Prompted by a question on StackOverflow, I came across http://support.microsoft.com/kb/307010. It's about how to use symmetric encryption under C#.

The symmetric encryption requires a key and an initialization vector (IV) to encrypt the data. To decrypt the data, you must have the same key and the same IV. You must also use the same encryption algorithm. You can generate the keys by using either of the following methods:

Method 1. You can prompt the user for a password. Then, use the password as the key and the IV. [...]


Wait. What?

For those of you who aren't up to speed with symmetric crypto, deriving a key from a password is a common requirement, but using the same thing as the IV is a really bad idea. The whole point of symmetric encryption in CBC mode is that you use a different IV every time you encrypt using that key; this makes the ciphertext look different every time. If you encrypt two or more messages using the same key/IV combination, you get ciphertexts which, whilst appearing gibberish, will be susceptible to traffic analysis. (What this actually means for your system depends on what messages you're sending; the consequences could be anywhere from no impact, to a trivial break of all your plaintexts.)

In short: this article and its sample code are leading people to use an unsound cipher setup.

I've submitted feedback on the article, but I somehow doubt anything will happen. The paranoid in me wonders whether the bogus info might have been carefully planted by three-letter government agencies; the pragmatist prefers the simple notion that the article was written by somebody who just didn't know what they were doing with crypto. Trouble is, for the average person, good crypto looks just the same as bad crypto...
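
The effect of a reused key/IV pair in CBC mode, next to the per-message random IV, as an added example that is not code from the KB article or from this post. It assumes .NET 6 or later and uses AES with a PBKDF2-derived key (choices made for this example); the password, messages and class name are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class IvReuseDemo
{
    // Encrypt one message with AES-CBC (PKCS7 padding) under the given key and IV.
    static byte[] Encrypt(byte[] key, byte[] iv, string plaintext)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        using var enc = aes.CreateEncryptor(key, iv);
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        return enc.TransformFinalBlock(data, 0, data.Length);
    }

    // Hex of the first 16-byte ciphertext block, for comparison.
    static string FirstBlock(byte[] ct) => Convert.ToHexString(ct, 0, 16);

    static void Main()
    {
        // Constructed sample input: two messages whose first 16 bytes are identical.
        const string m1 = "TRANSFER 0100.00 to account A";
        const string m2 = "TRANSFER 0100.00 to account B";

        // Key derived from a (constructed) password with a random salt.
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            "constructed password", salt, 100_000, HashAlgorithmName.SHA256, 32);

        // Weak setup: the IV is taken from the key material, so it is the same
        // for every message (stands in for the article's password-as-IV).
        byte[] fixedIv = key.Take(16).ToArray();
        bool leaks = FirstBlock(Encrypt(key, fixedIv, m1))
                  == FirstBlock(Encrypt(key, fixedIv, m2));
        Console.WriteLine($"fixed IV:  first blocks equal = {leaks}");

        // Corrected setup: a fresh random IV per message. The IV is not secret
        // and is normally stored or sent alongside the ciphertext.
        byte[] iv1 = RandomNumberGenerator.GetBytes(16);
        byte[] iv2 = RandomNumberGenerator.GetBytes(16);
        bool stillLeaks = FirstBlock(Encrypt(key, iv1, m1))
                       == FirstBlock(Encrypt(key, iv2, m2));
        Console.WriteLine($"random IV: first blocks equal = {stillLeaks}");
    }
}
```

With the fixed IV, an observer who sees only ciphertext can tell that the two messages begin with the same 16 bytes; with per-message random IVs that equality disappears.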

Comments

gerald_duck
Apr. 1st, 2010 09:37 am (UTC)
It doesn't matter much, though, because C# has higher-level cryptographic functions to generate keys from passphrases, encipher blocks using various chaining modes, etc.

…right?
crazyscot
Apr. 1st, 2010 01:41 pm (UTC)
*hollow laughter* ... At least, if there are, that kb article doesn't mention them.
mdw [distorted.org.uk]
Apr. 2nd, 2010 10:46 am (UTC)
Ahh. If only that was the only problem, or even the worst one.

The suggested way of generating a key involves getting the default DESCryptoServiceProvider to make one up (sensible) and then decoding the resulting bytes as ASCII to get a character string.

The documentation I have here for System.Text.ASCIIEncoding.GetString tells me that
Any byte greater than hexadecimal 0x7F is decoded as the Unicode question mark ("?").

Approximately half of the bytes will be clobbered in this way.
crazyscot
Apr. 3rd, 2010 07:23 am (UTC)
Fantastic 8-)