    using (RijndaelManaged rijAlg = new RijndaelManaged())
    {
        rijAlg.Key = Key;
        rijAlg.IV = IV;
    }

This gives me an error "Specified key is not a valid size for this algorithm."

To get Key and IV:

    string checkPass = "select password from UserName where Username = '" + TBLoginUser.Text + "'";
    SqlCommand pass = new SqlCommand(checkPass, conn);
    string password = pass.ExecuteScalar().ToString();

    string checkKey = "select encKey from UserName where Username = '" + TBLoginUser.Text + "'";
    SqlCommand k = new SqlCommand(checkKey, conn);
    string key = k.ExecuteScalar().ToString();

    string checkIV = "select encIV from UserName where Username = '" + TBLoginUser.Text + "'";
    SqlCommand x = new SqlCommand(checkIV, conn);
    string iv = x.ExecuteScalar().ToString();



    byte[] keyByte = Encoding.ASCII.GetBytes(key);
    byte[] ivByte = Encoding.ASCII.GetBytes(iv);

Can anyone help?

  • Well, what are the contents of `key` and `iv`? – Artjom B. Feb 26 '16 at 20:57
  • 2
    I'm so naming my username ';drop table UserName – Ondrej Svejdar Feb 26 '16 at 20:58
  • `using (RijndaelManaged rijAlg = new RijndaelManaged()) rijAlg.Key = Key; rijAlg.IV = IV;` are you missing brackets `using (..) {... }`? – Valentin Feb 26 '16 at 20:58
  • The error is very clear, the size of the key is invalid, a Rijndael key must be 128, 192 or 256 bits long – Gusman Feb 26 '16 at 21:01
  • 1
    What @OndrejSvejdar is trying to say is that you should use prepared statements to prevent SQL injections, because your current code is vulnerable to them. – Artjom B. Feb 26 '16 at 21:02
  • How do you change the size of the key? @Gusman – user3450582 Feb 26 '16 at 21:02
  • 1
    Passwords should be hashed not encrypted. If you can decrypt them, so can a Bad Guy – Ňɏssa Pøngjǣrdenlarp Feb 26 '16 at 21:03
  • Ehm... create an array of 16, 24 or 32 bytes... *byte[] keyByte = Encoding.ASCII.GetBytes(key);* key for sure is not 16, 24 or 32 chars long, and thus keyByte is not 16, 24 or 32 bytes long. – Gusman Feb 26 '16 at 21:05
  • byte[] keyByte = new byte[32]; keyByte = Encoding.ASCII.GetBytes(key); @Gusman – user3450582 Feb 26 '16 at 21:09
  • No, that will overwrite keyByte with the result, it will not preserve the size; you should hash the key string, which will yield a 16- or 32-byte result – Gusman Feb 26 '16 at 21:12
  • @Gusman can you give me an example? I am not so sure how to do so. – user3450582 Feb 26 '16 at 21:15
  • Of course, open your browser, navigate to google and type "C# hashing" (return). – Gusman Feb 26 '16 at 21:16
  • 1
    You should use a password based key derivation function to go from a string to a key. Options would be PBKDF2 and bcrypt. [PBKDF2 has an implementation in .NET](https://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes%28v=vs.110%29.aspx). – Maarten Bodewes Feb 29 '16 at 18:54
  • Building on @MaartenBodewes comments, it's best not to try to "roll your own" security. Check out something like: http://securitydriven.net/inferno/ – CodingGorilla Feb 29 '16 at 19:00
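The points raised in the question and in the comments above (a key of the wrong byte length, deriving a fixed-size key with PBKDF2 via Rfc2898DeriveBytes, and binding the username as a parameter instead of concatenating it into the SQL string) put together in one added example. This is not code from the question or from any of the commenters. The salt length, iteration count, the `encSalt` column and the `LoadSalt` helper are assumptions made for the example; the question's table only has `encKey` and `encIV`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example: derive a valid-size AES key from a stored string with PBKDF2,
// use a fresh random IV per encryption, and read per-user data with a parameterized query.
static class AesKeyDerivationExample
{
    // Assumed parameters for this example: salt length, PBKDF2 iteration count, 256-bit key.
    const int SaltBytes = 16;
    const int Iterations = 100000;
    const int KeyBytes = 32;

    // Parameterized lookup. The encSalt column is hypothetical; the point is that the
    // username is bound as @user rather than concatenated into the query text.
    public static byte[] LoadSalt(SqlConnection conn, string username)
    {
        const string sql = "SELECT encSalt FROM UserName WHERE Username = @user";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = username;
            return (byte[])cmd.ExecuteScalar();
        }
    }

    // A random salt, generated once per user and stored next to the other user data.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    // PBKDF2 always yields exactly KeyBytes bytes, whatever the length of the input string.
    public static byte[] DeriveKey(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations))
            return kdf.GetBytes(KeyBytes);
    }

    // AES-CBC with PKCS7 padding and a random IV. The IV is returned so it can be stored
    // beside the ciphertext; it is not secret, but must not be reused with the same key.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, out byte[] iv)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;          // throws CryptographicException unless 16, 24 or 32 bytes
            aes.GenerateIV();
            iv = aes.IV;
            using (var enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    static void Main()
    {
        // Constructed input standing in for the string read from the encKey column.
        string storedKeyString = "my-secret";

        // 1. Reproduce the error from the question: 9 ASCII bytes is not a legal AES key size.
        try
        {
            using (var aes = Aes.Create())
                aes.Key = Encoding.ASCII.GetBytes(storedKeyString);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Raw string as key fails: " + e.Message);
        }

        // 2. Derive a 32-byte key instead. In the real application the salt would come
        //    from LoadSalt(conn, username); here it is generated locally so the example runs offline.
        byte[] salt = NewSalt();
        byte[] key = DeriveKey(storedKeyString, salt);
        Console.WriteLine("Derived key length: " + key.Length);

        byte[] iv;
        byte[] ct = Encrypt(key, Encoding.UTF8.GetBytes("hello"), out iv);
        string back = Encoding.UTF8.GetString(Decrypt(key, iv, ct));
        Console.WriteLine("Round trip: " + back);
    }
}
```

Two design choices worth noting: the IV is generated fresh for every encryption and stored with the ciphertext, rather than read from a per-user column as in the question, because reusing one IV with the same key in CBC mode leaks whether plaintexts share a prefix; and the secret is passed through a key derivation function rather than encoded directly, so the key length no longer depends on how long the stored string happens to be.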
