The following encryption and decryption algorithms are called via PowerShell and in a SharePoint application page:

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    public static string Encrypt(string dataToEncrypt, string password, string salt)
    {
        AesManaged aes = null;
        MemoryStream memoryStream = null;
        CryptoStream cryptoStream = null;

        try
        {
            // PBKDF2 over the password and the caller-supplied salt (UTF-8 bytes), 10000 iterations
            Rfc2898DeriveBytes rfc2898 = new Rfc2898DeriveBytes(password, Encoding.UTF8.GetBytes(salt), 10000);

            aes = new AesManaged();
            // Key and IV are both read from the KDF output stream, so the same inputs always
            // give the same key, IV and therefore the same ciphertext
            aes.Key = rfc2898.GetBytes(32);
            aes.IV = rfc2898.GetBytes(16);

            memoryStream = new MemoryStream();
            cryptoStream = new CryptoStream(memoryStream, aes.CreateEncryptor(), CryptoStreamMode.Write);

            // AES-CBC with PKCS7 padding (the AesManaged defaults)
            byte[] data = Encoding.UTF8.GetBytes(dataToEncrypt);
            cryptoStream.Write(data, 0, data.Length);
            cryptoStream.FlushFinalBlock();

            return Convert.ToBase64String(memoryStream.ToArray());
        }
        finally
        {
            if (cryptoStream != null)
                cryptoStream.Close();

            if (memoryStream != null)
                memoryStream.Close();

            if (aes != null)
                aes.Clear();
        }
    }

Why does the encrypted string change? Is it related to the application domain?

onatm

2 Answers


When I run the question's code with the same data, password, and salt, it produces the same result each time. You should make sure the dataToEncrypt and the salt are the same each time; if even one byte changes, the rest of it changes.

However, that said, for semantic security that is not what you want. You want a random salt to make it harder to brute-force the password, and a random non-secret IV so that two identical plaintexts don't have the same ciphertext.

Here is an example of best practices for encrypting and decrypting strings, using the encryption algorithm's security features as they are designed. The SimpleEncryptWithPassword is analogous to what you are doing, although in the example the iterations for the derived key are variable, and for performance reasons you'd probably want to hard-code it.

jbtule
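The random-salt, random-IV scheme this answer recommends, written out as an added example (it is neither the question's code nor the linked library): a fresh salt and IV are generated on every call and stored in front of the ciphertext so that Decrypt can recover them, and the iteration count is hard-coded as suggested. It assumes a .NET version whose Rfc2898DeriveBytes constructor accepts a HashAlgorithmName (.NET Framework 4.7.2 / .NET Core 2.0 or later).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class PasswordCrypto
{
    // Hard-coded iteration count, as the answer suggests; raise it as your hardware allows.
    const int Iterations = 10000;
    const int SaltSize = 16, IvSize = 16, KeySize = 32;
    // PBKDF2 over the per-message salt; only the key comes from the KDF, the IV is random.
    static byte[] DeriveKey(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(KeySize);
    }
    // Output: Base64( salt(16) || IV(16) || AES-CBC ciphertext ); salt and IV are fresh per call,
    // so the same plaintext and password give a different string every time.
    public static string Encrypt(string plaintext, string password)
    {
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); rng.GetBytes(iv); }
        using (Aes aes = Aes.Create())
        using (ICryptoTransform enc = aes.CreateEncryptor(DeriveKey(password, salt), iv))
        using (MemoryStream ms = new MemoryStream())
        {
            ms.Write(salt, 0, salt.Length);   // non-secret, stored in the clear
            ms.Write(iv, 0, iv.Length);       // non-secret, stored in the clear
            using (var cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);
                cs.Write(data, 0, data.Length);
            }   // disposing the CryptoStream pads and flushes the final block
            return Convert.ToBase64String(ms.ToArray());
        }
    }
    // Reads the salt and IV back from the blob, re-derives the key and decrypts the rest.
    public static string Decrypt(string base64, string password)
    {
        byte[] blob = Convert.FromBase64String(base64);
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize);
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(DeriveKey(password, salt), iv))
        using (var ms = new MemoryStream(blob, SaltSize + IvSize, blob.Length - SaltSize - IvSize))
        using (var cs = new CryptoStream(ms, dec, CryptoStreamMode.Read))
        using (var sr = new StreamReader(cs, Encoding.UTF8))
            return sr.ReadToEnd();
    }
}
```

A wrong password or a damaged blob surfaces as a CryptographicException on the final padding block; this covers only the salt and IV handling described above and adds no integrity check, so data an attacker could modify still needs an HMAC over the blob or an AEAD mode.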

The encrypted string differs because of the $ character. $ should be escaped when the function is called via PowerShell.

BenMorel
onatm