views:

227

answers:

4

Hello, I have a password hash that is stored in a table and is put there by the following ColdFusion script:

#Hash(Encrypt(Form.UserPassword,GetSiteVars.EnCode))#

I am trying to add some outside functionality within a C# application. I would like to be able to take advantage of the data that already exists so that I can authenticate users. Does anyone know how I can replicate the above ColdFusion code in C#?

Thanks for any thoughts.

+3  A: 

MD5 is the default hashing algorithm for hash(). I'm not a C# programmer, but it shouldn't be too hard to create an MD5 hash to compare to your ColdFusion result.

As for encrypt(), is there a reason you're encrypting the username before hashing it? I can't think of any benefit to doing this, but that doesn't mean there isn't one. I would simply do:

Hash( UCase( GetPass.username ) )

Which should be easier to replicate in C#.

mwc
I agree, the encryption is trivial, at best.
Ian P
But, his data already includes it, so he's looking for an answer where he can utilize his already "encrypted" data.
Edward M Smith
yeah - the data is already there, so I am just trying to use it.
czuroski
+1  A: 

One of the solutions would be to have the DB do the hashing and encryption, could be easier...

intnick
yeah - that would be easier. unfortunately, I didn't write the initial application, and don't want to change it.
czuroski
+2  A: 

The default "encryption" in CF is simply an XOR:

ciphertext = base64_encode(plaintext ^ key)

So, to decrypt:

plaintext = base64_decode(ciphertext) ^ key

The default hash, as mentioned, is md5.

Edit:

Well, further research shows this is not true - just one of those pervasive myths.

I can't find any documentation of the actual algorithm for the CFMX_COMPAT encryption method.

Sorry about the wild goose chase.

Edward M Smith
I guess it all boils down to the value of the variable `EnCode`.
mwc
Right, that's just the key. I'm sure the OP has access to it in his CF source code.
Edward M Smith
I can't seem to get this to match up. I tried narrowing it down on a test CF page to just do the encrypt (and ignore the hash), but I still can't get the encrypted CF value to match up to my encrypted C# value. I used a straight base64 encrypt in my C# app. I saw somewhere that CF also performs a uuencode as part of the encryption - is there any truth to this?
czuroski
You're doing the XOR in the C#, and not getting the same result?
Edward M Smith
+2  A: 

To build on the answer by Edward Smith, and the follow-up comments by czuroski, here is my solution.

First, you need an XOR function in C#, which I've taken from here and modified slightly.

using System;
using System.Collections.Generic;
using System.Text;

namespace SimpleXOREncryption
{
    public static class EncryptorDecryptor
    {
        // XOR every character of the input with the integer key.
        // Because XOR is its own inverse, the same call both encrypts and decrypts.
        public static string EncryptDecrypt(string textToEncrypt, int key)
        {
            StringBuilder inSb = new StringBuilder(textToEncrypt);
            StringBuilder outSb = new StringBuilder(textToEncrypt.Length);
            char c;
            for (int i = 0; i < textToEncrypt.Length; i++)
            {
                c = inSb[i];
                c = (char)(c ^ key);   // flip the bits of this character that are set in the key
                outSb.Append(c);
            }
            return outSb.ToString();
        }
    }
}

Then, take the result of the XOR and base-64 encode it. After you have that string, MD5 hash it. The result should match the result from the original code snippet:

#Hash(Encrypt(Form.UserPassword,GetSiteVars.EnCode))#
Adam Tuttle
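The three steps this answer describes (XOR with an integer key, Base64-encode the result, MD5 the Base64 string), carried through end to end with a verification routine, as an added example that is not code from the thread. The key value 42, the sample password and the `CfCompatHash` class name are constructed for illustration; the byte encoding applied before Base64 (Latin-1 here) is an assumption, since the answer does not state one. As the later comments in this thread record, ColdFusion turns a string key into an integer seed in an undocumented way, so a match against real CFMX_COMPAT output is not guaranteed by this pipeline alone.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: Hash(Encrypt(password, key)) as the answer above describes it,
// i.e. XOR -> Base64 -> MD5. Not the page's or ColdFusion's own code.
public static class CfCompatHash
{
    // Step 1: XOR each character with the integer key (same operation as the
    // EncryptDecrypt function in the answer; XOR is its own inverse).
    public static string XorWithKey(string text, int key)
    {
        var sb = new StringBuilder(text.Length);
        foreach (char c in text)
            sb.Append((char)(c ^ key));
        return sb.ToString();
    }

    // Step 2: Base64-encode the XORed characters. Assumption: one byte per
    // character (ISO-8859-1), so XOR results above 0x7F are not expanded
    // the way UTF-8 would expand them.
    public static string XorBase64(string plaintext, int key)
    {
        string xored = XorWithKey(plaintext, key);
        byte[] bytes = Encoding.GetEncoding("iso-8859-1").GetBytes(xored);
        return Convert.ToBase64String(bytes);
    }

    // Step 3: MD5 of the Base64 string, returned as upper-case hex.
    public static string Md5Hex(string input)
    {
        using (var md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(input));
            var hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
                hex.Append(b.ToString("X2"));
            return hex.ToString();
        }
    }

    // The full pipeline: Hash(Encrypt(password, key)).
    public static string HashEncrypted(string password, int key)
    {
        return Md5Hex(XorBase64(password, key));
    }

    // Compare a stored hex digest against a freshly computed one without an
    // early exit on the first differing character, and case-insensitively,
    // since the stored value may be upper- or lower-case hex.
    public static bool Verify(string storedHash, string password, int key)
    {
        string computed = HashEncrypted(password, key);
        if (storedHash.Length != computed.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < computed.Length; i++)
            diff |= char.ToUpperInvariant(storedHash[i]) ^ computed[i];
        return diff == 0;
    }

    public static void Main()
    {
        const int key = 42;                        // constructed placeholder for GetSiteVars.EnCode
        const string password = "correct horse";   // constructed sample input
        string stored = HashEncrypted(password, key);
        Console.WriteLine("stored digest: " + stored);
        Console.WriteLine("right password verifies: " + Verify(stored, password, key));
        Console.WriteLine("wrong password verifies: " + Verify(stored, "wrong password", key));
    }
}
```

`Verify` is the piece worth keeping even if the key derivation has to be replaced: it compares the whole digest before deciding, and it normalises case so a stored upper-case ColdFusion digest still matches. An unsalted MD5 of a password (with or without the XOR step) offers no protection against precomputed lookups, which is the practical reason the comments above suggest dropping the encryption step rather than reproducing it.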
Thanks - I have tried this but it still isn't working. Actually, the key that I have is actually a string - not an int, so I don't know if that is throwing it off, or if I have to use the key for the base-64 encoding. to base-64 encode it, am I able to simply use Convert.ToBase64String, or not?
czuroski
According to the [docs](http://goo.gl/zGbJ), the string passed in is used as a random seed to generate the integer key value. Unfortunately, I don't have any more information on exactly how it gets that value. If I were in your shoes, I might consider (1) removing the encryption from existing passwords (simple enough with a one-time script), and (2) rewriting the existing CF code to no longer use encryption. Hashing is sufficient, and encryption is wasting cpu in this case, in my opinion.
Adam Tuttle
yeah - I agree that it is wasting cpu, but this is a supported application and I am not able to change that right now. So I have to attempt to decrypt it myself, but have been having no luck.
czuroski
If you really have to do this, take a look at the Railo source code (and licensing info). It has a CFMX_COMPAT algorithm you may be able to port to C#.
Leigh
Good idea, Leigh. @czuroski: The download link for Railo Open Source (the source, not the binary) is [at the bottom of this page](http://www.getrailo.org/index.cfm/download/).
Adam Tuttle
I will check that out - thanks.
czuroski
For anyone reading, I emailed with czuroski offline and we did get a C# port of the Railo classes working.
Leigh
As Leigh stated above, he was able to help me get a port of the Railo classes working successfully.
czuroski