解密时C＃加密代码错误！

Question

A bit more background info as suggested: I'm finsihing of an Intranet CMS web app where I have to use the products API (ASP.NET based). Because of time constraints and issues with Windows authen' I need another way to ensure staff do not need to re login everytime they visit the site to view personalised content. The way it works is that once a user logs in (username/password), a Session ID storing a new different Security context value is generated that is used to display the personalised content. The API login method called uses the username and password as parameters. The only way I can think of automatically logging in the next time the staff visits the site is by storing the password in a enrypted cookie and checking of its existing when the site is visited and then calling the API login method using the username and decrypted password cookie values.

Any other ideas as an alternative welcomed.

Mo

Hi, I'm using some code found on the web to encrypt and decrypt a password string. It encrypts fine but when it calls the code below to decrypt the string it throws the error " Length of the data to decrypt is invalid " How can I resolve this?

Thanks in advance.

Mo

System.Text.Encoding enc = System.Text.Encoding.ASCII;
            byte[] myByteArray = enc.GetBytes(_pword);


            SymmetricAlgorithm sa = DES.Create();
            MemoryStream msDecrypt = new MemoryStream(myByteArray);
            CryptoStream csDecrypt = new CryptoStream(msDecrypt, sa.CreateDecryptor(), CryptoStreamMode.Read);
            byte[] decryptedTextBytes = new Byte[myByteArray.Length];
            csDecrypt.Read(decryptedTextBytes, 0, myByteArray.Length);
            csDecrypt.Close();
            msDecrypt.Close();

            string decryptedTextString = (new UnicodeEncoding()).GetString(decryptedTextBytes);

Answer 1

A couple of things here...

1. You shouldn't encrypt passwords usually. You should hash them.

If you decide to continue down the road of encryption..

1. You are using the DES algorithm. This is considered insecure and flawed. I'd recommend looking at the AES algorithm.
2. Depending on how much data you are working with, the CryptoStream might be overkill.
3. Using the ASCII encoding can cause loss of data that isn't ASCII, like Cyrillic letters. The recommended fix is to use something else, like UTF8.

Here is an example:

string text = "Hello";
using (var aes = new AesManaged())
{
    var bytes = System.Text.Encoding.UTF8.GetBytes(text);
    byte[] encryptedBytes;
    using (var encrypt = aes.CreateEncryptor())
    {
        encryptedBytes = encrypt.TransformFinalBlock(bytes, 0, bytes.Length);
    }
    byte[] decryptedBytes;
    using (var decrypt = aes.CreateDecryptor())
    {
        decryptedBytes = decrypt.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
    }
    var decryptedText = System.Text.Encoding.UTF8.GetString(decryptedBytes);
    Console.Out.WriteLine("decryptedText = {0}", decryptedText);
}

This will use a random key every time. It is likely that you will need to encrypt some data, then decrypt it at a later time. When you create the AesManaged object, you can store the Key and IV property. You can re-use the same Key if you'd like, but different data should always be encrypted with a different IV (Initialization Vector). Where you store that key, is up to you. That's why hashing might be a better alternative: there is no key, and no need to worry about storing the key safely.

If you want to go down the hashing route, here is a small example:

var textToHash = "hello";
using (SHA1 sha = new SHA1Managed())
{
    var bytesToHash = System.Text.Encoding.UTF8.GetBytes(textToHash);
    var hash = sha.ComputeHash(bytesToHash);
    string base64hash = Convert.ToBase64String(hash);
}

This uses the SHA1 algorithm, which should work fine for passwords, however you may want to consider SHA256 .

The concept is simple: a hash will produce a (mostly) unique output for an input, however the output cannot be converted back to the input - it's destructive. Whenever you want to check if a user should be authenticated, check hash the password they gave you, and check it against the hash of the correct password. That way you aren't storing anything sensitive.

Answer 2

I've actually had this error before and it took me 3 days to figure out the solution. The issue will be the fact that the machine key you need for descryption needs to be registered on your machine itself.

Read fully up on DES encryption, it works by an application key, and a machine-level key. The error you're getting is likely because of the machine key missing.

Answer 3

Compare the bytes used to create the _pword string (in the encryption method) to the bytes retrieved with GetBytes. Probably you will notice a change in the data there.

To store the encrypted bytes, I think you should use Convert.ToBase64String and Convert.FromBase64String turn the encrypted password to/from a string.

I also do not see the code where you set the Key and IV. So I guess you are using a different key to encrypt and decrypt the password.

If the current Key property is null, the GenerateKey method is called to create a new random Key. If the current IV property is null, the GenerateIV method is called to create a new random IV.

Answer 4

DES is a block based cipher - only certain lengths of buffers are valid. If I remember correctly, the block size for DES is 64 bits, so you need to ensure that your byte array is a multiple of 8 bytes long.

(That should fix your immediate problem, but I'd reference other peoples advice here - you really ought not to be using DES for any new code, and for passwords it's usually more appropriate to hash than to encrypt).