Coldfusion Encryption and Perl Decryption

Question

I have a situation where I need to encrypt content in Coldfusion and then decrypt in Perl. Here's a sample Coldfusion code:

<cfscript>
  input = "Amidst the roar of liberated Rome, Of nations freed, and the world overjoy'd";
  encryptionKey = "8kbD1Cf8TIMvm8SRxNNfaQ==";
  encryptedInput = encrypt( input, encryptionKey, "AES/ECB/PKCS5Padding", "hex" );
  writeOutput( "Encrypted Input: #encryptedInput# <br />" );
</cfscript>

This produces:

27B0F3EB1286FFB462BDD3F14F5A41724DF1ED888F1BEFA7174CA981C7898ED2EF841A15CDE4332D030818B9923A2DBA0C68C8352E128A0744DF5F9FA955D3C72469FEFDAE2120DE5D74319ED666DDD0

And the Perl:

use 5.24.1;
use Crypt::ECB qw(encrypt_hex);

my $input = "Amidst the roar of liberated Rome, Of nations freed, and the world overjoy'd";
my $encryption_key = "8kbD1Cf8TIMvm8SRxNNfaQ==";
my $encrypted_input = encrypt_hex($encryption_key, 'Rijndael', $input);
say $encrypted_input;

This produces:

e220ff2efe5d41e92237622ba969f35158d20e2c9c44995d44136d928d517462980321d4d6193fe62dc942fd717128442972524207777366954e5ceb2d1812ac997e06767a27d6a0145176d717c3836b

Why is the encrypted content different? Does anyone have any insights into this?

Next, ColdFusion uses your base64 key as a literal string value and not a base64 value. As @mob noted below, PERL is decoding the base64 encryption key. — WilGeno, Jan 10 '19 at 01:36
For the ColdFusion code, "AES/ECB/PKCS5Padding" is not a documented encryption type for the encrypt() in ColdFusion. Though using this value, ColdFusion does use AES. (AES: NIST FIPS-197) Here's a list of valid parameters in ColdFusion for encrypt() https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encrypt.html — WilGeno, Jan 10 '19 at 01:39
@WilGeno - Actually it is the opposite :-). CF *does* treat it as base64 encoded. PERL does not. Also, though the latest CF docs don't enumerate all of the types, AES/ECB/PKCS5Padding is valid for the underlying java lib. It used to be documented somewhere in the old Adobe docs. Can't recall where though. — SOS, Jan 10 '19 at 01:47
Note that your code uses seriously broken encryption since you don't use an IV (which should be completely random each time) — ikegami, Jan 10 '19 at 03:43
True. Like @ikegami suggested, you should use CBC and a different IV each time for better security. — SOS, Jan 10 '19 at 15:19
See for details https://stackoverflow.com/questions/1220751/how-to-choose-an-aes-encryption-mode-cbc-ecb-ctr-ocb-cfb#22958889 — SOS, Jan 10 '19 at 18:37

mob · Accepted Answer · 2019-01-09T23:26:03.117

2

Your encryption key is base64 encoded, but Crypt::ECB expects a raw byte string (this isn't clear from the docs, though).

use Convert::Base64;
...

my $encryption_key = decode_base64("8kbD1Cf8TIMvm8SRxNNfaQ==");
...

New output:

27b0f3eb1286ffb462bdd3f14f5a41724df1ed888f1befa7174ca981c7898ed2ef841a15cde4332d030818b9923a2dba0c68c8352e128a0744df5f9fa955d3c72469fefdae2120de5d74319ed666ddd0

edited Jan 09 '19 at 23:26

answered Jan 09 '19 at 22:51

mob

117,087
18
149
283

@DonJuanInHeaven - Also note, CF always returns hex in upper case. Though both should decode to the same value. – SOS Jan 10 '19 at 01:43
Thank you @mob, that was indeed the problem. – Don Juan in Heaven Jan 10 '19 at 15:12
@mob - I'm not famliar with Perl. Does it support CBC mode too, like ikegami mentioned above? – SOS Jan 10 '19 at 20:15

Coldfusion Encryption and Perl Decryption

1 Answers1