4

I am having difficulty duplicating how oracle encrypts with AES 256 + CBC + PKCS5/7 replicating it into C#. Thank you for your help in this.

I have the following function in oracle package (simplified):

--Character set used by GEN_ENCRYPT_PASSWORD and GEN_DECRYPT_PASSWORD
G_CHARACTER_SET   VARCHAR2(10) := 'AL32UTF8';    
FUNCTION GEN_ENCRYPT_PASSWORD(p_in_val      IN VARCHAR2
                                    ,p_key         IN VARCHAR2                                        
                                    ,p_iv          IN VARCHAR2 := NULL)
          RETURN RAW
       IS
          l_enc_val    RAW(4000);
          l_enc_algo   PLS_INTEGER;
          l_in         RAW(4000);
          l_iv         RAW(4000);
          l_key        RAW(4000);
          --l_ret        VARCHAR2(4000 CHAR);
          v_mod        NUMBER;
       BEGIN
          l_in         := UTL_I18N.STRING_TO_RAW(data => p_in_val, dst_charset => G_CHARACTER_SET);
          l_iv         := UTL_I18N.STRING_TO_RAW(p_iv, G_CHARACTER_SET);
          l_key        := UTL_I18N.STRING_TO_RAW(data => p_key, dst_charset => G_CHARACTER_SET);
          l_enc_algo   := DBMS_CRYPTO.encrypt_aes256;
          --chain_cbc: Cipher Block Chaining. Plaintext is XORed with the previous ciphertext block before it is encrypted.
          --pad_pkcs5: Provides padding which complies with the PKCS #5: Password-Based Cryptography Standard.
          v_mod        := (l_enc_algo + DBMS_CRYPTO.chain_cbc + DBMS_CRYPTO.pad_pkcs5);

          l_enc_val    := DBMS_CRYPTO.encrypt(src => l_in, KEY => l_key, typ => v_mod);
          --l_ret       := RAWTOHEX(l_enc_val);
          RETURN l_enc_val;
       END GEN_ENCRYPT_PASSWORD;

       FUNCTION GEN_DECRYPT_PASSWORD(p_in_val      IN RAW
                                    ,p_key         IN VARCHAR2                                        
                                    ,p_iv          IN VARCHAR2 := NULL)
          RETURN VARCHAR2
       IS
          l_enc_val    RAW(4000);
          l_enc_algo   PLS_INTEGER;
          l_in         RAW(4000);
          l_iv         RAW(4000);
          l_key        RAW(4000);
          l_ret        VARCHAR2(4000 CHAR);
          v_mod        NUMBER;
       BEGIN
          l_in         := p_in_val;            --UTL_I18N.STRING_TO_RAW(data => p_in_val, dst_charset => G_CHARACTER_SET);

          l_iv         := UTL_I18N.STRING_TO_RAW(p_iv, G_CHARACTER_SET);
          l_key        := UTL_I18N.STRING_TO_RAW(data => p_key, dst_charset => G_CHARACTER_SET);

          l_enc_algo   := DBMS_CRYPTO.encrypt_aes256;

          --chain_cbc: Cipher Block Chaining. Plaintext is XORed with the previous ciphertext block before it is encrypted.
          --pad_pkcs5: Provides padding which complies with the PKCS #5: Password-Based Cryptography Standard.
          v_mod        := (l_enc_algo + DBMS_CRYPTO.chain_cbc + DBMS_CRYPTO.pad_pkcs5);

          l_enc_val    := DBMS_CRYPTO.decrypt(src => l_in, KEY => l_key, typ => v_mod);
          l_ret        := UTL_I18N.raw_to_char(data => l_enc_val, src_charset => G_CHARACTER_SET);

          RETURN l_ret;
       END GEN_DECRYPT_PASSWORD;

Then I ran the query:

SELECT pkg_Encyption_Test.GEN_ENCRYPT_PASSWORD('Test', '12345678901234567890123456789012', '26744a68b53dd87a') Encrypted FROM DUAL;
--Result: 7D2894678D46C769B3001BD75F603E3C

And decrypt the result:

SELECT pkg_Encyption_Test.GEN_DECRYPT_PASSWORD('7D2894678D46C769B3001BD75F603E3C', '12345678901234567890123456789012', '26744a68b53dd87a') Decrypt from dual;
--Result: Test

So the above all works, the issue is how can I convert that to be used by C# to decrypt the results? Sample console application:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace SSO_EncryptionTest
{
    class Program
    {
        /* ORACLE
         * TEXT ENC: 7D2894678D46C769B3001BD75F603E3C
         * TEXT: Test
         * KEY: 12345678901234567890123456789012
         * .NET
         * ENC: EAAAADI2NzQ0YTY4YjUzZGQ4N2GfHsbuE8t1/hhwz3v9isJ1         
         */
        static void Main(string[] args)
        {
            //Use the values from Oracle
            string inputText = "Test";
            string encryptedTextValue = "7D2894678D46C769B3001BD75F603E3C";
            string encryptPrivateKey = "12345678901234567890123456789012";
            string encryptSharedIV = "26744a68b53dd87a";

            Console.WriteLine("******************** Initial values from Oracle ******************");
            Console.WriteLine("inputText: '{0}'", inputText);
            Console.WriteLine("encryptedTextValue: '{0}'", encryptedTextValue);
            Console.WriteLine("encryptPrivateKey: '{0}'", encryptPrivateKey);
            Console.WriteLine("encryptSharedIV: '{0}'", encryptSharedIV);
            Console.WriteLine();

            //This is just here to convert the Encrypted byte array to a string for viewing purposes.
            UTF8Encoding UTF = new UTF8Encoding();
            byte[] inputTextByte = UTF.GetBytes(inputText);
            byte[] encryptedTextValueByte = UTF.GetBytes(encryptedTextValue);
            byte[] encryptPrivateKeyByte = UTF.GetBytes(encryptPrivateKey);
            byte[] encryptSharedIvByte = UTF.GetBytes(encryptSharedIV);

            string Encrypted_Text;
            //string Decrypted;
            try
            {
                Console.WriteLine("********************Encryption Example******************");

                Console.WriteLine("Plain text is: '{0}'", inputText);
                Encrypted_Text = EncryptOracleAES(inputTextByte, encryptPrivateKeyByte, encryptSharedIvByte);
                Console.WriteLine("Encrypted text is: '{0}'", Encrypted_Text);               

                Console.WriteLine();

                /*Console.WriteLine("********************Decryption Example******************");
                Console.WriteLine("Input Encrypted text is '{0}'", XXXXXXXXXXXX);
                Decrypted = "";
                Console.WriteLine("Decrypted text is: '{0}'", Decrypted);*/

            }
            catch (Exception e)
            {
                Console.WriteLine("Exception: {0}", e.Message);
            }

            Console.WriteLine("Press enter to exit");

            Console.ReadLine();
        }

        public static string EncryptOracleAES(byte[] plainText, byte[] privateKey, byte[] sharedIVKey)
        {
            //select UTL_I18N.STRING_TO_RAW('Test', 'AL32UTF8') from dual;
            //54657374         

            string outStr = null;                       // Encrypted string to return
            AesManaged aesAlg = null;
            try
            {                
                aesAlg = new AesManaged();
                aesAlg.Key = privateKey;
                aesAlg.KeySize = 256;
                aesAlg.BlockSize = 128;
                aesAlg.Padding = PaddingMode.PKCS7; //Same as PKCS5/7
                aesAlg.Mode = CipherMode.CBC;
                aesAlg.IV = sharedIVKey;
                ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, sharedIVKey);

                using (MemoryStream msEncrypt = new MemoryStream())
                {
                    // prepend the IV
                    msEncrypt.Write(BitConverter.GetBytes(aesAlg.IV.Length), 0, sizeof(int));
                    msEncrypt.Write(aesAlg.IV, 0, aesAlg.IV.Length);

                    using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                    {
                        using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
                        {
                            //Write all data to the stream.
                            swEncrypt.Write(plainText);
                        }
                    }
                    outStr = Convert.ToBase64String(msEncrypt.ToArray());
                }
            }
            finally
            {

                if (aesAlg != null)
                    aesAlg.Clear();
            }

            // Return the encrypted bytes from the memory stream.
            return outStr;

        }
    }
}

But my results are not consistent:

******************** Initial values from Oracle ******************
inputText: 'Test'
encryptedTextValue: '7D2894678D46C769B3001BD75F603E3C'
encryptPrivateKey: '12345678901234567890123456789012'
encryptSharedIV: '26744a68b53dd87a'

********************Encryption Example******************
Plain text is: 'Test'
Encrypted text is: 'EAAAADI2NzQ0YTY4YjUzZGQ4N2FCXNXYzo2xWZym3dNFwCSJ'

What am I missing?

AhsenBaig
  • 497
  • 4
  • 21
  • 2
    `UTF.GetBytes("AB")` would return the character codes for the chars A & B `{65, 66}` not the byte value of `0xAB` (171) you need. You need to [convert the hex string to a byte array](http://stackoverflow.com/questions/321370/how-can-i-convert-a-hex-string-to-a-byte-array) – Alex K. Oct 29 '15 at 17:22
  • Sorry I get the logic but don't see when I need to do the conversion. I used the LINQ call: public static byte[] StringToByteArray(string hex) { return Enumerable.Range(0, hex.Length) .Where(x => x % 2 == 0) .Select(x => Convert.ToByte(hex.Substring(x, 2), 16)) .ToArray(); } – AhsenBaig Oct 29 '15 at 17:54
  • 1
    You would replace the `UTF.GetBytes(XXX)` calls with the `StringToByteArray(XXX)` method in the linked answer – Alex K. Oct 29 '15 at 23:49
  • Then you will probably get an error regarding the IV, aes256 nees a 128bit IV - so 16 bytes - but your Oracle IV is only 8 bytes (16 hexadecimal digits) so I don't know why that works at all – Alex K. Oct 29 '15 at 23:50
  • 1
    In C# you are looking at base64 output, you need to look at the output as a hexadecimal string to compare so `outStr =BitConverter.ToString(msEncrypt.ToArray()).Replace("-", "")` – Alex K. Oct 29 '15 at 23:51
  • Thanks for your help it pointed me to the right direction. It was a mistake in my function call and since I was converting things to raw and utf8 I replicated that into C# and things started to work. My IV string was the proper length though. – AhsenBaig Nov 03 '15 at 17:29
  • Could you please tell me where are you using IV in the oracle package ? May be I might have missed it. Thanks in advance. @DarkS0ul – Pradip Mar 04 '16 at 11:09

1 Answers1

2

The main issue was actually my select statement was missing the parameter 'AES256' when I passed in the IV value (same with the decryption) duh moment... I blame constant annoyances by co-workers for this :).

SELECT pkg_Encyption_Test.GEN_ENCRYPT_PASSWORD('Test', '12345678901234567890123456789012', '26744a68b53dd87a') Encrypted FROM DUAL;
--Result: 7D2894678D46C769B3001BD75F603E3C

Should have been:

SELECT pkg_Encyption_Test..GEN_ENCRYPT_PASSWORD('Test'
                                       ,'12345678901234567890123456789012'
                                       ,'AES256' --Or NULL
                                       ,'26744a68b53dd87a26744a68b53dd87a')
          Encrypted
  FROM DUAL;
--Result: E320A0CABF881088A424B4F36F188029

This needs to be refactored but the general idea is there.

Class: AesEncryption

 public static AesCryptoServiceProvider AesEncryptionType(byte[] privateKeyByte, byte[] sharedIVKeyByte)
        {
            var aes = new AesCryptoServiceProvider();
            aes.BlockSize = 128;
            aes.KeySize = 256;
            aes.IV = sharedIVKeyByte;
            aes.Key = privateKeyByte;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            return aes;
        }

Variation I went with:

public static string EncryptUsingAes(byte[] inputTextByte, byte[] privateKeyByte, byte[] sharedIVKeyByte)
        {
            using (var aesEncryption = AesEncryption.AesEncryptionType(privateKeyByte, sharedIVKeyByte))
            {
                // Convert string to byte array                
                byte[] dest = new byte[inputTextByte.Length];

                // encryption
                using (ICryptoTransform encrypt = aesEncryption.CreateEncryptor(aesEncryption.Key, aesEncryption.IV))
                {
                    dest = encrypt.TransformFinalBlock(inputTextByte, 0, inputTextByte.Length);

                    encrypt.Dispose();                        
                }
                return BitConverter.ToString(dest).Replace("-", "");
            }
        }

public static string DecryptUsingAes(byte[] inputTextByte, byte[] privateKeyByte, byte[] sharedIVKeyByte)
        {
            using (var aesDecryption = AesEncryption.AesEncryptionType(privateKeyByte, sharedIVKeyByte))
            {
                // Convert string to byte array                
                byte[] dest = new byte[inputTextByte.Length];

                // encryption
                using (ICryptoTransform decrypt = aesDecryption.CreateDecryptor(aesDecryption.Key, aesDecryption.IV))
                {
                    dest = decrypt.TransformFinalBlock(inputTextByte, 0, inputTextByte.Length);

                    decrypt.Dispose();

                }
                // Convert byte array to UTF8 string
                return Encoding.UTF8.GetString(dest); ;
            }
        }

And the main:

private static void Main(string[] args)
        {
            //Use the values from Oracle
            string inputText = "Test";
            string encryptionType = "AES256";
            string encryptPrivateKey = "12345678901234567890123456789012";
            string encryptSharedIV = "26744a68b53dd87a";//26744a68b53dd87a26744a68b53dd87a";
            string encryptedTextValue = "E320A0CABF881088A424B4F36F188029";

            Console.WriteLine("******************** Initial values from Oracle ******************");
            Console.WriteLine("inputText: '{0}'", inputText);
            Console.WriteLine("encryptionType: '{0}'", encryptionType);
            Console.WriteLine("encryptedTextValue: '{0}'", encryptedTextValue);
            Console.WriteLine("encryptPrivateKey: '{0}'", encryptPrivateKey);
            Console.WriteLine("encryptSharedIV: '{0}'", encryptSharedIV);

            //OracleRaw
            string oracleRawText = "54657374";
            string oracleRawPrivateKey = "3132333435363738393031323334353637383930313233343536373839303132";
            string oracleRawSharedIV = "32363734346136386235336464383761"; //26744a68b53dd87a - IV is 16 byte array.            

            Console.WriteLine("******************** Initial values from Oracle OracleRaw ******************");
            Console.WriteLine("oracleRawText: '{0}'", oracleRawText);
            Console.WriteLine("oracleRawPrivateKey: '{0}'", oracleRawPrivateKey);
            Console.WriteLine("oracleRawSharedIV: '{0}'", oracleRawSharedIV);
            Console.WriteLine();

            //This is just here to convert the Encrypted byte array to a string for viewing purposes.
            var utf = new UTF8Encoding();
            byte[] inputTextByte = utf.GetBytes(inputText); //byte: 4 - "Test"
            byte[] privateKeyByte = utf.GetBytes(encryptPrivateKey); //byte: 32 - "12345678901234567890123456789012"
            byte[] sharedIVByte = utf.GetBytes(encryptSharedIV); //byte: 16 - "26744a68b53dd87a"

            //string Decrypted;
            try
            {
                string encryptedText = string.Empty;

                byte[] oracleRawTextByte = StringToByteArray(oracleRawText);
                byte[] oracleRawPrivateKeyByte = StringToByteArray(oracleRawPrivateKey);
                byte[] oracleRawSharedIVByte = StringToByteArray(oracleRawSharedIV);

                encryptedText = EncryptUsingAes(oracleRawTextByte, oracleRawPrivateKeyByte, oracleRawSharedIVByte);
                Console.WriteLine("********************Encryption Example EncryptUsingAes(OracleRaw) ******************");
                Console.WriteLine("Plain text is: '{0}'", inputText);
                Console.WriteLine("Encrypted text is: '{0}'", encryptedText);
                Console.WriteLine();

                encryptedText = EncryptUsingAes(inputTextByte, privateKeyByte, sharedIVByte);
                Console.WriteLine("********************Encryption Example EncryptUsingAes******************");
                Console.WriteLine("Plain text is: '{0}'", inputText);
                Console.WriteLine("Encrypted text is: '{0}'", encryptedText);
                Console.WriteLine();

                Console.WriteLine("********************Encryption Example DecryptUsingAes******************");
                Console.WriteLine("Encrypted text is: '{0}'", encryptedText);

                byte[] cypherText = StringToByteArray(encryptedText);

                encryptedText = DecryptUsingAes(cypherText, privateKeyByte, sharedIVByte);

                Console.WriteLine("Plain text is: '{0}'", encryptedText);
                Console.WriteLine();                    
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception: {0}", e.Message);
            }

            Console.WriteLine("Press enter to exit");
            Console.ReadLine();
        }
    }
AhsenBaig
  • 497
  • 4
  • 21
  • 1
    ?Why did you use -- return BitConverter.ToString(dest).Replace("-", ""); – Pradip Mar 04 '16 at 11:43
  • 1
    If you do --- return BitConverter.ToString(dest).Replace("-", ""); then you get an error while decrypting. Just use Convert.ToBase64String() and it will be fine. Thanks for this wonderful solution though. – Pradip Mar 04 '16 at 12:31