An existing coldfusion website is to be converted to dot net.
In the coldfusion code, the password is hashed using its hash() function with no algorithm:
SomePassword = '#hash(fldPassword)#'
I found this document, saying the default encryption is
CFMX_COMPAT: Generates a hash string identical to that generated by
ColdFusion MX and ColdFusion MX 6.1 (default).
There are some articles actually telling me how to decrypt.
According to Macromedia, The ColdFusion Encrypt function uses an
XOR-based algorithm that utilizes a pseudo random 32-bit key based on
a seed passed by the user as a parameter to the function. The
resulting data is UUencoded.
You'll need to uudecode the encoded value first
http://www.eggheadcafe.com/printsear...asp?linkid=351
and then XOR it using the key it was encrypted with.
http://www.java2s.com/Code/CSharp/La...deamessage.htm
If you dont have the key - your wasting yuor time.
But, how to make it work? I don't think there is any key. All I can see is '#hash(fldPassword)#'. Please help. Thanks.
There are some articles actually telling me how to decrypt.
Hashing and encryption are not the same thing. Encryption can be reversed. You can recover the original value if you have the right key, etectera. Whereas hashing is a one way trip. Once hashed, the original value cannot be recovered. (Well .. in theory. Some of the weaker hashing algorithms have been broken.) So you cannot "decrypt" a hashed value. But you can duplicate the obfuscated result string.
I found this document, saying the default encryption is CFMX_COMPAT
Actually it refers to the default algorithm. However, I am not so sure that description is correct. (Edit: As Rasmus correctly points out, it does say the default is MD5) However, CF9/7 default to MD5 anyway. Even when the algorithm is CFMX_COMPAT. So in either case, a simple MD5 hash in C# would give you the same result.
ie These all produce identical results ie 098F6BCD4621D373CADE4E832627B4F6.
#hash("test")#
#hash("test", "cfmx_compat")#
#hash("test", "md5")#
If I read the documentation correctly, CFMX_COMPAT hashing is just MD5.
So:
byte[] hash = MD5.Create().ComputeHash(fldPassword);
It should be easy to verify if you have access to a ColdFusion installation.
Related
in my program I create a AES 128 encrypted key. To do so, first I use a masterkey, thats only written inside of the Code, I write that string directly through the AES 128 function. No var is set for that. After that I salt it with another uniq/random key.
My Question is, is there a safer way for masterkey? Would it be possible to extract that key from compiled program? Of course the Function for AES have to store the value in a string to handle it. Is there some sort of "best practice"?
I am implementing my own version of RSA-OAEP with SHA-256. I want to test it by comparing it to the output of the Cipher class in Java using RSA-OAEP and SHA-256. According to PKCS #1, RSA-OAEP requires a label, which by default is an empty string. However, I can't find a way to input a label in the built-in class. My implementation seems to work correctly for both encryption and decryption, but Cipher class produces different output. Is there a default label which the Cipher class uses?
What is called label L in PKCS1v2.1 RSAES-OAEP was called encoding parameters P in v2.0; see the description of pSourceAlgorithm in A.2.1. The Java API keeps the old terminology, presumably for compatibility, and the default is indeed an empty octet string, implemented in Java as a byte array of length 0. See https://docs.oracle.com/javase/7/docs/api/javax/crypto/spec/PSource.PSpecified.html . Note that even when P-call-me-L is empty, its hash which goes in DB before masking is not empty.
When you say 'different output', you do realize that OAEP is randomized (in a way that provably does not leak information to the adversary) and every encryption of the same plaintext should produce a unique ciphertext, but all of them should decrypt back to the same plaintext, right?
I would like to read Key value from a KEY/Data object of PKCS11 into a local variable.
I observe that Key is stored in CKA_VALUE of Key object.
Which is the ideal function to be used to get this value to my local variable?
I have used C_GetAttributeValue it but doesn't help.
Please guide me.
Thanks
Harsha
Private keys of assymmetric algorithms and symmetric keys usually can not be extracted from the hardware device. This is a protection measure. That's why you can't get the value.
There exist exceptions (some implementations allow you to add the key and explicitly mark it as not protected, in which case the key can be read later) but this reduces security and other user benefits, so this not popular.
In some implementation, if you set the CKA.CKA_SENSITIVE to false, yes you can read the value.
If CKA_EXTRACTABLE is set to CK_FALSE on a key then the value cannot be extracted using PKCS#11.
IF CKA_SENSITIVE is set to CK_TRUE then a key cannot be extracted in plain text.
However,
If CKA_EXTRACTABLE is CK_TRUE, and CKA_SENSITIVE is CK_FALSE the key can be extracted using CKA_VALUE.
If CKA_EXTRACTABLE is CK_TRUE, and CKA_SENSITIVE is CK_TRUE the key can be extracted by wrapping the key using C_WrapKey, then unwrapping the wrapped key outside the unit.
I use following class to encrypt/decrypt my texts.
http://code.google.com/p/iphonebits/source/browse/trunk/src/Encryption/NSData-AES.m?r=2
This works perfectly. But when I decrypt the encrypted text with an invalid key (any one other than encryption key) this returns some text and its not in the actual length of the decrypted text. What can be the reason (is this supposed to return nil)? Is this the better way? Does libraries supposed to return errors for invalid decryption keys? Is it a must or not?
Thank you
Well, the algorithm will not know if the key that you are providing is the right one. To know if the key is right the algorithm would have to have it's copy, which is unsafe. Although it could have the copy of it's hash, but that would still apply that the encryption and decryption algorithms would work for only one key. Your current decryption accepts the key and put's it to work in the decoding algorithm. The result should reflect the original text but if the key was wrong it will give you the text generated according to the wrong key. It's all working properly.
I have requests like
5|0|7|http://localhost:8080/testproject/|29F4EA1240F157649C12466F01F46F60|com.test.client.GreetingService|greetServer|java.lang.String|myInput1|myInput2|1|2|3|4|2|5|5|6|7|
I would like to know how GWT generates the md5 value 29F4EA1240F157649C12466F01F46F60? Is it based on the client ip and date? Can anyone point me to the correct code? I just find stuff regarding the history token, but that looks different to me.
OK, after some research I think I found the answer.
The keywords you should have been looking for are "strong name" (or "strongName") and/or permutation, since it seems that with the RPC request they send out the permuatation strong name (that MD5 hash), so that you can possibly distinguish on the server side from which permutation the request was send.
The core function is Util.computeStrongName, it computes an MD5 hash (d'oh) of the provided byte array, with the added catch:
/*
* Include the lengths of the contents components in the hash, so that the
* hashed sequence of bytes is in a one-to-one correspondence with the
* possible arguments to this method.
*/
From there, I tracked back to the linkers and then to PermutationResult which is feeding Util.computeStrongName via this function:
/**
* The compiled JavaScript code as UTF8 bytes.
*/
byte[][] getJs();
Eh, I hope that was at least a bit helpful ;) If this still doesn't answer your question (or you were looking for something different), try in trunk/user/src/com/google/gwt/user/client/rpc (start in RpcRequestBuilder.java).
As Igor said, GWT uses MD5 hashes of your application code to produce unique names for each permutation of each version of your application. The specific hash you referenced is a part of the GWT RPC request payload that identifies a .gwt.rpc serialization policy file on the server. That policy file says which Java objects can be serialized as part of the request, response, or thrown exceptions in the GWT RPC service.