0

As the title says, I am getting:

Invalid length for a Base-64 char array.

So what I am doing is that i construct the email for delivery using the below method:

smsg += "<br><b>To complete your registration, verify your email</b>" + "<a href=" + siteurl + "?usenamw=" + Encrypt(username.Trim()) + "><br>HERE!</a>";

The Encrypt method looks like this:

private static string Encrypt(string clearText)
{
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearBytes, 0, clearBytes.Length);
                cs.Close();
            }
            clearText = Convert.ToBase64String(ms.ToArray());
        }
    }
    return clearText;
}

Here is what the HTML looks like in hotmail:

http://localhost:30850/Activation.aspx?username=9mQkc5vEebsl2Qg6hbxL+r3KVNhOEsig32oP6eb6rd0=

On the receiving end, the Activation.aspx.cs page has the line:

String username = Request.QueryString["username"].ToString();
    Label1.Text = Decrypt(username);

And also the Decryption Method:

private string Decrypt(string cipherText)
{
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] cipherBytes = Convert.FromBase64String(cipherText);
    using (Aes encryptor = Aes.Create())
    {
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write))
            {

                cs.Write(cipherBytes, 0, cipherBytes.Length);
                cs.Close();
            }
            cipherText = Encoding.Unicode.GetString(ms.ToArray());
        }
    }
    return cipherText;
}

So basically when I input username like foe example Jonathan it have no problem displaying Jonathan on the receiving end label. However, if i input anything that is not a multiple of 4 i get error. I understand that Base64 takes in multiple of 4, if it has 7 characters it will add space to it. Is there any solution to this? Thank you very much.

Jonathan ZeroRebirth
  • 1
  • 1
  • 1
  • Is `usenamw` a typo? – Yacoub Massad Jan 05 '16 at 22:42
  • 2
    http://localhost is not useful too the wide audience. :) -- Please update your question. – kfunk Jan 05 '16 at 22:43
  • @kfunk the address is absolutely irrelevant here. What's important is the encrypted username parameter. Jonathan, is the error happening on Encrypt or Decrypt? – Camilo Terevinto Jan 05 '16 at 22:44
  • @cFrozenDeath The text is still misleading, it suggests there's useful info behind that link -- "Here is what the HTML looks like in hotmail: ..." – kfunk Jan 05 '16 at 22:50
  • It is irrelevant, he could have just posted "username=....." and would still be as useful to determine the encrypted text length. – Camilo Terevinto Jan 05 '16 at 22:51
  • Can you show us an example of an input that *doesn't* work? It doesn't appear to be due to the input being a multiple of `4`. I was able to Encrypt/Decrypt `Rob` without any issues – Rob Jan 05 '16 at 22:54
  • Please show us **where** you are getting “Invalid length”? – Dour High Arch Jan 05 '16 at 22:55
  • 1
    Actually, I'm almost positive it's because you haven't url-encoded the value, so it's being incorrectly read as the get parameter. See here: http://stackoverflow.com/questions/1374753/passing-base64-encoded-strings-in-url – Rob Jan 05 '16 at 22:57
  • When i tried Rob it also have error under here byte[] cipherBytes = Convert.FromBase64String(cipherText); – Jonathan ZeroRebirth Jan 05 '16 at 22:58

2 Answers2

4

The base64 username string is padded with an '=' at the end; this is ignored when the URL query string is being interpreted. ie:

username => "9mQkc5vEebsl2Qg6hbxL+r3KVNhOEsig32oP6eb6rd0="

becomes:

username => 9mQkc5vEebsl2Qg6hbxL+r3KVNhOEsig32oP6eb6rd0

in the request handler.

You need to URL encode the string before using it in a URL.

ChrisC73
  • 1,833
  • 14
  • 14
1

Default set of Base64 characters is not safe to use in Url, especially + (space) and = (name/value separator for query params).

You can use modified set (manually replace some characters with other once) or carefully encode your data to make sure each character is preserved (+ in particular as ASP.Net treats it as space).

See Base64 on Wikipedia for links to specifications and Passing base64 encoded strings in URL for similar question in PHP.

Community
  • 1
  • 1
Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179