
Decryption - Arrgghh!

Feb 25, 2010 4:41 PM

I'm having some difficulty trying to decrypt some passwords to move from one application to another [using different encryption] ... can anyone help with this?

 

<cfscript>

rc4key = '823hjdFD00fQFSDFJweru87fsj34FS'; // plain text encryption key

passhex = '668413106F51AB'; // hex encoded password [should return test123]

EncryptedPassword = ToBase64(BinaryDecode(passhex, "Hex"));

writeoutput(EncryptedPassword); // returns ZoQTEG9Rqw==  which is base64 ?!?!?

DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex'); //throws an error

writeoutput(DecryptedPassword);

</cfscript>

 

 

And the error I get is:

An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

 

 

 

I just don't know what is not happening here, I've tested the key and password at http://crypto.hurlant.com/demo/ and gotten what I expect are correct results....  see attached.....

 

can anyone help?

 

-sean

screen.jpg

 

 

 

 

 

 

 
Replies
    Feb 26, 2010 6:03 AM   in reply to sean69

    What version of CF do you have?  As far as I know RC4 is not available in the standard edition.  You need either Enterprise or additional providers installed.

     

    Cheers

     
    Feb 27, 2010 6:15 AM   in reply to sean69

    The following test works. It may contain something for you.

     

    <cfscript>
    rc4key = generatesecretkey("RC4");
    writeoutput("CF-generated RC4 key: " & rc4key & "<br>");

    password = "test123";
    EncryptedPassword = encrypt(password,rc4key,"RC4","hex");
    writeoutput("Encrypted password: " & EncryptedPassword & "<br>");
    DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex');
    writeoutput("Decrypted password: " & DecryptedPassword);
    </cfscript>

     
    Feb 27, 2010 6:48 AM   in reply to sean69

    sean69 wrote:

    An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

     

     

    ok, soooo the problem is with the key?

     

    Indeed, the problem is likely with the key. I would just take Coldfusion's insurance policy,

     

    rc4key = generatesecretkey("RC4");

     

    and then store the value somewhere.

     
    Feb 28, 2010 3:10 AM   in reply to sean69

    sean69 wrote:

     

    wherein lies the problem, I am migrating customers from one store application [Candypress - asp pages] to a completely new application since there is about 9000 of them it would be nice to be able to script the passwords.... [stored as plain text in the new application

    No problem. Just let Coldfusion generate the RC4 keys for you.

     
    Feb 28, 2010 1:20 PM   in reply to sean69

     

    I'm trying to migrate the passwords as well

    Ah. That wasn't clear to me. In any case, I doubt whether '823hjdFD00fQFSDFJweru87fsj34FS' is an RC4 key.

     
    Mar 8, 2010 8:45 AM   in reply to sean69

    It wants to "base64decode" the string.

     

    So... simply send it a base64-encoding of the string.  Let the parameter be a function-call which encodes the actual key so that CF can happily decode it again.

     
    Mar 11, 2010 7:28 AM   in reply to sean69

    What I'm saying is... I've found that a couple of the crypto functions expect to receive a base64-encoded string.  They croak if they don't get one.

     

    So, if what you've actually got is "the actual string," i.e. not base64-encoded, and you need to pass that string to the function, simply give it what it wants:  let the parameter simply be toBase64(your_known_string).  You hand the function the encoded version of your_known_string so that it can immediately decode it again ... producing your_known_string ... and everybody's happy now.

     
    Mar 15, 2010 9:06 AM   in reply to sean69

    You may find that an algorithm which accepts an RC4 key expects it to be base64 encoded.  "So," all I'm saying is, "if that is the case, then base64 encode it so that CF can immediately base64 decode it again."  In this way, you pass the necessary string into the function.

     
    Mar 16, 2010 9:31 AM   in reply to sean69

    That is indeed what I was suggesting.

     

    but ...

     

    are you sure that the fourth parameter to Decrypt() should be 'hex'?  I don't know the answer to that.  Is this supposed to represent the encoding of the data string, or of the key?

     
    Oct 13, 2010 9:29 PM   in reply to sean69

    Sean -

     

    Did you ever happen to figure this out?  If so, what was the issue?

     

    Thanks,

    Neal

     
    Oct 14, 2010 10:43 AM   in reply to sean69

    Yeah, I gave up as well.  Decided to use this function:

     

    http://www.cflib.org/udf/RC4


     
    Oct 17, 2010 8:49 PM   in reply to nealb

    I am not very familiar with RC4, but this seems to work fine for me. ie Returns the same results as the online demo.

     

    <cfscript>
        // convert plain text key to base64
        rc4key = '823hjdFD00fQFSDFJweru87fsj34FS';
        keyBytes = charsetDecode(rc4key, "utf8");
        keyBase64 = BinaryEncode(keyBytes, "base64");

     

        //encrypt it and return value as HEX...
        encrypted = Encrypt("test123", keyBase64, 'RC4', 'hex');
        WriteOutput("encrypted="& encrypted &"<br>");

     

        // decrypt value
        decrypted = Decrypt( encrypted, keyBase64, 'RC4', 'Hex');
        WriteOutput("decrypted="& decrypted &"<br>");
    </cfscript>

     

    If I, #encrypt("killbill","RC4")#, I get "(?)Y0GXZT5_,

     

    so I am assuming RC4 is working....

     

    BTW: The algorithm name is in the wrong position. So it is just using the default CFMX_COMPAT.

     

    Message was edited by: -==cfSearching==-

     
    Oct 18, 2010 9:59 AM   in reply to sean69

    Not sure what you mean.  With a slight modification, your original example of RC4 encryption works fine.

     

    BTW: The last comment was to point out that one of your test cases was not actually using RC4 as you thought

     

    ie #encrypt("killbill","RC4")# actually uses the default CFMX_COMPAT with "RC4" as the seed.

     

    -Leigh

     
    Oct 18, 2010 1:14 PM   in reply to -==cfSearching==-

    Not RC4 as the seed, RC4 as the key.

     

    Jason

     
    Oct 18, 2010 3:32 PM   in reply to 12Robots

    Yes, if it were really doing RC4 encryption it would be the key. But since that snippet is doing CFMX_COMPAT, the string "RC4" is just used as the seed. At least that is how I have always understood CFMX_COMPAT to work.

     

    ie. This snippet

    #encrypt("killbill","RC4")#

     

    ... and not

     

    #encrypt("killbill", key, "RC4")#

     

    Message was edited by: -==cfSearching==-

     
    Oct 18, 2010 4:45 PM   in reply to -==cfSearching==-

    cfSearching -

     

    <cfscript>
        // convert plain text key to base64
        rc4key = '823hjdFD00fQFSDFJweru87fsj34FS';
        keyBytes = charsetDecode(rc4key, "utf8");
        keyBase64 = BinaryEncode(keyBytes, "base64");

     

        //encrypt it and return value as HEX...
        encrypted = Encrypt("test123", keyBase64, 'RC4', 'hex');
        WriteOutput("encrypted="& encrypted &"<br>");

     

        // decrypt value
        decrypted = Decrypt( encrypted, keyBase64, 'RC4', 'Hex');
        WriteOutput("decrypted="& decrypted &"<br>");
    </cfscript>

     

    I ran your snippet above on my CF 8 Standard Server and received the following error:

     

    The key specified is not a valid key for this encryption: Illegal key size or default parameters.
    Use the generateSecretKey method to generate a valid key for this operation.

     

    Perhaps this is a CF Standard vs. Enterprise issue?

     

    The doc says that RC4 is not installed on Standard by default.

     

    The strange thing is that on Standard, this does work:

     

    <cfset testkey = GenerateSecretKey("RC4")>

    <cfset encrypted = Encrypt("test123", testkey, 'RC4', 'hex')>

     
    Oct 18, 2010 5:10 PM   in reply to nealb

    >> <cfset testkey = GenerateSecretKey("RC4")>

     

    Did you install the unlimited strength files? I tested the code with the CF9 developer edition and the two changes I made were

     

    http://kb2.adobe.com/cps/546/e546373d.html

    - Add bouncy castle as a security provider and

    - Installing the unlimited strength files

     

    Message was edited by: -==cfSearching==-

     
    Oct 18, 2010 5:48 PM   in reply to -==cfSearching==-

    I tested the original code with CF9 Developer edition, and with some minor changes to the code, it worked fine.  The original poster was doing more conversion than was needed.

     

     

    <cfscript>

     

    rc4key = toBase64('823hjdFD00fQFSDFJweru87fsj34FS');

    passhex = '668413106F51AB';

     

    DecryptedPassword = Decrypt( passhex, rc4key, 'RC4','HEX');

     

    writeoutput(DecryptedPassword);

     

    </cfscript>

     

    I did not need to add any additional crypto libs or providers.

     

    I do not have a copy of CF Standard to test this on, but if there is not a provider included in CF Standard or the JVM you are running it on that includes RC4, then you may need to install one. Although, it looks to me like RC4 is standard with Java JCE (which is now a standard part of the JDK).

     

    The ColdFusion encrypt docs are a little misleading, I think.  When it is referring to the algorithms that are included with Enterprise vs. Standard, it is referring to the BSafe Crypto-J library that is licensed for use and included with Enterprise. It then mentions the other algorithms that are only included with Standard.  This does NOT mean that these are the only algorithms available in Standard, they are just the only ones included.

     

    But since ColdFusion sits on Java, and the JVM has included the JCE for some time, there are many other providers available to you. I'm not sure about Standard, but the developer edition has 11 of them.

     

    Try this out to see:

     

    <cfdump var="#createObject("java", "java.security.Security").getProviders()#">

     

    I'd say there is a good chance that there is a provider in standard that has RC4 available. And, if there really isn't one, then adding BouncyCastle as a provider is not terribly difficult.

     

    http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation

     

    You can do it at runtime with the same Security object I used above, using the addProvider() method. Or you can add it through config as outlined in the above link.  Either way, you need to add the provider files to your class path.
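
The two encodings this thread keeps mixing up, modelled in Python as an added example (not code from any poster or from Adobe): as the fix in the post above implies, the key argument is Base64 text, while the fourth argument describes how the ciphertext is encoded. `key_param`, `decrypt_like_cf` and `failure` are hypothetical names, and the RC4 routine is the textbook algorithm, assumed rather than shown to match ColdFusion's provider.

```python
import base64

PLAIN_KEY = "823hjdFD00fQFSDFJweru87fsj34FS"   # plain-text key quoted in the thread
PASS_HEX = "668413106F51AB"                    # hex ciphertext quoted in the thread


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                           # XOR data with the keystream
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def key_param(plain_key: str) -> str:
    """What toBase64(key) supplies: the key bytes, Base64-encoded."""
    return base64.b64encode(plain_key.encode("utf-8")).decode("ascii")


def decrypt_like_cf(ciphertext: str, key_b64: str, encoding: str = "hex") -> bytes:
    """Hypothetical model of Decrypt(ciphertext, key, 'RC4', encoding)."""
    key = base64.b64decode(key_b64, validate=True)   # the key is always Base64
    if encoding.lower() == "hex":                    # encoding applies to the data
        return rc4(key, bytes.fromhex(ciphertext))
    return rc4(key, base64.b64decode(ciphertext, validate=True))


def failure(*args) -> str:
    """Name of the exception raised by decrypt_like_cf(*args), or 'ok'."""
    try:
        decrypt_like_cf(*args)
        return "ok"
    except ValueError as exc:                        # binascii.Error is a ValueError
        return type(exc).__name__


if __name__ == "__main__":
    print(failure(PASS_HEX, PLAIN_KEY))                    # raw key is not Base64
    print(failure("ZoQTEG9Rqw==", key_param(PLAIN_KEY)))   # Base64 data declared as hex
    print(decrypt_like_cf(PASS_HEX, key_param(PLAIN_KEY)))
```

The key is 30 characters, so it is not valid Base64 as it stands, and at 240 bits it is larger than the 128-bit RC4 limit in the policy line quoted later in the thread.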

     
    Oct 18, 2010 7:22 PM   in reply to 12Robots

    with some minor changes to the code, it worked fine.  The original poster was doing more conversion than was needed.

     

    Good catch. I thought I had tried that, but I guess not ..

     

    12Robots wrote:

    ..you may need to install one. Although, it looks to me like RC4 is standard with Java JCE (which is now a standard part of the JDK).

     

    Ah, okay. I added bouncy castle for my test because I was not sure if RC4 was available or not.

     

    I did not need to add any additional crypto libs or providers.

     

    Weird.  With the developer edition I was getting the "..key specified is not a valid key for this encryption: Illegal key size or default parameters." error. That is why I installed the unlimited strength files. After installing those, the code worked.  I do not know much about the settings, but it seemed like there were some limitations in the policy files of my original jars.

     

    ie

    permission javax.crypto.CryptoPermission "RC4", 128;

     

    Then again it could be something "wonky" with my setup. I would have to try it on a clean install to be sure.

     

    Message was edited by: -==cfSearching==-

     
    Oct 29, 2010 5:17 PM   in reply to -==cfSearching==-

    The RC4 function in CFLib worked fine for me using the external key.  The issue that had me pulling my hair out was that when I converted the string result to Base64 with the toBase64 function, it didn't come out correctly.

     

    As it turns out, the toBase64 uses the same encoding of the page that you're on.

     

    I tried the different encodings and toBase64(result,"iso-8859-1") worked fine.

     
    Oct 30, 2010 11:18 AM   in reply to nealb

    As it turns out, the toBase64 uses the same encoding of the page that you're on.

     

    Ooh. Yes. That would make a difference.  Glad you figured it out. (Though supposedly the docs recommend using BinaryEncode over ToBase64 these days. Not sure why ..)

     