ColdFusion - cfusion_encrypt() and cfusion_decrypt() - C# alternative

Question

I have a database with user passwords that are encrypted via cfusion_encrypt(). I need to do a login alternative for the ColdFusion code in C#. Is there any easy way to emulate this in C#, so I will be able to compare encrypted values of user passwords and match them to the ColdFusion values?

Recommended answer

The poorly named cfusion_encrypt() is not encryption at all. It is an internal, legacy obfuscation algorithm, whose use is strongly discouraged.

Essentially it just XORs the bytes, similar to the method described here (ignore the mention of cfmx_compat; that is a different legacy algorithm). It extracts the bytes of a plain text string, then pads the supplied key string to the same length and again extracts the bytes. Finally, it XORs the two byte arrays and encodes the result as hex:

 // textBytes: bytes of the plain text; keyBytes: bytes of the padded key (same length)
 // xor bytes
 byte[] result = new byte[textBytes.Length];
 for (int i = 0; i < textBytes.Length; i++) {
      result[i] = (byte)(textBytes[i] ^ keyBytes[i]);
 }
 // encode result as hex
 String hexResult = BitConverter.ToString(result).Replace("-", "");

The cfusion_decrypt() function does essentially the same thing, only it decodes the hex string into bytes first and returns the "de-obfuscated" result as a plain string instead of hex.

Now you can see why its use is discouraged. As @MartyPine and others suggested, the better option is to have the CF side make a backup, then run the passwords through cfusion_decrypt and hash() them instead. Not only is it a better way to store passwords, it also has the benefit of being compatible with C#, or any other language that supports the standard algorithms.
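The migration described in the answer, sketched as an added C# example (not code from the original answer or from ColdFusion): it reverses the XOR-and-hex obfuscation and re-stores each password as a salted hash that is then checked at login. Assumptions: the key is padded by repeating it cyclically, strings are ASCII-range and converted as UTF-8, .NET 6 or later is available, and PBKDF2 with a per-user salt stands in for the hash step, which the answer names only as hash(). The names `CfusionCompat`, `Rehash` and `Verify` and the sample key and password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CfusionCompat
{
    const int Iterations = 600_000; // PBKDF2 work factor chosen for this example

    // XOR each byte with the key; assumption: the key is padded by cyclic repetition.
    static byte[] Xor(byte[] data, string key)
    {
        if (string.IsNullOrEmpty(key)) throw new ArgumentException("empty key", nameof(key));
        byte[] keyBytes = Encoding.UTF8.GetBytes(key);
        byte[] result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ keyBytes[i % keyBytes.Length]);
        return result;
    }

    public static string Encrypt(string text, string key) =>
        Convert.ToHexString(Xor(Encoding.UTF8.GetBytes(text), key));

    public static string Decrypt(string hex, string key) =>
        Encoding.UTF8.GetString(Xor(Convert.FromHexString(hex), key));

    // Migration step: recover the plain text from the legacy value, store "salt:hash".
    public static string Rehash(string legacyHex, string key)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            Decrypt(legacyHex, key), salt, Iterations, HashAlgorithmName.SHA256, 32);
        return Convert.ToHexString(salt) + ":" + Convert.ToHexString(hash);
    }

    // Login check against the migrated value, compared in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        byte[] expected = Convert.FromHexString(parts[1]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, Convert.FromHexString(parts[0]),
            Iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        const string key = "constructed-key";          // constructed sample key
        string legacy = Encrypt("S3cret!", key);       // constructed legacy value
        string stored = Rehash(legacy, key);
        Console.WriteLine($"{legacy} -> {stored}");
        Console.WriteLine($"{Verify("S3cret!", stored)} / {Verify("wrong", stored)}");
    }
}
```

Before relying on `Decrypt` for a real migration, compare its output against a few values produced by the ColdFusion side, since the key padding and encoding here are assumptions.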
