4
votes

We are having difficulty decrypting a string in ColdFusion that was previously encrypted with 3DES and C#. Here is the code we used to encrypt the string initially:

    public static string EncryptTripleDES(string plaintext, string key)
    {
    TripleDESCryptoServiceProvider DES = new TripleDESCryptoServiceProvider();
    MD5CryptoServiceProvider hashMD5 = new MD5CryptoServiceProvider();
    DES.Key = hashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(key));
    DES.Mode = CipherMode.ECB;
    ICryptoTransform DESEncrypt = DES.CreateEncryptor();
    byte[] Buffer = ASCIIEncoding.ASCII.GetBytes(plaintext);

    string EncString = Convert.ToBase64String(DESEncrypt.TransformFinalBlock(Buffer, 0, Buffer.Length));
    EncString = EncString.Replace("+", "@@12");

    return EncString;
    }

We have tried using the suggestions here:

TripleDES Encryption - .NET and ColdFusion not playing nice

..with no luck. Here is our CF code and the error:

  <cfset variables.theKey = "blahblah" />
  <cfset variables.theAlgorithm = "DESede/CBC/PKCS5Padding">
  <cfset variables.theEncoding = "Base64">
  <cfset strTest = decrypt(#DB.PASSWORD#, variables.theKey, variables.theAlgorithm, variables.theEncoding)>

Error returned: An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string "blahblah"

So, it looks like it's trying to decrypt the key and not the string, but that's not how the decrypt function is outlined in ColdFusion. Any ideas?

UPDATE: Attempted to use the following CF code, but the error returned is still "An error occurred while trying to encrypt or decrypt your input string: Given final block not properly padded."

<cfset dbPassword  = "Hx41SYUrmnFPa31QCH1ArCHN1YOF8IAL">
<cfset finalText   = replace(dbPassword, "@@12", "+", "all")>
<cfset theKey      = "abcdefgh">
<cfset theKeyInBase64 = toBase64(theKey)>
<cfset hashedKey   = hash( theKeyInBase64, "md5" )>
<cfset padBytes    = left( hashedKey, 16 )>
<cfset keyBytes    = binaryDecode( hashedKey & padBytes , "hex" )>
<cfset finalKey    = binaryEncode( keyBytes, "base64" )>
<cfset decrypted = decrypt( finalText, finalKey, "DESede/ECB/PKCS5Padding", "base64" )>
Decrypted String: <cfdump var="#decrypted#">

UPDATE:

The solution if you follow the comments was to change:

<cfset hashedKey   = hash( theKeyInBase64, "md5" )>

To:

<cfset hashedKey   = hash( theKey, "md5" )>

The final code is this:

<cfset dbPassword  = "Hx41SYUrmnFPa31QCH1ArCHN1YOF8IAL">
<cfset finalText   = replace(dbPassword, "@@12", "+", "all")>
<cfset theKey      = "abcdefgh">
<cfset hashedKey   = hash( theKey, "md5" )>
<cfset padBytes    = left( hashedKey, 16 )>
<cfset keyBytes    = binaryDecode( hashedKey & padBytes , "hex" )>
<cfset finalKey    = binaryEncode( keyBytes, "base64" )>
<cfset decrypted = decrypt( finalText, finalKey, "DESede/ECB/PKCS5Padding", "base64" )>
Decrypted String: <cfdump var="#decrypted#">
1
DESede/CBC/PKCS5Padding is not a valid algorithm. If you have ColdFusion Standard Edition installed then you have the following available to you, CFMX_COMPAT, AES, BLOWFISH, DES and DESEDE. If you have Enterprise then you additionally have DES-EDE, DESX, RC2, RC4, RC5 and PBE. So I would try DESEDE instead.baynezy
If that doesn't work then try encrypting it in CF and see if that creates the same as the C# as sometimes these issues are white space or capitalisation, as the algorithms are definitely the same as I have got C# and CF to communicate encrypted strings many times.baynezy
When we substitute in DESEDE we get the exact same error unfortunately.Rob Lauer
@baynezy - "DESede/CBC/PKCS5Padding" is perfectly valid. CF allows either algorithm name alone, or algorithm + feedback mode + padding scheme.Leigh

1 Answers

6
votes

Looks like there a few extra twists in your c# function you need to handle to achieve compatibility:

  1. The .NET function modifies the encrypted string. You need to reverse those changes so decrypt will recognize it as valid base64:

    <!--- reverse replacements in encrypted text ie #DB.Password# --->
    <cfset dbPassword = "uAugP@@12aP4GGBOLCLRqxlNPL1PSHfTNEZ">
    <cfset finalText = replace(dbPassword, "@@12", "+", "all")>
    
  2. The function also uses a hash which creates a 16 byte key. CF/java require a 24 byte key for that algorithm. So you must first hash the key and pad it to the proper length. Otherwise, decrypt() will complain the key is too small.

    Note: CF also expects the final key to be base64 encoded. The error Can not decode string "blahblah" suggests your input key is not in base64.

    <!--- hash and pad the key (ie "blahblah"), then convert to base64 for CF --->
    <cfset theKeyInBase64 = "rpaSPvIvVLlrcmtzPU9/c67Gkj7yL1S5">
    <cfset hashedKey   = hash( theKeyInBase64, "md5" )>
    <cfset padBytes    = left( hashedKey, 16 )>
    <cfset keyBytes    = binaryDecode( hashedKey & padBytes , "hex" )>
    <cfset finalKey    = binaryEncode( keyBytes, "base64" )>
    
  3. Finally, the feedback modes must match. Since the .NET code uses the less secure ECB mode, the CF code must use that mode as well.

    <!--- .net code uses the less secure ECB mode --->
    <cfset decrypted = decrypt( finalText, finalKey, "DESede/ECB/PKCS5Padding", "base64" )>
    Decrypted String: <cfdump var="#decrypted#">
    
  4. One other issue to watch out for is encoding. In CF, encrypt/decrypt always interpret the input string as UTF8, whereas the .NET function uses ASCII. For full compatibility, both sides should use the same encoding, in this case UTF8.


Update:

I tested the above with an arbitrary 8 character key (instead of a base64 string) and CF9 still decrypted the string properly.

// .NET Code
String text = "some text to encrypt";
String key = "abcdefgh";
String encrypted = EncryptTripleDES(text, key);
// result: encrypted=Hx41SYUrmnFPa31QCH1ArCHN1YOF8IAL
Console.WriteLine("encrypted={0}", encrypted);

<!--- same code, only the encrypted text and key changed ---> 
<cfset dbPassword  = "Hx41SYUrmnFPa31QCH1ArCHN1YOF8IAL">
<cfset finalText   = replace(dbPassword, "@@12", "+", "all")>
<cfset theKey      = "abcdefgh">
<cfset hashedKey   = hash( theKey, "md5" )>
....