PHP MD5 Crypt equivalent in ColdFusion ?

Author:
Oli Rosenbladt
07/03/2009 06:33 AM

Hello,

I am trying to use CF to compare a password encrypted with MD5 in PHP using:

    crypt($password, $user_salt) // where user_salt is a 12-character string like "$1$ISzYi6zf$"

This results in a string like:

    "$1$ISzYi6zf$prff0mAKPVBHNKOlRradj1"

So far, nothing I have tried in CF has allowed me to "rebuild" the result 34-character string so that I can compare them to what's in the database, i.e. I am looking to take user input, add the known salt to it, and come up with a 34-character string in order to compare them.

Many thanks for any insights!

Oli

Author:
James Holmes
07/03/2009 07:14 AM

How did the cf hash() function's output differ from the PHP one?

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Author:
Oli Rosenbladt
07/03/2009 08:40 AM

The CF and PHP hash functions of the same string actually return the same result; it's in combination with the salt that the string changes substantially.

Author:
Tom Chiverton
07/03/2009 08:14 AM

> So far, nothing I have tried in CF has allowed me to "rebuild" the result
> 34-character string so that I can compare them to what's in the database,
> ie.

You'll have to find out how PHP combines the input with the salt (append ? prepend ? XOR ? ... ?) and do that before calling CF's hash().

--
Helping to vitalistically morph fifth-generation intuitive advanced killer e-services as part of the IT team of the year, '09 and '08

****************************************************

This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners. We use the word "partner" to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

Author:
Oli Rosenbladt
07/03/2009 08:57 AM

When you look at the result of a PHP crypt(string,salt) function that uses MD5, the entire 12-character user salt ends up prepended to the resulting string, which is the one that ends up in the DB, and I am trying to rebuild/compare in CF.

So, in PHP:

    user password: sydney
    user salt: $1$ISzYi6zf$
    evaluates to: $1$ISzYi6zf$prff0mAKPVBHNKOlRradj1

in CF:

    hash('sydney','MD5')
    evaluates to: A8113A9B4F61B178CD1FEA4EFA5BF4C8

Any resources on MD5 and its particular flavors would be appreciated!

Thanks,
Oli

> You'll have to find out how PHP combines the input with the salt
> (append ? prepend ? XOR ? ... ?) and do that before calling CF's hash().

Author:
Tom Chiverton
07/03/2009 09:10 AM

> when you look at the result of a PHP crypt(string,salt) function that uses
> MD5, the entire 12-character user salt ends up prepended to the resulting
> string,

So what calculates the salt ?

--
Helping to appropriately deploy killer customized environments as part of the IT team of the year, '09 and '08

Author:
Oli Rosenbladt
07/03/2009 09:18 AM

On original input in the PHP system, the salt is generated by a unique, 8-digit user code, prepended by "$1$" and appended with "$" for the 12 digits necessary for MD5 encryption. The user code is stored in the database, so what I was hoping to do was take the user code, recreate the stored password by combining user input and the salt/user code, and compare the two strings.

> So what calculates the salt ?

Author:
James Holmes
07/03/2009 10:15 AM

You need to ask a PHP list how the crypt function applies the salt when MD5ing the input.

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Author:
Jochem van Dieten
07/05/2009 03:47 AM

> On original input in the PHP system, the salt is generated by a unique, 8-digit user code, prepended by "$1$" and appended with "$" for the 12 digits necessary for MD5 encryption.

There is no requirement for a salt being 12 bytes. What you are really seeing is the algorithm identifier being prepended and a separator appended per the Modular Crypt Format. The length of the hash is most likely caused by using a base64 representation with the trailing = dropped.

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/
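
Added example, not part of any post in this thread: a Python reference for the md5-crypt ("$1$") scheme that crypt() applies to a "$1$...$" salt, which runs 1000 MD5 rounds and encodes the digest with crypt's own 64-character alphabet, so a single hash() call cannot reproduce the stored string. The names md5_crypt and verify are chosen here for illustration; verify takes the salt from the stored value and compares in constant time.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """md5-crypt ("$1$"): salt is the raw salt (at most 8 bytes), without "$1$"."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    buf = password + b"$1$" + salt
    n = len(password)
    while n > 0:                      # mix in the alternate digest, 16 bytes at a time
        buf += alt[:min(n, 16)]
        n -= 16
    n = len(password)
    while n:                          # one byte per bit of the password length
        buf += b"\x00" if n & 1 else password[:1]
        n >>= 1
    digest = hashlib.md5(buf).digest()
    for i in range(1000):             # fixed 1000 stretching rounds
        a = password if i & 1 else digest
        b = salt if i % 3 else b""
        c = password if i % 7 else b""
        d = digest if i & 1 else password
        digest = hashlib.md5(a + b + c + d).digest()
    out = []
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    for x, y, z in groups:            # permuted bytes, 24 bits -> 4 characters
        v = digest[x] << 16 | digest[y] << 8 | digest[z]
        out += [ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[digest[11] & 0x3F], ITOA64[digest[11] >> 6]]
    return "$1$" + salt.decode("ascii") + "$" + "".join(out)

def verify(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt embedded in `stored`; constant-time compare."""
    parts = stored.split("$")         # expected shape: ['', '1', salt, hash]
    if not stored.isascii() or len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5_crypt(password.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))

if __name__ == "__main__":
    # Values quoted in the thread: password "sydney" and the stored string.
    print(verify("sydney", "$1$ISzYi6zf$prff0mAKPVBHNKOlRradj1"))
```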

