32 Replies Latest reply: Oct 30, 2010 11:18 AM by -==cfSearching==-

    Decryption - Arrgghh!

    sean69 Community Member

      I'm having some difficulty trying to decrypt some passwords to move from one application to another [using different encryption] ... can anyone help with this?

       

      <cfscript>
      rc4key = '823hjdFD00fQFSDFJweru87fsj34FS'; // plain text encryption key
      passhex = '668413106F51AB'; // hex encoded password [should return test123]

      EncryptedPassword = ToBase64(BinaryDecode(passhex, "Hex"));
      writeoutput(EncryptedPassword); // returns ZoQTEG9Rqw==  which is base64 ?!?!?

      DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex'); //throws an error
      writeoutput(DecryptedPassword); // was writeoutput(decrypted), an undefined variable
      </cfscript>

      And the error I get is:

      An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

      I just don't know what is not happening here, I've tested the key and password at http://crypto.hurlant.com/demo/ and gotten what I expect are correct results....  see attached.....

       

      can anyone help?

       

      -sean

      [attachment: screen.jpg]

        • 1. Re: Decryption - Arrgghh!
          Chiwi8888 Community Member

          What version of CF do you have?  As far as I know RC4 is not available in the standard edition.  You need either Enterprise or additional providers installed.

           

          Cheers

          • 2. Re: Decryption - Arrgghh!
            sean69 Community Member


            I'm 99.9% sure RC4 is available on my server ....  I've added the extra security provider package for [see here: http://kb2.adobe.com/cps/546/e546373d.html ] and if I tail the cfserver log I get:

            01/11 15:08:23 Information [main] - Installed JSafe JCE provider: Version 3.6 RSA Security Inc. Crypto-J JCE Security Provider (implements RSA, DSA, Diffie-Hellman, AES, DES, Triple DES, DESX, RC2, RC4, RC5, PBE, MD2, MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC-MD5, HMAC-RIPEMD160, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512)

             

            If I, #encrypt("killbill","RC4")#, I get "(?)Y0GXZT5_,"

             

            so I am assuming RC4 is working....

             

            -sean

             

            [CF8 Enterprise]

            • 3. Re: Decryption - Arrgghh!
              BKBK CommunityMVP

              The following test works. It may contain something for you.

               

              <cfscript>
              rc4key = generatesecretkey("RC4");
              writeoutput("CF-generated RC4 key: " & rc4key & "<br>");

              password = "test123";
              EncryptedPassword = encrypt(password,rc4key,"RC4","hex");
              writeoutput("Encrypted password: " & EncryptedPassword & "<br>");
              DecryptedPassword = Decrypt( EncryptedPassword, rc4key, 'RC4','Hex');
              writeoutput("Decrypted password: " & DecryptedPassword);
              </cfscript>

              • 4. Re: Decryption - Arrgghh!
                sean69 Community Member

                Hi;

                 

                yes - it does work, but when I substitute my existing key [ rc4key = '823hjdFD00fQFSDFJweru87fsj34FS'; ] I get the error:

                 

                An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

                ok, soooo the problem is with the key?

                 

                -sean

                • 5. Re: Decryption - Arrgghh!
                  BKBK CommunityMVP

                  sean69 wrote:

                  An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "823hjdFD00fQFSDFJweru87fsj34FS"..

                  ok, soooo the problem is with the key?

                   

                  Indeed, the problem is likely with the key. I would just take Coldfusion's insurance policy,

                   

                  rc4key = generatesecretkey("RC4");

                   

                  and then store the value somewhere.

                  • 6. Re: Decryption - Arrgghh!
                    sean69 Community Member

                    Wherein lies the problem: I am migrating customers from one store application [Candypress - asp pages] to a completely new application, and since there are about 9000 of them it would be nice to be able to script the passwords.... [stored as plain text in the new application]

                    -sean

                    • 7. Re: Decryption - Arrgghh!
                      BKBK CommunityMVP

                      sean69 wrote:

                       

                      Wherein lies the problem: I am migrating customers from one store application [Candypress - asp pages] to a completely new application, and since there are about 9000 of them it would be nice to be able to script the passwords.... [stored as plain text in the new application]

                      No problem. Just let Coldfusion generate the RC4 keys for you.

                      • 8. Re: Decryption - Arrgghh!
                        sean69 Community Member

                        I don't understand how that would help.

                         

                        I'm trying to migrate the passwords as well, not change them. all I have is the encrypted password and the key to start with.

                         

                        -sean

                        • 9. Re: Decryption - Arrgghh!
                          BKBK CommunityMVP

                           

                          I'm trying to migrate the passwords as well

                          Ah. That wasn't clear to me. In any case, I doubt whether '823hjdFD00fQFSDFJweru87fsj34FS' is an RC4 key.

                          • 10. Re: Decryption - Arrgghh!
                            sean69 Community Member

                            You can test the key at http://crypto.hurlant.com/demo/

                             

                            screenshot in first post...it seems to work so if there is a problem with it, I'm not sure what it could be??

                             

                            -sean

                            • 11. Re: Decryption - Arrgghh!
                              TLC-IT Community Member

                              It wants to "base64decode" the string.

                               

                              So... simply send it a base64-encoding of the string.  Let the parameter be a function-call which encodes the actual key so that CF can happily decode it again.

                              • 12. Re: Decryption - Arrgghh!
                                sean69 Community Member

                                nope - sorry, I don't understand your reply....

                                 

                                "It wants to "base64decode" the string." - which string, what is it?

                                 

                                "simply send it a base64-encoding of the string" ??

                                 

                                -if you are suggesting the passwords, I don't have a decrypted version of the passwords....

                                 

                                can you illustrate with a line or two of code?

                                 

                                -thanks

                                -sean

                                • 13. Re: Decryption - Arrgghh!
                                  TLC-IT Community Member

                                  What I'm saying is... I've found that a couple of the crypto functions expect to receive a base64-encoded string.  They croak if they don't get one.

                                   

                                  So, if what you've actually got is "the actual string," i.e. not base64-encoded, and you need to pass that string to the function, simply give it what it wants:  let the parameter simply be toBase64(your_known_string).  You hand the function the encoded version of your_known_string so that it can immediately decode it again ... producing your_known_string ... and everybody's happy now.

                                  • 14. Re: Decryption - Arrgghh!
                                    sean69 Community Member

                                    I still don't see what you are saying, have you tested with any code???

                                     

                                    all I have is the rc4key = '823hjdFD00fQFSDFJweru87fsj34FS' - used to originally encrypt the passwords,  and the encrypted password = '668413106F51AB'  in this one and only case I happen to know that password is 'test123'

                                     

                                    you can see in my original post that someone has figured it out, I can decode passwords one by one using that app,  just have not been able to figure it out here...

                                    -sean

                                    • 15. Re: Decryption - Arrgghh!
                                      TLC-IT Community Member

                                      You may find that an algorithm which accepts an RC4 key expects it to be base64 encoded.  "So," all I'm saying is, "if that is the case, then base64 encode it so that CF can immediately base64 decode it again."  In this way, you pass the necessary string into the function.

                                      • 16. Re: Decryption - Arrgghh!
                                        sean69 Community Member

                                        so you are suggesting something like:

                                         

                                        passhex = '668413106F51AB';
                                        
                                        rc4key = toBase64('823hjdFD00fQFSDFJweru87fsj34FS');
                                        
                                        writeoutput(Decrypt( passhex, rc4key, 'RC4','Hex'));

                                        Which gives me a "The key specified is not a valid key for this encryption: Illegal key size or default parameters." error.

                                         

                                        -sean

                                        • 17. Re: Decryption - Arrgghh!
                                          TLC-IT Community Member

                                          That is indeed what I was suggesting.

                                           

                                          but ...

                                           

                                          are you sure that the fourth parameter to Decrypt() should be 'hex'?  I don't know the answer to that.  Is this supposed to represent the encoding of the data string, or of the key?

                                          • 18. Re: Decryption - Arrgghh!
                                            sean69 Community Member

                                            I really don't have a clue.....


                                            • 19. Re: Decryption - Arrgghh!
                                              nealb

                                              Sean -

                                               

                                              Did you ever happen to figure this out?  If so, what was the issue?

                                               

                                              Thanks,

                                              Neal

                                              • 20. Re: Decryption - Arrgghh!
                                                sean69 Community Member

                                                nope - never figured it out...  sorry

                                                • 21. Re: Decryption - Arrgghh!
                                                  nealb Community Member

                                                  Yeah, I gave up as well.  Decided to use this function:

                                                   

                                                  http://www.cflib.org/udf/RC4


                                                  • 22. Re: Decryption - Arrgghh!
                                                    -==cfSearching==- Community Member

                                                    I am not very familiar with RC4, but this seems to work fine for me, i.e. it returns the same results as the online demo.

                                                     

                                                    <cfscript>
                                                        // convert plain text key to base64
                                                        rc4key = '823hjdFD00fQFSDFJweru87fsj34FS';
                                                        keyBytes = charsetDecode(rc4key, "utf8");
                                                        keyBase64 = BinaryEncode(keyBytes, "base64");

                                                        //encrypt it and return value as HEX...
                                                        encrypted = Encrypt("test123", keyBase64, 'RC4', 'hex');
                                                        WriteOutput("encrypted="& encrypted &"<br>");

                                                        // decrypt value
                                                        decrypted = Decrypt( encrypted, keyBase64, 'RC4', 'Hex');
                                                        WriteOutput("decrypted="& decrypted &"<br>");
                                                    </cfscript>

                                                     

                                                    If I, #encrypt("killbill","RC4")#, I get "(?)Y0GXZT5_,"

                                                     

                                                    so I am assuming RC4 is working....

                                                     

                                                    BTW: The algorithm name is in the wrong position. So it is just using the default CFMX_COMPAT.


                                                    • 23. Re: Decryption - Arrgghh!
                                                      sean69 Community Member

                                                      as I remember, the passwords were encrypted with asp.net, all I had was the encrypted passwords & encryption keys ...  I had no problems using CFMX > CFMX encryption ...

                                                      • 24. Re: Decryption - Arrgghh!
                                                        -==cfSearching==- Community Member

                                                        Not sure what you mean.  With a slight modification, your original example of RC4 encryption works fine.

                                                         

                                                        BTW: The last comment was to point out that one of your test cases was not actually using RC4 as you thought.

                                                         

                                                        ie #encrypt("killbill","RC4")# actually uses the default CFMX_COMPAT with "RC4" as the seed.

                                                         

                                                        -Leigh

                                                        • 25. Re: Decryption - Arrgghh!
                                                          12Robots Community Member

                                                          Not RC4 as the seed, RC4 as the key.

                                                           

                                                          Jason

                                                          • 26. Re: Decryption - Arrgghh!
                                                            -==cfSearching==- Community Member

                                                            Yes, if it were really doing RC4 encryption it would be the key. But since that snippet is doing CFMX_COMPAT, the string "RC4" is just used as the seed. At least that is how I have always understood CFMX_COMPAT to work.

                                                             

                                                            ie. This snippet

                                                            #encrypt("killbill","RC4")#

                                                             

                                                            ... and not

                                                             

                                                            #encrypt("killbill", key, "RC4")#


                                                            • 27. Re: Decryption - Arrgghh!
                                                              nealb Community Member

                                                              cfSearching -

                                                               

                                                              <cfscript>
                                                                  // convert plain text key to base64
                                                                  rc4key = '823hjdFD00fQFSDFJweru87fsj34FS';
                                                                  keyBytes = charsetDecode(rc4key, "utf8");
                                                                  keyBase64 = BinaryEncode(keyBytes, "base64");

                                                                  //encrypt it and return value as HEX...
                                                                  encrypted = Encrypt("test123", keyBase64, 'RC4', 'hex');
                                                                  WriteOutput("encrypted="& encrypted &"<br>");

                                                                  // decrypt value
                                                                  decrypted = Decrypt( encrypted, keyBase64, 'RC4', 'Hex');
                                                                  WriteOutput("decrypted="& decrypted &"<br>");
                                                              </cfscript>

                                                               

                                                              I ran your snippet above on my CF 8 Standard Server and received the following error:

                                                               

                                                              The key specified is not a valid key for this encryption: Illegal key size or default parameters.
                                                              Use the generateSecretKey method to generate a valid key for this operation.

                                                               

                                                              Perhaps this is a CF Standard vs. Enterprise issue?

                                                               

                                                              The doc says that RC4 is not installed on Standard by default.

                                                               

                                                              The strange thing is that on Standard, this does work:

                                                               

                                                              <cfset testkey = GenerateSecretKey("RC4")>
                                                              <cfset encrypted = Encrypt("test123", testkey, 'RC4', 'hex')>

                                                              • 28. Re: Decryption - Arrgghh!
                                                                -==cfSearching==- Community Member

                                                                >> <cfset testkey = GenerateSecretKey("RC4")>

                                                                 

                                                                Did you install the unlimited strength files? I tested the code with the CF9 developer edition and the two changes I made were

                                                                 

                                                                http://kb2.adobe.com/cps/546/e546373d.html

                                                                - Adding bouncy castle as a security provider, and

                                                                - Installing the unlimited strength files


                                                                • 29. Re: Decryption - Arrgghh!
                                                                  12Robots Community Member

                                                                  I tested the original code with CF9 Developer edition, and with some minor changes to the code, it worked fine.  The original poster was doing more conversion than was needed.

                                                                  <cfscript>
                                                                  rc4key = toBase64('823hjdFD00fQFSDFJweru87fsj34FS'); // base64 of the raw key bytes
                                                                  passhex = '668413106F51AB';                           // ciphertext, hex encoded

                                                                  DecryptedPassword = Decrypt( passhex, rc4key, 'RC4','HEX');
                                                                  writeoutput(DecryptedPassword); // was writeoutput(decrypted), an undefined variable
                                                                  </cfscript>

                                                                   

                                                                  I did not need to add any additional crypto libs or providers.

                                                                   

                                                                  I do not have a copy of CF Standard to test this on, but if there is not a provider included in CF Standard or the JVM you are running it on that includes RC4, then you may need to install one. Although, it looks to me like RC4 is standard with Java JCE (which is now a standard part of the JDK).

                                                                   

                                                                  The ColdFusion encrypt docs are a little misleading, I think.  When it is referring to the algorithms that are included with Enterprise vs. Standard, it is referring to the BSafe Crypto-J library that is licensed for use and included with Enterprise. It then mentions the other algorithms that are only included with Standard.  This does NOT mean that these are the only algorithms available in Standard, they are just the only ones included.

                                                                   

                                                                  But since ColdFusion sits on Java, and the JVM has included the JCE for some time, there are many other providers available to you. I'm not sure about Standard, but the developer edition has 11 of them.

                                                                   

                                                                  Try this out to see:

                                                                   

                                                                  <cfdump var="#createObject("java", "java.security.Security").getProviders()#">

                                                                   

                                                                  I'd say there is a good chance that there is a provider in standard that has RC4 available. And, if there really isn't one, then adding BouncyCastle as a provider is not terribly difficult.

                                                                   

                                                                  http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation

                                                                   

                                                                  You can do it at runtime with the same Security object I used above, using the addProvider() method. Or you can add it through config as outlined in the above link.  Either way, you need to add the provider files to your class path.
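The fix 12Robots arrived at (base64 of the raw key bytes, hex-encoded ciphertext, nothing else converted) is easier to see once each encoding layer is written out. The block below is an added example, not code from the thread or from ColdFusion: it re-implements RC4 in Python so the round trip can be checked outside CF, and it uses the key text and the hex ciphertext quoted in the thread. It assumes the key was used as its ASCII/UTF-8 bytes, which is what toBase64(key) on an ASCII key hands to Decrypt(). It also counts the key's bits: the quoted key is 30 characters, so 240 bits, which is above the 128-bit RC4 limit in the default JCE policy line cfSearching quotes later in the thread, consistent with the "Illegal key size" error on installs without the unlimited-strength policy files.

```python
# Added example (not from the thread): RC4 with every encoding layer explicit.
# KEY and PASSHEX are the values quoted in the thread.
import base64

KEY = "823hjdFD00fQFSDFJweru87fsj34FS"   # plain-text key from the thread
PASSHEX = "668413106F51AB"               # hex ciphertext from the thread


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; encryption and decryption are the same op."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def cf_key_param(key_text: str, charset: str = "utf-8") -> str:
    """The form ColdFusion's Encrypt()/Decrypt() want for the key argument:
    base64 of the raw key bytes. Not the key text itself, and not base64 of
    the ciphertext (which is what the first post built)."""
    return base64.b64encode(key_text.encode(charset)).decode("ascii")


def key_bits(key_text: str, charset: str = "utf-8") -> int:
    """Key length in bits, the quantity a JCE policy line like
    'CryptoPermission "RC4", 128' restricts."""
    return 8 * len(key_text.encode(charset))


def encrypt_to_hex(key_text: str, plaintext: str) -> str:
    """Mirror of Encrypt(plaintext, key, 'RC4', 'hex') with the key as raw bytes."""
    return rc4(key_text.encode("utf-8"), plaintext.encode("utf-8")).hex().upper()


def decrypt_hex(key_text: str, hex_ciphertext: str) -> str:
    """Mirror of Decrypt(hexstring, key, 'RC4', 'hex'). A wrong key does not
    raise; it yields bytes that are rarely valid UTF-8, so U+FFFD replacement
    characters in the result are the sign that the key or charset is off."""
    plain = rc4(key_text.encode("utf-8"), bytes.fromhex(hex_ciphertext))
    return plain.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("key bits        :", key_bits(KEY))          # 240
    print("CF key argument :", cf_key_param(KEY))
    print("round trip      :", decrypt_hex(KEY, encrypt_to_hex(KEY, "test123")))
    print("thread ciphertext decrypts to:", decrypt_hex(KEY, PASSHEX))
```

The thread reports that the last line should print test123; the assertions below only check the parts that hold independently of that claim: the published RC4 test vectors, the key-size arithmetic, and the encrypt/decrypt round trip.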

                                                                  • 30. Re: Decryption - Arrgghh!
                                                                    -==cfSearching==- Community Member

                                                                    with some minor changes to the code, it worked fine.  The original poster was doing more conversion than was needed.

                                                                     

                                                                    Good catch. I thought I had tried that, but I guess not ..

                                                                     

                                                                    12Robots wrote:

                                                                    ..you may need to install one. Although, it looks to me like RC4 is standard with Java JCE (which is now a standard part of the JDK).

                                                                     

                                                                    Ah, okay. I added bouncy castle for my test because I was not sure if RC4 was available or not.

                                                                     

                                                                    I did not need to add any additional crypto libs or providers.

                                                                     

                                                                    Weird.  With the developer edition I was getting the "..key specified is not a valid key for this encryption: Illegal key size or default parameters." error. That is why I installed the unlimited strength files. After installing those, the code worked.  I do not know much about the settings, but it seemed like there were some limitations in the policy files of my original jars.

                                                                     

                                                                    ie

                                                                    permission javax.crypto.CryptoPermission "RC4", 128;

                                                                     

                                                                    Then again it could be something "wonky" with my setup. I would have to try it on a clean install to be sure.


                                                                    • 31. Re: Decryption - Arrgghh!
                                                                      nealb Community Member

                                                                      The RC4 function in CFLib worked fine for me using the external key.  The issue that had me pulling my hair out was that when I converted the string result to Base64 with the toBase64 function, it didn't come out correctly.

                                                                       

                                                                      As it turns out, toBase64 uses the same encoding as the page that you're on.

                                                                       

                                                                      I tried the different encodings and toBase64(result,"iso-8859-1") worked fine.

                                                                      • 32. Re: Decryption - Arrgghh!
                                                                        -==cfSearching==- Community Member

                                                                        As it turns out, toBase64 uses the same encoding as the page that you're on.

                                                                         

                                                                        Ooh. Yes. That would make a difference.  Glad you figured it out. (Though supposedly the docs recommend using BinaryEncode over ToBase64 these days. Not sure why ..)
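nealb's last two posts describe a second encoding trap, separate from the key question: a UDF that returns ciphertext as a string of chr(byte) characters, then ToBase64() re-encoding that string in the page charset. The block below is an added example, not code from the thread or from CFLib, modelling ToBase64(string, charset) in Python on the hex ciphertext quoted in the thread. It shows why iso-8859-1 is the charset that round-trips (every byte 0x00..0xFF maps to exactly one character) while UTF-8 silently expands any byte at or above 0x80 into two bytes, and why cfSearching's closing remark about BinaryEncode holds: encoding the raw bytes directly never consults a page charset at all.

```python
# Added example (not from the thread): ToBase64() on a "bytes as string"
# value depends on the charset; iso-8859-1 round-trips, utf-8 does not.
import base64

# Hex ciphertext quoted in the thread; it contains two bytes >= 0x80 (0x84, 0xAB).
CIPHERTEXT = bytes.fromhex("668413106F51AB")


def bytes_as_cf_string(raw: bytes) -> str:
    """Model of a UDF that returns ciphertext as a string of chr(byte) characters."""
    return "".join(chr(b) for b in raw)


def to_base64(text: str, charset: str) -> str:
    """Model of ToBase64(string, charset): encode the string in that charset,
    then base64 the resulting bytes."""
    return base64.b64encode(text.encode(charset)).decode("ascii")


def binary_encode_base64(raw: bytes) -> str:
    """Model of BinaryEncode(bytes, 'base64'): no charset involved at all."""
    return base64.b64encode(raw).decode("ascii")


def roundtrips(raw: bytes, charset: str) -> bool:
    """True if base64-decoding ToBase64(chr-string, charset) gives back raw."""
    return base64.b64decode(to_base64(bytes_as_cf_string(raw), charset)) == raw


def high_bytes(raw: bytes) -> list:
    """The bytes that UTF-8 would expand to two bytes each."""
    return [f"0x{b:02X}" for b in raw if b >= 0x80]


if __name__ == "__main__":
    s = bytes_as_cf_string(CIPHERTEXT)
    print("iso-8859-1  :", to_base64(s, "iso-8859-1"))   # ZoQTEG9Rqw==
    print("utf-8       :", to_base64(s, "utf-8"))        # ZsKEExBvUcKr
    print("BinaryEncode:", binary_encode_base64(CIPHERTEXT))
    print("bytes >= 0x80 that utf-8 expands:", high_bytes(CIPHERTEXT))
```

The iso-8859-1 output equals the ZoQTEG9Rqw== value the first post obtained from ToBase64(BinaryDecode(passhex, "Hex")), which is the check to run on any host: if the page charset is UTF-8, ToBase64 on such a string produces a longer, different value that no decrypt routine will accept.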