2

I'm attempting to implement some encryption of data in .NET with a user supplied password. As I understand this, I encrypt the file with a symetric key, and encrypt this key with another key that is generated by the user. This means that a password change does not require a change to the data, just an update to the encrypted key.

When testing out the AES functions, I can encrypt my 256 bit key, but when decrypting I only get the first 16 bytes back from .NET:

public static byte[] Salt = new byte[64];
public static byte[] IV = new byte[16];
public static string Password1 = "PWD";
public static byte[] Key = new byte[32];

static void Main(string[] args)
{
    Salt = RandomNumberGenerator.GetBytes(64);
    IV = RandomNumberGenerator.GetBytes(16);
    Key = RandomNumberGenerator.GetBytes(32);
    var pwdK1 = RandomNumberGenerator.GetBytes(32);

    byte[] aKey1 = new byte[32];
    byte[] bKey1 = new byte[32];

    using (Aes aes = Aes.Create())
    {
        aes.Mode = CipherMode.CBC;
        aes.Key = pwdK1;        //use key generated by user pwd
        aes.IV = IV;

        var str = new MemoryStream(Key);

        using (var crypStr = new CryptoStream(str, aes.CreateEncryptor(), CryptoStreamMode.Read))
        {
            int i = crypStr.Read(aKey1, 0, 32);
        }
    }

    using (Aes aes = Aes.Create())
    {
        aes.Mode = CipherMode.CBC;
        aes.Key = pwdK1;        //use key generated by user pwd
        aes.IV = IV;

        var str = new MemoryStream(aKey1);

        using (var crypStr = new CryptoStream(str, aes.CreateDecryptor(), CryptoStreamMode.Read))
        {
            int i = crypStr.Read(bKey1, 0, 32);
            var p = bKey1.ToArray();
        }
    }
    //we should have Key in p/bKey1, but we only have the first 16 bytes of Key.
}

Here, pwdK1 is actually generated using a 3rd party Argon2 library, code modified for this post.

The key and IV used are the same, the mode is the same, but when reading out the decrypted key in the decrypt stage, I only see the first 16 bytes that I see in Key stored in variable p. For the first crypStr.Read I get a full 32 bytes returned, but the decrypt Read returns only 16 bytes in i. The remaining 16 bytes are all 0.

Any ideas what I could be doing wrong?

Etheraex
  • 508
  • 6
  • 17
Mdd M
  • 121
  • 1
  • 10
  • 1
    You need to loop `.Read` until you get all the bytes – Charlieface Jun 17 '22 at 00:27
  • You're right, I incorrectly assumed that AES would turn my 32 byte array into a 32 byte array of encrypted data and vice versa, but the array size returned in the first step should actually be larger. – Mdd M Jun 17 '22 at 09:51
  • 1
    There are actually two bugs, the changed `Read()` behavior because of the breaking change in .NET 6 (possible fix: Read-loop or `CopyTo()`) and the wrong handling of the padding (possible fix: for a 32 bytes key the padding can be disabled). Also, for such a short ciphertext as a 32 bytes key a `TransformFinalBlock()` instead of the streams (with all their overhead) would be a possible alternative, which would additionally simplify the code significantly. – Topaco Jun 17 '22 at 10:48
  • @Topaco I did not know about CopyTo, which you're right would simplify this. I also was not aware to changes to .Read() in .NET 6, and from a quick google I'm still not sure I understand why they changed them, but such is the way with Microsoft. As for the ```TransformFinalBlock```, I thought blocks in AES were 16 bytes, not 32? – Mdd M Jun 17 '22 at 13:35
  • 1
    The change regarding `Read()` and the reasons for this are described e.g. [here](https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/6.0/partial-byte-reads-in-streams). The AES blocksize *is* 16 bytes, but `TransformFinalBlock()` is not limited to processing only one block. – Topaco Jun 17 '22 at 14:38
  • @Topaco okay that answers my questions, if you post your first comment as an answer I'll mark it as answer. – Mdd M Jun 17 '22 at 15:04
  • @MddM - Sure, I've put my comments in an answer. – Topaco Jun 17 '22 at 17:12

1 Answers1

2

There are two bugs in the code:

  • In .NET 6, the behavior of Read() has changed. The new behavior no longer guarantees reading until the passed buffer is completely filled or the end of the stream is reached, s. here and here. Therefore, a read loop must be implemented (as already suggested in the first comment). Alternatively, CopyTo() can be used.
    With regard to the short plaintext, it is also worth considering not using streams at all, but TransformFinalBlock(), s. here. This saves the overhead associated with streams at runtime and also shortens the code significantly. For longer plaintexts, of course, the stream pattern should be applied again.

    Here are the options in comparison (for encryption). Note that as in the posted code, Key is the plaintext to be encrypted:

    Read()-loop:

    using MemoryStream str = new MemoryStream(Key);
using CryptoStream crypStr = new CryptoStream(str, aes.CreateEncryptor(), CryptoStreamMode.Read);
int i = 0;
while (i < aKey1.Length) 
    i += crypStr.Read(aKey1, i, aKey1.Length - i);

    CopyTo():

    using MemoryStream str = new MemoryStream(Key);
using CryptoStream crypStr = new CryptoStream(str, aes.CreateEncryptor(), CryptoStreamMode.Read);
using MemoryStream cpyStr = new MemoryStream();
crypStr.CopyTo(cpyStr); 
aKey1 = cpyStr.ToArray();

    TransformFinalBlock():

    aKey1 = aes.CreateEncryptor().TransformFinalBlock(Key, 0, Key.Length);

  • The Aes implementation applies PKCS#7 padding by default, i.e. in case of a plaintext of 32 bytes a full block (16 bytes with AES) is appended, so that the buffer for the ciphertext requires a size of 48 bytes. During decryption the padding is removed again, so that the buffer for the decrypted data may still correspond to the plaintext size of 32 bytes.
    Since the plaintext fulfills the size criterion, according to which the size of the plaintext must correspond to an integer multiple of the blocksize, it's also worth considering whether padding should be disabled. Then the buffer for the ciphertext may also be 32 bytes large. If the size criterion is not met, padding must of course be applied.

    Padding can be disabled with aes.Padding = PaddingMode.None;.

Full code without padding using TransformFinalBlock():

byte[] IV = RandomNumberGenerator.GetBytes(16);
byte[] Key = RandomNumberGenerator.GetBytes(32);
byte[] pwdK1 = RandomNumberGenerator.GetBytes(32);

byte[] aKey1 = new byte[32];
byte[] bKey1 = new byte[32];

using (Aes aes = Aes.Create())
{
    aes.Mode = CipherMode.CBC;
    aes.Key = pwdK1;        
    aes.IV = IV;
    aes.Padding = PaddingMode.None; // Fix: Disable padding

    aKey1 = aes.CreateEncryptor().TransformFinalBlock(Key, 0, Key.Length);  // Fix: TransformFinalBlock 
}

using (Aes aes = Aes.Create())
{
    aes.Mode = CipherMode.CBC;
    aes.Key = pwdK1;       
    aes.IV = IV;
    aes.Padding = PaddingMode.None;

    bKey1 = aes.CreateDecryptor().TransformFinalBlock(aKey1, 0, aKey1.Length);
}

Console.WriteLine(Convert.ToHexString(Key));
Console.WriteLine(Convert.ToHexString(aKey1));
Console.WriteLine(Convert.ToHexString(bKey1));

Edit: As mentioned in the comment, since .NET 6 there are also EncryptCbc() and DecryptCbc(), which makes it even a little bit more compact:

using (Aes aes = Aes.Create())
{
    aes.Key = pwdK1;
    aKey1 = aes.EncryptCbc(Key, IV, PaddingMode.None);
}

Like in the posted code, pwdK1 is the encryption key and Key is the plaintext to be encrypted.

Topaco
  • 40,594
  • 4
  • 35
  • 62
  • 1
    Or, even newer code (.NET 6): `aes.EncryptCbc(Key, IV, PaddingMode.None);` (assuming it’s encrypting `Key` as the plaintext) – bartonjs Jun 18 '22 at 04:29