7

I wrote some AES encryption code in C# and I am having trouble getting it to encrypt and decrypt properly. If I enter "test" as the passphrase and "This data must be kept secret from everyone!" I receive the following exception:

System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing)
   at System.IO.Stream.Close()
   at System.IO.Stream.Dispose()
   ...

And if I enter something less than 16 characters I get no output.

I believe I need some special handling in the encryption since AES is a block cipher, but I'm not sure exactly what that is, and I wasn't able to find any examples on the web showing how. Here is my code:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class DatabaseCrypto
{
    public static EncryptedData Encrypt(string password, string data)
    {
        return DatabaseCrypto.Transform(true, password, data, null, null) as EncryptedData;
    }

    public static string Decrypt(string password, EncryptedData data)
    {
        return DatabaseCrypto.Transform(false, password, data.DataString, data.SaltString, data.MACString) as string;
    }

    private static object Transform(bool encrypt, string password, string data, string saltString, string macString)
    {
        using (AesManaged aes = new AesManaged())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            int key_len = aes.KeySize / 8;
            int iv_len = aes.BlockSize / 8;
            const int salt_size = 8;
            const int iterations = 8192;

            byte[] salt = encrypt ? new byte[salt_size] : Convert.FromBase64String(saltString);
            if (encrypt)
            {
                new RNGCryptoServiceProvider().GetBytes(salt);
            }

            byte[] bc_key = new Rfc2898DeriveBytes("BLK" + password, salt, iterations).GetBytes(key_len);
            byte[] iv = new Rfc2898DeriveBytes("IV" + password, salt, iterations).GetBytes(iv_len);
            byte[] mac_key = new Rfc2898DeriveBytes("MAC" + password, salt, iterations).GetBytes(16);

            aes.Key = bc_key;
            aes.IV = iv;

            byte[] rawData = encrypt ? Encoding.UTF8.GetBytes(data) : Convert.FromBase64String(data);

            using (ICryptoTransform transform = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
            using (MemoryStream memoryStream = encrypt ? new MemoryStream() : new MemoryStream(rawData))
            using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, encrypt ? CryptoStreamMode.Write : CryptoStreamMode.Read))
            {
                if (encrypt)
                {
                    cryptoStream.Write(rawData, 0, rawData.Length);

                    return new EncryptedData(salt, mac_key, memoryStream.ToArray());
                }
                else
                {
                    byte[] originalData = new byte[rawData.Length];
                    int count = cryptoStream.Read(originalData, 0, originalData.Length);

                    return Encoding.UTF8.GetString(originalData, 0, count);
                }
            }
        }
    }
}

public class EncryptedData
{
    public EncryptedData()
    {
    }

    public EncryptedData(byte[] salt, byte[] mac, byte[] data)
    {
        this.Salt = salt;
        this.MAC = mac;
        this.Data = data;
    }

    public EncryptedData(string salt, string mac, string data)
    {
        this.SaltString = salt;
        this.MACString = mac;
        this.DataString = data;
    }

    public byte[] Salt
    {
        get;
        set;
    }

    public string SaltString
    {
        get { return Convert.ToBase64String(this.Salt); }
        set { this.Salt = Convert.FromBase64String(value); }
    }

    public byte[] MAC
    {
        get;
        set;
    }

    public string MACString
    {
        get { return Convert.ToBase64String(this.MAC); }
        set { this.MAC = Convert.FromBase64String(value); }
    }

    public byte[] Data
    {
        get;
        set;
    }

    public string DataString
    {
        get { return Convert.ToBase64String(this.Data); }
        set { this.Data = Convert.FromBase64String(value); }
    }
}

    static void ReadTest()
    {
        Console.WriteLine("Enter password: ");
        string password = Console.ReadLine();

        using (StreamReader reader = new StreamReader("aes.cs.txt"))
        {
            EncryptedData enc = new EncryptedData();
            enc.SaltString = reader.ReadLine();
            enc.MACString = reader.ReadLine();
            enc.DataString = reader.ReadLine();

            Console.WriteLine("The decrypted data was: " + DatabaseCrypto.Decrypt(password, enc));
        }
    }

    static void WriteTest()
    {
        Console.WriteLine("Enter data: ");
        string data = Console.ReadLine();
        Console.WriteLine("Enter password: ");
        string password = Console.ReadLine();

        EncryptedData enc = DatabaseCrypto.Encrypt(password, data);

        using (StreamWriter stream = new StreamWriter("aes.cs.txt"))
        {
            stream.WriteLine(enc.SaltString);
            stream.WriteLine(enc.MACString);
            stream.WriteLine(enc.DataString);

            Console.WriteLine("The encrypted data was: " + enc.DataString);
        }
    }
Jake Petroules
  • 23,472
  • 35
  • 144
  • 225

1 Answers1

14

When using a block cipher like AES in a mode that requires padding, like CBC, you must be aware that the output will always be a multiple of the block size. To accomplish this, padding modes like PKCS7 will add some bytes to the cipher at the end of the encryption process. But you have to let the encryptor know when the end occurs. To do so, all you have to do is insert the statement 

cryptoStream.FlushFinalBlock();

after 

cryptoStream.Write(rawData, 0, rawData.Length);

PS:

Perhaps it is just for debugging, but your salt generation method generates the exact same salt every time.

President James K. Polk
  • 40,516
  • 21
  • 95
  • 125
  • Wow, simple as that, eh? I thought it might have been something to do with FlushFinalBlock but I wasn't sure. I think I added it before but maybe I was just entering the wrong password. I should generate some random unit tests. :) Also I know the salt is the same - I wasn't sure how to generate a random one yet but I found `RNGCryptoServiceProvider` after writing that code. Thanks for pointing it out though. – Jake Petroules Dec 28 '10 at 23:35
  • So many examples in msdn and stackoverflow are not so healthy, and this answer saved my day. FlushFinalBlock(). Wow. – ZZZ Jul 18 '13 at 04:35
  • Was wrapping the CryptoStream in a StreamWriter... `cryptoStream.FlushFinalBlock();` needs to be called regardless. Thanks - this was a huge time-saver! – trousyt Jun 06 '14 at 16:44
  • For some reason that approach did not work for me in C# 4.0/4.5 - had to put curly braces after each `using( )`. Than no `.FlushFinalBlock( )` call is needed. See http://stackoverflow.com/questions/29809687/#29835039. – Astrogator Apr 24 '15 at 14:32
  • 1
    @Astrogator: When execution passes out of the `using` block the CryptoStream object's `Dispose` method is called, which eventually causes the`Close` method and then the `FlushFinalBlock` method to be called. – President James K. Polk Apr 24 '15 at 22:26