Member Avatar for RickCJ7

I am rewriting an internal Coldfusion app that stores passwords in the database using Encrypt and Decrypt into C#. My Coldfusion code is using two parameters like this:

<cfset strDecrypted = decrypt(ToString(toBinary(strBase64Value)),"keycode") />

Where strDecrypted is the decrypted string returned, strBase64Value is the encrypted string in the database and "keycode" is an arbitrary key string I came up with so I don't disclose the real key here. My C# code sample is below, I get an error when I pass in the key. The error message says "The specified key is not a valid size for this algorithm. Parameter name: key"

private string ConvertString(string string1, string string2)
{
    byte[] key = ASCIIEncoding.ASCII.GetBytes(string1);
    byte[] encryptedData = Convert.FromBase64String(string2);

    Aes aes = Aes.Create();
    aes.Mode = CipherMode.ECB;

    using (var ms = new MemoryStream())
    {
        using (var cs = new CryptoStream(ms, aes.CreateDecryptor(key, null), CryptoStreamMode.Write))
        {
            cs.Write(encryptedData, 0, encryptedData.Length);
        }
        byte[] decryptedData = ms.ToArray();
        string clearText = Encoding.ASCII.GetString(decryptedData);
        return clearText;
    }
}

I'm not sure if I should post here in the Coldfusion forums or the C# forums, so I'll start here first.

Thanks,
Rick

  • 2 Contributors
  • 7 Replies
  • 490 Views
  • 19 Hours Discussion Span
  • Latest Post Latest Post by arrgh

Recommended Answers

All 7 Replies

Member Avatar for arrgh

decrypt(ToString(toBinary(strBase64Value)),"keycode")

If there are only 2 arguments, it's not AES. It defaults to a legacy algorithm called CFMX_COMPAT. Most CF apps don't use that anymore. I wouldn't bother trying to replicate it in c#. Better to decrypt and re-encrypt with whatever algorithm you plan to use in the new app. Anything beyond CF7 supports the standards aes, blowfish, etc...

Edited by arrgh because: spelling
Member Avatar for RickCJ7

I agree, I am not replicating it, but we have 7,000+ users using the old system in Coldfusion. I am implementing a function that would update the old stored password from Coldfusion into a newer and more secured method of storing passwords, rather than asking everyone to create a new username/password again.

Member Avatar for arrgh

Well I was suggesting you do a one time convert on the CF side instead of trying to figure out how to replicate an outdated algorithm in .net. It's only 2 or 3 lines of CF in a loop.

  `decryptedString = decrypt(oldString, "oldKey);`
     `reEncrypted = encrypt(decryptedString, "key", "AES", ...)`
Edited by arrgh
Member Avatar for RickCJ7

I'm no Coldfusion expert but that is what I thought of doing. I probably can google looping in CF and figure it out. Thanks.

Member Avatar for arrgh

In theory it's a single query to get the old values:

<cfquery name="getUsers" datasource="yourDSN">
      SELECT TheUniqueID, OldPassword
      FROM   UserTableName
</cfquery>

Then a query loop to generate the new password & update the database.

<!--- untested --->
<cfloop query="getUsers">
   <cfset decryptedString = decrypt(oldPassword, "oldKey)>
   <cfset reEncrypted = encrypt(decryptedString, "newAESkey", "AES/ECB/PKCS5Padding", "base64")>
    <cfquery name="updateUsers" datasource="yourDSN">
          UPDATE UserTableName 
          SET    NewPassword = <cfqueryparam value="#reEncrypted#" cfsqltype="cf_sql_varchar">
          <!--- assumes unique ID is integer  --->
          WHERE  TheUniqueID = <cfqueryparam value="#TheUniqueID#" cfsqltype="cf_sql_integer">
    </cfquery>

</cfloop>

Until you're sure everything's working ok, I'd keep the old password around in a separate column. Since it's a lot of db updates, you may need to increase the page timeout ie yourpage.cfm?requesttimeout=7000. Normally I'd do it in batches, but it's not worth it for a one time script.

Edited by arrgh
Member Avatar for RickCJ7

That looks pretty straight-forward. I'll give that a shot in our test environment. Appreciate it!

Member Avatar for arrgh

You're welcome.

I doubt you'll have any problems. CF is pretty intuitive. But if you do, post back.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.