Problem description
I have a database with user passwords that are encrypted via cfusion_encrypt(). I need to do a login alternative for the ColdFusion code in C#. Is there an easy way to emulate this in C#, so I will be able to compare encrypted values of user passwords and match them to the ColdFusion values?
Recommended answer
The poorly named cfusion_encrypt() is not encryption at all. It is an internal, legacy obfuscation algorithm, whose use is strongly discouraged.
Essentially it just XORs the bytes, similar to the method described here (ignore the mention of cfmx_compat, that is a different legacy algorithm). It extracts the bytes of a plain text string. It then pads the supplied key string to the same length, and again extracts the bytes. Finally it XORs the two byte arrays and encodes the result as hex:
// textBytes: bytes of the plain text; keyBytes: bytes of the key padded to the same length
// xor bytes
byte[] result = new byte[textBytes.Length];
for (int i = 0; i < textBytes.Length; i++) {
    result[i] = (byte)(textBytes[i] ^ keyBytes[i]);
}
// encode result as hex
String hexResult = BitConverter.ToString(result).Replace("-", "");
The cfusion_decrypt() function does essentially the same thing, only decoding the hex string into bytes first, and returns the "de-obfuscated" result as a plain string instead of hex.
Now you can see why its use is discouraged. As @MartyPine and others suggested, the better option is to have the CF side make a backup, then run the passwords through cfusion_decrypt and hash() them instead. Not only is it a better way to store passwords, it also has the benefit of being compatible with C#, or any other language that supports the standard algorithms.
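
The migration suggested above, as an added C# example that is not part of the original answer and is not ColdFusion's own code. It assumes UTF-8 bytes, that the key is padded by repeating it to the text length, .NET 6 or later, and salted PBKDF2 as the standard algorithm; the class and method names and the sample password and key are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LegacyPasswordMigration   // hypothetical names throughout
{
    // Assumption: the key is "padded" by repeating it; strings are read as UTF-8.
    static byte[] XorWithKey(byte[] data, string key)
    {
        byte[] keyBytes = Encoding.UTF8.GetBytes(key);
        if (keyBytes.Length == 0) throw new ArgumentException("key must not be empty");
        byte[] result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ keyBytes[i % keyBytes.Length]);
        return result;
    }

    public static string Obfuscate(string text, string key) =>
        BitConverter.ToString(XorWithKey(Encoding.UTF8.GetBytes(text), key)).Replace("-", "");

    public static string Deobfuscate(string hex, string key) =>
        Encoding.UTF8.GetString(XorWithKey(Convert.FromHexString(hex), key));

    // Salted PBKDF2 record "iterations.salt.hash" replaces the reversible value.
    public static string HashPassword(string password, int iterations = 600_000)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, 32);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split('.');
        if (parts.Length != 3) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, int.Parse(parts[0]), HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        string legacy = Obfuscate("correct horse", "k3y");          // constructed sample row
        string record = HashPassword(Deobfuscate(legacy, "k3y"));   // one-time migration step
        Console.WriteLine($"{legacy} -> {record}");
        Console.WriteLine(Verify("correct horse", record) && !Verify("wrong", record));
    }
}
```

Compare Obfuscate output against a few known rows from the ColdFusion database before migrating, since the padding and encoding assumptions decide whether the values match.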