result as hex
    String hexResult = BitConverter.ToString(results).Replace("-", "");

The cfusion_decrypt() function does essentially the same thing, except that it decodes the hexadecimal string into bytes first and returns the "de-obfuscated" result as a plain string instead of hex.

Now you can understand why its use is not recommended. As suggested by @MartyPine et al, the best option is to make a backup on the CF side, then run the passwords through cfusion_decrypt and hash() them instead. This is not only the best way to store passwords, but it also gives compatibility with C# or any other language that supports standard algorithms.

+8

This may not answer your question, but as far as I can tell, the best thing to do is to code a ColdFusion loop that will:

  • cfusion_decrypt() the passwords
  • hash the passwords in a C# format

I don't know of any C# equivalents for cfusion_decrypt and cfusion_encrypt, but hopefully people here can point you to one.

+3

If you need the built-in, undocumented "cfusion_encrypt" and "cfusion_decrypt" functions that Adobe tacitly deprecated in ColdFusion 11, a developer converted them to UDFs back in 2005.

http://www.barneyb.com/barneyblog/2005/10/28/cfusion_encryptcfusion_decrypt-udfs/

    <cfscript>
    // XOR two integers: add their binary-digit strings as decimal numbers,
    // then turn every digit 2 (1 + 1) into 0.
    function binaryXOR(n1, n2){
        n1 = formatBaseN(n1, 2);
        n2 = formatBaseN(n2, 2);
        return inputBaseN(replace(n1 + n2, 2, 0, "all"), 2);
    }

    // XOR each character with the repeated key and emit two hex digits per character.
    function fusion_encrypt(string, key){
        var i = "";
        var result = "";
        key = repeatString(key, ceiling(len(string) / len(key)));
        for (i=1;i LTE len(string);i=i+1) {
            result = result & rJustify(formatBaseN(binaryXOR(asc(mid(string, i, 1)), asc(mid(key, i, 1))), 16), 2);
        }
        return ucase(replace(result, " ", "0", "all"));
    }

    // Read two hex digits at a time and XOR them with the repeated key.
    function fusion_decrypt(string, key){
        var i = "";
        var result = "";
        key = repeatString(key, ceiling(len(string) / 2 / len(key)));
        for (i=2;i LTE len(string);i=i+2) {
            result = result & chr(binaryXOR(inputBaseN(mid(string, i - 1, 2), 16), asc(mid(key, i / 2, 1))));
        }
        return result;
    }
    </cfscript>

Here's an example script on how to test it:

    <cfset key = "test">
    <cfoutput>
    <table border=1 cellspacing=0>
    <thead>
    <tr><th>String</th>
        <th>cfusion_encrypt</th>
        <th>fusion_encrypt</th>
        <th>cfusion_decrypt</th>
        <th>fusion_decrypt</th>
    </tr>
    </thead>
    <tbody>
    <cfloop list="Adobe,ColdFusion,is,damn cool!" index="i">
    <tr>
        <td>#i#</td>
        <td><cftry>#cfusion_encrypt(i, key)#<cfcatch>ERROR</cfcatch></cftry></td>
        <td><cftry>#fusion_encrypt(i, key)#<cfcatch>ERROR</cfcatch></cftry></td>
        <td><cftry>#cfusion_decrypt(cfusion_encrypt(i, key), key)#<cfcatch>ERROR</cfcatch></cftry></td>
        <td><cftry>#fusion_decrypt(fusion_encrypt(i, key), key)#<cfcatch>ERROR</cfcatch></cftry></td>
    </tr>
    </cfloop>
    </tbody>
    </table>
    </cfoutput>

+3
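
An added C# example, not code from any of the answers: it combines the XOR-and-hex scheme from the first answer with the key repetition used by the UDF above, then performs the "de-obfuscate, then hash" migration the first answer recommends. Assumptions: .NET 6 or later, single-byte characters (as with the UDF's asc()/chr()), and PBKDF2 with the parameters shown as this example's choice of hash; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CfusionCompat
{
    // Assumption: one byte per character, mirroring the asc()/chr() based UDF.
    static readonly Encoding Enc = Encoding.GetEncoding("ISO-8859-1");

    // XOR every data byte with the key, repeating the key as often as needed.
    static byte[] Xor(byte[] data, byte[] key)
    {
        if (key.Length == 0) throw new ArgumentException("key must not be empty");
        var result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ key[i % key.Length]);
        return result;
    }

    // Plain text -> upper-case hex, as the UDF's fusion_encrypt produces.
    public static string Obfuscate(string text, string key) =>
        BitConverter.ToString(Xor(Enc.GetBytes(text), Enc.GetBytes(key))).Replace("-", "");

    // Hex -> plain text; rejects input that cannot be a whole number of bytes.
    public static string Deobfuscate(string hex, string key)
    {
        if (hex.Length % 2 != 0) throw new FormatException("odd-length hex string");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return Enc.GetString(Xor(bytes, Enc.GetBytes(key)));
    }

    // Migration step: replace the reversible value with a salted one-way hash.
    public static (byte[] Salt, byte[] Hash) Rehash(string storedHex, string key)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        string password = Deobfuscate(storedHex, key);
        return (salt, Rfc2898DeriveBytes.Pbkdf2(password, salt, 210_000, HashAlgorithmName.SHA512, 32));
    }

    static void Main()
    {
        // Constructed sample: a string and the key "test" from the test script above.
        string stored = Obfuscate("Adobe", "test");
        Console.WriteLine($"{stored} -> {Deobfuscate(stored, "test")}");
        var (salt, hash) = Rehash(stored, "test");
        Console.WriteLine($"{Convert.ToHexString(salt)}:{Convert.ToHexString(hash)}");
    }
}
```

Compare the output of Obfuscate against a few values produced by the ColdFusion test script before relying on it for a migration, since the built-in function is undocumented.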

Probably the easiest solution is to create a ColdFusion service layer that will interact with your db, but you will, of course, need to deal with security for this service if you want to keep the passwords as they are now.

If you do not want a CF service layer, then you need to find out what encryption is used. If this is one of the common hashing algorithms (MD5, SHA1, SHA256, SHA384, SHA512), then you will have a chance to solve this.

I found an old article at www.fusionauthority.com that says:

CFusion_Encrypt() / CFusion_Decrypt() are "administrative" in ColdFusion and are not documented anywhere other than here. Allaire does not offer to use them and does not support using them.

+1

Source: https://habr.com/ru/post/1202321/

