
I have a Coldfusion page that includes a section of code that encrypts a variable like this:

<cfset data64 = toBase64(key)>
<cfset encryptedID = encrypt(getUser.ID, data64, "BLOWFISH", "Base64")>

We're moving the site to a .NET-based CMS, and I need to convert this page to C#, but I'm running into trouble.

I've successfully converted the first line to this:

byte[] keyBytes = System.Text.Encoding.UTF8.GetBytes(key);
string keyBase64 = System.Convert.ToBase64String(keyBytes);

I've also added the blowfish.cs class found at https://defuse.ca/blowfish.htm, but I'm a little fuzzy on how to use this with the key (and whether I want to be using ECB, CBC, or CTR). I'm also not sure what the analog is to using the base64 encoding in Coldfusion... this is what I'm currently trying, which is not producing the same results as the original code:

BlowFish b = new BlowFish(keyBase64);
byte[] idBytes = System.Text.Encoding.UTF8.GetBytes(thisUser["ID"].ToString());
byte[] idBytesEncrypted = b.Encrypt_ECB(idBytes);
string idBase64 = System.Convert.ToBase64String(idBytesEncrypted);

I don't have much experience with encryption in general, and the Coldfusion code was set up with the help of another developer who doesn't have C# experience. Any suggestions would be much appreciated. Thank you!

  • The code comments mention the key is expected to be in hex, rather than base64. However, despite running a few tests with a hex key, I still could not get the results to match exactly - close - but no cigar. Might be related to padding scheme. Granted, I did not look through the code too deeply, so it is possible I overlooked something obvious. – Leigh Jan 09 '15 at 03:04

1 Answer


You might want to try the BouncyCastle C# API. I ran a few tests, for POC, and it seemed to produce the same results as your CF code.

A few things to keep in mind: If you read Strong Encryption in ColdFusion it explains that ColdFusion uses ECB mode and PKCS5Padding by default. So when specifying the shorthand Blowfish, you are actually saying use Blowfish/ECB/PKCS5Padding. In order to duplicate the encryption in C# (or any language), you must use those same settings.

There does not seem to be a lot of documentation for the C# port, but from what I can tell the BlowfishEngine defaults to ECB mode. So if you wrap it in a PaddedBufferedBlockCipher the result should be PKCS5 padded. That should give you the same result as your CF code:

    using System;
    using System.Text;
    using Org.BouncyCastle.Crypto.Engines;     // BlowfishEngine
    using Org.BouncyCastle.Crypto.Paddings;    // PaddedBufferedBlockCipher
    using Org.BouncyCastle.Crypto.Parameters;  // KeyParameter

    byte[] inputBytes = System.Text.Encoding.UTF8.GetBytes(userIDString);
    // the CF code passes toBase64(key); encrypt() decodes that back to the raw key bytes,
    // so the C# side must feed BouncyCastle the decoded bytes, not the base64 string
    byte[] keyBytes = System.Convert.FromBase64String(keyInBase64);

    // initialize for ECB mode and PKCS5/PKCS7 padding (BouncyCastle's defaults here)
    PaddedBufferedBlockCipher cipher = new PaddedBufferedBlockCipher(new BlowfishEngine());
    KeyParameter param = new KeyParameter(keyBytes);
    cipher.Init(true, param);   // true = encrypt, false = decrypt

    // encrypt and encode as base64
    byte[] encryptedBytes = cipher.DoFinal(inputBytes);
    string idBase64 = System.Convert.ToBase64String(encryptedBytes);

NB: I am not an expert on encryption, but will say that use of "ECB" mode is discouraged. See wiki for a good illustration of why. So you should seriously consider choosing a different mode.

  • Thank you so much, that worked perfectly! I was starting to wonder if it had something to do with padding, but I'm sure I would have been bogged down in that for a while, and you saved me much time and aggravation. This code is part of an sso that we developed in conjunction with a third party, and they were actually the ones who suggested this method. What you said about discouraging ECB mode makes a lot of sense though, so I'll bring that up with them and see if we can adjust things. – user3562286 Jan 09 '15 at 17:09
  • (Edit) Glad it helped. I got the impression it was something more than *just* a padding difference, but did not have time to explore it further. With regard to ECB, my theory is people recommend it for two reasons: 1) They know better and are just using it as a simple example for others. Since it has less moving pieces it is a little easier to follow OR 2) They are not aware there is any difference. – Leigh Jan 09 '15 at 21:57
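The answer above shows only the encrypt half of the ColdFusion-compatible ECB path. The following is an added example (not code from the question, the answer, or BouncyCastle's own documentation) that rounds it out: an ECB encrypt/decrypt pair matching the legacy `encrypt(value, key, "BLOWFISH", "Base64")` format, a demonstration of the block-repetition leak that is the reason ECB is discouraged, and a CBC variant with a random IV prepended to the ciphertext as the replacement to discuss with the SSO partner. The class and method names are hypothetical, and the 16-byte key is a constructed sample; the BouncyCastle types used (`BlowfishEngine`, `CbcBlockCipher`, `PaddedBufferedBlockCipher`, `Pkcs7Padding`, `KeyParameter`, `ParametersWithIV`, `SecureRandom`) are the library's own.

```csharp
using System;
using System.Text;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Paddings;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;

// Hypothetical helper class written for this example; the names are not from
// the original answer or from ColdFusion.
public static class CfBlowfishCompat
{
    private const int BlockSize = 8; // Blowfish block size in bytes

    // Equivalent of ColdFusion encrypt(value, keyBase64, "BLOWFISH", "Base64"):
    // Blowfish/ECB/PKCS5Padding, Base64 output. Keep only for legacy interop.
    public static string EncryptEcb(string plaintext, byte[] rawKey)
    {
        var cipher = new PaddedBufferedBlockCipher(new BlowfishEngine(), new Pkcs7Padding());
        cipher.Init(true, new KeyParameter(rawKey));
        byte[] ct = cipher.DoFinal(Encoding.UTF8.GetBytes(plaintext));
        return Convert.ToBase64String(ct);
    }

    // Equivalent of ColdFusion decrypt(value, keyBase64, "BLOWFISH", "Base64").
    // DoFinal throws InvalidCipherTextException if the PKCS5 padding is wrong.
    public static string DecryptEcb(string base64Ciphertext, byte[] rawKey)
    {
        var cipher = new PaddedBufferedBlockCipher(new BlowfishEngine(), new Pkcs7Padding());
        cipher.Init(false, new KeyParameter(rawKey));
        byte[] pt = cipher.DoFinal(Convert.FromBase64String(base64Ciphertext));
        return Encoding.UTF8.GetString(pt);
    }

    // Blowfish/CBC/PKCS5Padding with a fresh random IV per message. The IV is not
    // secret; it is prepended to the ciphertext so the receiver can recover it.
    public static string EncryptCbc(string plaintext, byte[] rawKey)
    {
        byte[] iv = new byte[BlockSize];
        new SecureRandom().NextBytes(iv);

        var cipher = new PaddedBufferedBlockCipher(new CbcBlockCipher(new BlowfishEngine()), new Pkcs7Padding());
        cipher.Init(true, new ParametersWithIV(new KeyParameter(rawKey), iv));
        byte[] ct = cipher.DoFinal(Encoding.UTF8.GetBytes(plaintext));

        byte[] ivAndCt = new byte[iv.Length + ct.Length];
        Buffer.BlockCopy(iv, 0, ivAndCt, 0, iv.Length);
        Buffer.BlockCopy(ct, 0, ivAndCt, iv.Length, ct.Length);
        return Convert.ToBase64String(ivAndCt);
    }

    public static string DecryptCbc(string base64IvAndCiphertext, byte[] rawKey)
    {
        byte[] ivAndCt = Convert.FromBase64String(base64IvAndCiphertext);
        if (ivAndCt.Length < 2 * BlockSize)
            throw new ArgumentException("input too short to hold an IV plus one padded block");

        byte[] iv = new byte[BlockSize];
        byte[] ct = new byte[ivAndCt.Length - BlockSize];
        Buffer.BlockCopy(ivAndCt, 0, iv, 0, BlockSize);
        Buffer.BlockCopy(ivAndCt, BlockSize, ct, 0, ct.Length);

        var cipher = new PaddedBufferedBlockCipher(new CbcBlockCipher(new BlowfishEngine()), new Pkcs7Padding());
        cipher.Init(false, new ParametersWithIV(new KeyParameter(rawKey), iv));
        return Encoding.UTF8.GetString(cipher.DoFinal(ct));
    }

    public static void Main()
    {
        // Constructed sample key: the raw bytes 0x00..0x0F, Base64-encoded the way
        // the ColdFusion page hands its key to encrypt() via toBase64(key).
        string keyBase64 = "AAECAwQFBgcICQoLDA0ODw==";
        byte[] rawKey = Convert.FromBase64String(keyBase64);

        // Legacy path: must round-trip, and must match what the CF side produces.
        string ecb = EncryptEcb("12345", rawKey);
        Console.WriteLine("ECB: " + ecb + " -> " + DecryptEcb(ecb, rawKey));

        // Why ECB is discouraged: two identical 8-byte plaintext blocks encrypt to two
        // identical ciphertext blocks, so equal values and repeated structure show through.
        byte[] repeated = Convert.FromBase64String(EncryptEcb("ABCDEFGHABCDEFGH", rawKey));
        bool leaks = BitConverter.ToString(repeated, 0, BlockSize) == BitConverter.ToString(repeated, BlockSize, BlockSize);
        Console.WriteLine("ECB repeats ciphertext blocks: " + leaks);

        // CBC with a random IV: the same input encrypts differently on every call.
        string cbc1 = EncryptCbc("ABCDEFGHABCDEFGH", rawKey);
        string cbc2 = EncryptCbc("ABCDEFGHABCDEFGH", rawKey);
        Console.WriteLine("CBC differs per call: " + (cbc1 != cbc2) + ", round trip: " + DecryptCbc(cbc1, rawKey));
    }
}
```

Two things to settle with the other side before switching modes: ColdFusion's `encrypt()` takes an IV argument and the algorithm string would become "BLOWFISH/CBC/PKCS5Padding", so the IV-prepended layout above has to be agreed on explicitly, and CBC alone still gives no integrity check, so an SSO token built this way should additionally carry a MAC (or move to an authenticated mode and a modern 128-bit-block cipher) rather than rely on the PKCS5 padding check to detect tampering.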