0

I am rewriting an internal ColdFusion app that stores passwords in the database using Encrypt and Decrypt into C#. My ColdFusion code is using two parameters like this:

<cfset strDecrypted = decrypt(ToString(toBinary(strBase64Value)),"keycode") />

Where strDecrypted is the decrypted string returned, strBase64Value is the encrypted string in the database and "keycode" is an arbitrary key string I came up with so I don't disclose the real key here. My C# code sample is below; I get an error when I pass in the key. The error message says "The specified key is not a valid size for this algorithm. Parameter name: key"

private string ConvertString(string string1, string string2)
{
    byte[] key = ASCIIEncoding.ASCII.GetBytes(string1);
    byte[] encryptedData = Convert.FromBase64String(string2);

    Aes aes = Aes.Create();
    aes.Mode = CipherMode.ECB;

    using (var ms = new MemoryStream())
    {
        using (var cs = new CryptoStream(ms, aes.CreateDecryptor(key, null), CryptoStreamMode.Write))
        {
            cs.Write(encryptedData, 0, encryptedData.Length);
        }
        byte[] decryptedData = ms.ToArray();
        string clearText = Encoding.ASCII.GetString(decryptedData);
        return clearText;
    }
}

I'm not sure if I should post here in the ColdFusion forums or the C# forums, so I'll start here first.

Thanks,
Rick

0

decrypt(ToString(toBinary(strBase64Value)),"keycode")

If there are only 2 arguments, it's not AES. It defaults to a legacy algorithm called CFMX_COMPAT. Most CF apps don't use that anymore. I wouldn't bother trying to replicate it in C#. Better to decrypt and re-encrypt with whatever algorithm you plan to use in the new app. Anything beyond CF7 supports the standards: AES, Blowfish, etc.

Edited by arrgh: spelling

0

I agree, I am not replicating it, but we have 7,000+ users using the old system in ColdFusion. I am implementing a function that would update the old stored password from ColdFusion into a newer and more secure method of storing passwords, rather than asking everyone to create a new username/password again.

0

Well, I was suggesting you do a one-time convert on the CF side instead of trying to figure out how to replicate an outdated algorithm in .NET. It's only 2 or 3 lines of CF in a loop.

  `decryptedString = decrypt(oldString, "oldKey");`
     `reEncrypted = encrypt(decryptedString, "key", "AES", ...)`

Edited by arrgh

0

I'm no ColdFusion expert but that is what I thought of doing. I probably can google looping in CF and figure it out. Thanks.

0

In theory it's a single query to get the old values:

<cfquery name="getUsers" datasource="yourDSN">
      SELECT TheUniqueID, OldPassword
      FROM   UserTableName
</cfquery>

Then a query loop to generate the new password & update the database.

<!--- untested --->
<cfloop query="getUsers">
   <cfset decryptedString = decrypt(oldPassword, "oldKey")>
   <cfset reEncrypted = encrypt(decryptedString, "newAESkey", "AES/ECB/PKCS5Padding", "base64")>
    <cfquery name="updateUsers" datasource="yourDSN">
          UPDATE UserTableName 
          SET    NewPassword = <cfqueryparam value="#reEncrypted#" cfsqltype="cf_sql_varchar">
          <!--- assumes unique ID is integer  --->
          WHERE  TheUniqueID = <cfqueryparam value="#TheUniqueID#" cfsqltype="cf_sql_integer">
    </cfquery>

</cfloop>

Until you're sure everything's working OK, I'd keep the old password around in a separate column. Since it's a lot of db updates, you may need to increase the page timeout, i.e. yourpage.cfm?requesttimeout=7000. Normally I'd do it in batches, but it's not worth it for a one-time script.

Edited by arrgh
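
Added example, not code from the thread or from either poster: once the loop above has re-encrypted the values with "AES/ECB/PKCS5Padding" and "base64", they can be read from C# as sketched here. It assumes the CF key is the Base64 string returned by generateSecretKey("AES") and that the plaintext is UTF-8; the class name, method name and sample data are hypothetical. The key-size check is the same one that produces the "not a valid size" error when a 7-character string such as "keycode" is passed as raw ASCII bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CfAesInterop   // hypothetical helper name
{
    // Decrypts output of CF encrypt(text, key, "AES/ECB/PKCS5Padding", "base64").
    // Assumption: base64Key is the Base64 string from generateSecretKey("AES").
    public static string Decrypt(string base64Cipher, string base64Key)
    {
        byte[] key = Convert.FromBase64String(base64Key);
        using (Aes aes = Aes.Create())
        {
            // AES accepts only 128-, 192- or 256-bit keys (16, 24 or 32 bytes).
            if (!aes.ValidKeySize(key.Length * 8))
                throw new ArgumentException("AES key must be 16, 24 or 32 bytes.", nameof(base64Key));

            aes.Mode = CipherMode.ECB;
            aes.Padding = PaddingMode.PKCS7;   // what Java/CF calls PKCS5Padding
            aes.Key = key;

            byte[] cipher = Convert.FromBase64String(base64Cipher);
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
                return Encoding.UTF8.GetString(plain);   // assumes UTF-8 plaintext
            }
        }
    }

    static void Main()
    {
        using (Aes aes = Aes.Create())
        {
            // Constructed sample: random key and a value encrypted with the same settings.
            aes.Mode = CipherMode.ECB;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateKey();
            byte[] pt = Encoding.UTF8.GetBytes("constructed-sample-value");
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(pt, 0, pt.Length);

            Console.WriteLine(Decrypt(Convert.ToBase64String(ct), Convert.ToBase64String(aes.Key)));
            // The question's key as raw ASCII bytes is 56 bits, which AES rejects.
            Console.WriteLine(aes.ValidKeySize(Encoding.ASCII.GetBytes("keycode").Length * 8));
        }
    }
}
```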

0

That looks pretty straight-forward. I'll give that a shot in our test environment. Appreciate it!

0

You're welcome.

I doubt you'll have any problems. CF is pretty intuitive. But if you do, post back.
