
Decryption - Arrgghh!

Guest
Feb 25, 2010

I'm having some difficulty trying to decrypt some passwords to move from one application to another [using different encryption] ... can anyone help with this

<cfscript>

rc4key = '823hjdFD00fQFSDFJweru87fsj34FS'; // plain text encryption key

passhex = '668413106F51AB'; // hex encoded password [should return test123]

EncryptedPassword = ToBase64(BinaryDecode(passhex, "Hex"));

writeoutput(EncryptedPassword); // returns ZoQTEG9Rqw==  which is base64 ?!?!?

DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex'); //throws an error

writeoutput(DecryptedPassword);

</cfscript>

And the error I get is:

An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

I just don't know what is not happening here, I've tested the key and password at http://crypto.hurlant.com/demo/ and gotten what I expect are correct results....  see attached.....

can anyone help?

-sean

screen.jpg

TOPICS
Advanced techniques
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Feb 26, 2010

What version of CF do you have?  As far as I know RC4 is not available in the standard edition.  You need either Enterprise or additional providers installed.

Cheers

Guest
Feb 26, 2010


I'm 99.9% sure RC4 is available on my server ....  I've added the extra security provider package for [see here: http://kb2.adobe.com/cps/546/e546373d.html ] and if I tail the cfserver log I get:

01/11 15:08:23 Information [main] - Installed JSafe JCE provider: Version 3.6 RSA Security Inc. Crypto-J JCE Security Provider (implements RSA, DSA, Diffie-Hellman, AES, DES, Triple DES, DESX, RC2, RC4, RC5, PBE, MD2, MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC-MD5, HMAC-RIPEMD160, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512)

If I, #encrypt("killbill","RC4")#, I get "(?)Y0GXZT5_,"

so I am assuming RC4 is working....

-sean

[CF8 Enterprise]

Community Expert
Feb 27, 2010

The following test works. It may contain something for you.

<cfscript>
rc4key = generatesecretkey("RC4");
writeoutput("CF-generated RC4 key: " & rc4key & "<br>");

password = "test123";
EncryptedPassword = encrypt(password,rc4key,"RC4","hex");
writeoutput("Encrypted password: " & EncryptedPassword & "<br>");
DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex');
writeoutput("Decrypted password: " & DecryptedPassword);
</cfscript>

Guest
Feb 27, 2010

Hi;

yes - it does work, but when I substitute my existing key [ rc4key = '823hjdFD00fQFSDFJweru87fsj34FS'; ] I get the error:

An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

ok, soooo the problem is with the key?

-sean

Community Expert
Feb 27, 2010

sean69 wrote:

An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

ok, soooo the problem is with the key?

Indeed, the problem is likely with the key. I would just take Coldfusion's insurance policy,

rc4key = generatesecretkey("RC4");

and then store the value somewhere.

Guest
Feb 27, 2010

wherein lies the problem, I am migrating customers from one store application [Candypress - asp pages] to a completely new application since there is about 9000 of them it would be nice to be able to script the passwords.... [stored as plain text in the new application]

-sean

Community Expert
Feb 28, 2010

sean69 wrote:

wherein lies the problem, I am migrating customers from one store application [Candypress - asp pages] to a completely new application since there is about 9000 of them it would be nice to be able to script the passwords.... [stored as plain text in the new application]

No problem. Just let Coldfusion generate the RC4 keys for you.

Guest
Feb 28, 2010

I don't understand how that would help.

I'm trying to migrate the passwords as well, not change them. all I have is the encrypted password and the key to start with.

-sean

Community Expert
Feb 28, 2010

I'm trying to migrate the passwords as well

Ah. That wasn't clear to me. In any case, I doubt whether '823hjdFD00fQFSDFJweru87fsj34FS' is an RC4 key.

Guest
Feb 28, 2010

You can test the key at http://crypto.hurlant.com/demo/

screenshot in first post...it seems to work so if there is a problem with it, I'm not sure what it could be??

-sean

Engaged
Mar 08, 2010

It wants to "base64decode" the string.

So... simply send it a base64-encoding of the string.  Let the parameter be a function-call which encodes the actual key so that CF can happily decode it again.

Guest
Mar 08, 2010

nope - sorry, I don't understand your reply....

"It wants to "base64decode" the string." - which string, what is it?

"simply send it a base64-encoding of the string" ??

-if you are suggesting the passwords, I don't have a decrypted version of the passwords....

can you illustrate with a line or two of code?

-thanks

-sean

Engaged
Mar 11, 2010

What I'm saying is... I've found that a couple of the crypto functions expect to receive a base64-encoded string.  They croak if they don't get one.

So, if what you've actually got is "the actual string," i.e. not base64-encoded, and you need to pass that string to the function, simply give it what it wants:  let the parameter simply be toBase64(your_known_string).  You hand the function the encoded version of your_known_string so that it can immediately decode it again ... producing your_known_string ... and everybody's happy now.

Guest
Mar 11, 2010

I still don't see what you are saying, have you tested with any code???

all I have is the rc4key = '823hjdFD00fQFSDFJweru87fsj34FS' - used to originally encrypt the passwords,  and the encrypted password = '668413106F51AB'  in this one and only case I happen to know that password is 'test123'

you can see in my original post that someone has figured it out, I can decode passwords one by one using that app,  just have not been able to figure it out here...

-sean

Engaged
Mar 15, 2010

You may find that an algorithm which accepts an RC4 key expects it to be base64 encoded.  "So," all I'm saying is, "if that is the case, then base64 encode it so that CF can immediately base64 decode it again."  In this way, you pass the necessary string into the function.

Guest
Mar 15, 2010

so you are suggesting something like:

passhex = '668413106F51AB';

rc4key = toBase64('823hjdFD00fQFSDFJweru87fsj34FS');

writeoutput(Decrypt( passhex, rc4key, 'RC4','Hex'));

Which gives me a "The key specified is not a valid key for this encryption: Illegal key size or default parameters." error.

-sean

Engaged
Mar 16, 2010

That is indeed what I was suggesting.

but ...

are you sure that the fourth parameter to Decrypt() should be 'hex'?  I don't know the answer to that.  Is this supposed to represent the encoding of the data string, or of the key?

Guest
Mar 16, 2010

I really don't have a clue.....


New Here
Oct 13, 2010

Sean -

Did you ever happen to figure this out?  If so, what was the issue?

Thanks,

Neal

Guest
Oct 14, 2010

nope - never figured it out...  sorry

New Here
Oct 14, 2010

Yeah, I gave up as well.  Decided to use this function:

http://www.cflib.org/udf/RC4


Valorous Hero
Oct 17, 2010

I am not very familiar with RC4, but this seems to work fine for me. ie Returns the same results as the online demo.

<cfscript>
    // convert plain text key to base64
    rc4key = '823hjdFD00fQFSDFJweru87fsj34FS';
    keyBytes = charsetDecode(rc4key, "utf8");
    keyBase64 = BinaryEncode(keyBytes, "base64");

    //encrypt it and return value as HEX...
    encrypted = Encrypt("test123", keyBase64, 'RC4', 'hex');
    WriteOutput("encrypted="& encrypted &"<br>");

    // decrypt value
    decrypted = Decrypt( encrypted, keyBase64, 'RC4', 'Hex');
    WriteOutput("decrypted="& decrypted &"<br>");
</cfscript>

If I, #encrypt("killbill","RC4")#, I get "(?)Y0GXZT5_,"

so I am assuming RC4 is working....

BTW: The algorithm name is in the wrong position. So it is just using the default CFMX_COMPAT.

Message was edited by: -==cfSearching==-
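The key handling this post works around, modelled in Python as an added example (not code from the thread or from ColdFusion): it assumes, as the thread reports, that `Decrypt()` base64-decodes its key argument, and shows why the raw 30-character key is rejected while the base64 of its UTF-8 bytes is accepted. The function names are illustrative.

```python
import base64
import binascii

LEGACY_KEY = "823hjdFD00fQFSDFJweru87fsj34FS"  # plain-text key from the thread
SAMPLE_HEX = "668413106F51AB"                  # hex ciphertext from the thread


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_key(key_string: str) -> bytes:
    """Assumption: the key argument is base64 text, as the thread reports."""
    try:
        return base64.b64decode(key_string, validate=True)
    except binascii.Error as exc:
        # 30 characters is not a multiple of 4, so the raw key is not valid base64
        raise ValueError(f'Can not decode string "{key_string}"') from exc


def to_key_argument(text_key: str) -> str:
    """Base64 of the key's UTF-8 bytes (charsetDecode + BinaryEncode in the post)."""
    return base64.b64encode(text_key.encode("utf-8")).decode("ascii")


def decrypt_hex(cipher_hex: str, key_string: str) -> bytes:
    """Hex-decode the data, base64-decode the key, then run RC4."""
    return rc4(decode_key(key_string), bytes.fromhex(cipher_hex))


if __name__ == "__main__":
    try:
        decrypt_hex(SAMPLE_HEX, LEGACY_KEY)    # raw key, as in the first post
    except ValueError as err:
        print("raw key rejected:", err)
    print(decrypt_hex(SAMPLE_HEX, to_key_argument(LEGACY_KEY)))
```

The "Illegal key size or default parameters" text quoted earlier in the thread is the message Java's JCE raises when a key is longer than the installed jurisdiction policy allows; the key here is 30 bytes, i.e. 240 bits.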

Guest
Oct 18, 2010

as I remember, the passwords were encrypted with asp.net, all I had was the encrypted passwords & encryption keys ...  I had no problems using CFMX > CFMX encryption ...

Valorous Hero
Oct 18, 2010

Not sure what you mean. With a slight modification, your original example of RC4 encryption works fine.

BTW: The last comment was to point out that one of your test cases was not actually using RC4 as you thought

ie #encrypt("killbill","RC4")# actually uses the default CFMX_COMPAT with "RC4" as the seed.

-Leigh
