patterncsharpMinor
Symmetrical encryption in C#
Viewed 0 times
encryptionsymmetricalstackoverflow
Problem
I'm trying to symmetrically encrypt some data using C#, and there seems to be a lot of misleading or incorrect information out there on the subject.
I created a project on GitHub to act as some sort of standard for encrypting and decrypting data in C#: Encryptamajig on Github
It would be great if you guys could review the code below for any security holes, but also, please check out the verbiage in the README on Github. I tried to do some research and be as accurate as possible, but I'm sure that there are some things I'm missing.
If you do find anything, don't hesitate to send me a pull request.
```
namespace Encryptamajig
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using System.Diagnostics;
using System.IO;
///
/// A simple wrapper to the AesManaged class and the AES algorithm.
/// To create a new Key and IV simple "new up" an AesManaged object and grab the Key and IV from that.
/// Make sure to save the Key and IV if you want to decrypt your data later!
///
public class AesEncryptamajig
{
public static byte[] EncryptStringToBytes(string plainText, byte[] key, byte[] iv)
{
// Check arguments.
if (string.IsNullOrEmpty(plainText))
throw new ArgumentNullException("plainText");
if (key == null || key.Length <= 0)
throw new ArgumentNullException("key");
if (iv == null || iv.Length <= 0)
throw new ArgumentNullException("iv");
MemoryStream memoryStream = null;
AesManaged aesAlg = null;
try
{
// Create the encryption algorithm object with the specified key and IV.
aesAlg = new AesManaged();
aesAlg.Key = key;
aesAlg.IV = iv;
// Create an encryptor to perform the stream transform.
I created a project on GitHub to act as some sort of standard for encrypting and decrypting data in C#: Encryptamajig on Github
It would be great if you guys could review the code below for any security holes, but also, please check out the verbiage in the README on Github. I tried to do some research and be as accurate as possible, but I'm sure that there are some things I'm missing.
If you do find anything, don't hesitate to send me a pull request.
```
namespace Encryptamajig
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using System.Diagnostics;
using System.IO;
///
/// A simple wrapper to the AesManaged class and the AES algorithm.
/// To create a new Key and IV simple "new up" an AesManaged object and grab the Key and IV from that.
/// Make sure to save the Key and IV if you want to decrypt your data later!
///
public class AesEncryptamajig
{
public static byte[] EncryptStringToBytes(string plainText, byte[] key, byte[] iv)
{
// Check arguments.
if (string.IsNullOrEmpty(plainText))
throw new ArgumentNullException("plainText");
if (key == null || key.Length <= 0)
throw new ArgumentNullException("key");
if (iv == null || iv.Length <= 0)
throw new ArgumentNullException("iv");
MemoryStream memoryStream = null;
AesManaged aesAlg = null;
try
{
// Create the encryption algorithm object with the specified key and IV.
aesAlg = new AesManaged();
aesAlg.Key = key;
aesAlg.IV = iv;
// Create an encryptor to perform the stream transform.
Solution
I wouldn't have the IV passed in either routine. There is two much potential for it to be used incorrectly. I've seen lots of examples out there which will either reuse the IV all the time or just use the same IV per Key. If your IV is predictable there are possible exploits for an adversary to get your plain text, such as a padding oracle since your above uses CBC.
The best practice would be to use
The best practice would be to use
aesAlg.GenerateIV() and then prepend the iv to the cipher text. When you decrypt you just read that block out first before you decrypt the rest.Context
StackExchange Code Review Q#8452, answer score: 6
Revisions (0)
No revisions yet.