P
Phil C.
Hi. I testing some asp.net code that generates a 256 bit Aes Symmetric Key
and a 256 bit entropy value.
I encrypt the Aes key(without storing it as Base64) with the host's dpapi
using the entropy value(without storing it as Base64),
and then store the encrypted Aes key value and the entropy value in some
SHARED VARIABLES AS BYTE ARRAYS(not Base64).
I then decrypt the stored encrypted Aes value with the dpapi using the
stored entropy value.
I am declaring the default padding when generating the key as:
aesProvider.Padding = PaddingMode.PKCS7
After the encryption, for my comparison purposes, I display the unencrypted
Aes key as a Base 64 value. Since 32 bytes is a multiple
of three, one would not expect any BASE64 padding characters in the
displayed value, yet I always get a value that ends in the Base64
padding symbol of '=' which means a base64 padded group of 3 zeroes.
When I decrypt the encrypted Aes key value, and convert it to Base64 for
display, it always shows up as having the last character
being an 'A' which is the base64 value for '0' or 'zero'
I first suspected that the PKCS7 mode is causing my problems, but reading
the PKCS7 help implies that the padding is used in the cipher blocks,
not in the key generation. For convenience, I used the
RijndaelManaged.GenerateKey() function to generate the key, BUT perhaps I
might as well
as used the RNGCryptoServiceProvider.GetBytes() to do this. Indeed, I used
the RNGCryptoServiceProvider.GetBytes() to generate a 32 byte entropy
value,
yet when I convert it to base64 for viewing, it has an '=' as the last
character, meaning that it too is incorrectly being padded.
Below is a summary of what I get during the generate and encryption:
Generate and Encrypt:
Generated Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6Ns=
Generated Aes Base64 Encoded String Symmetric Key Encrypted with Dpapi:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAYfcANKBCn0WrzhCNlOn8SwQAAAACAAAAAAADZgAAqAAAABAAAABVt1GQd/7tXNI/sKRdwGmzAAAAAASAAACgAAAAEAAAAEzxv5pzWw2v2H4cSVVoK2woAAAAMc609Ix8n4QMFy44PHRsInDD44lvwZPL04uZg19szbnPJskt4gA5LhQAAABvMuTkmeSa2dv3BkXdJA4eHQxgGwA=
Using Entropy
Generated Entropy As Base64 Encoded String:
WCXGLrtx1SN81b5e8aI11ntBvjRR11UmwSiqj2+9vaA=
After Decryption, I get:
Decrypt and Compare:
Generated Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6Ns=
Dpapi Decrypted Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6NsA
The code behind is as follows (Sorry I could not color code the code):
Imports System.Security.Cryptography
Public Class EncryptDecryptWithDpapiBase64EncodedStrings
Inherits System.Web.UI.Page
'Public Shared entropyValueAsByte() As Byte
'Public Shared dpapiEncryptedAesKeyAsByte() As Byte
'Have to have shared variables because new page is emitted
'on postback with new instance of page
Private Shared _entropyValueAsByte(31) As Byte
Protected WithEvents generatedB64AesKey As
System.Web.UI.WebControls.TextBox
Private Shared _dpapiEncryptedAesKeyAsByte() As Byte
Public Shared Property entropyValueAsByte() As Byte()
Get
Return _entropyValueAsByte
End Get
Set(ByVal Value As Byte())
_entropyValueAsByte = Value
End Set
End Property
Public Shared Property dpapiEncryptedAesKeyAsByte() As Byte()
Get
Return _dpapiEncryptedAesKeyAsByte
End Get
Set(ByVal Value As Byte())
_dpapiEncryptedAesKeyAsByte = Value
End Set
End Property
#Region " Web Form Designer Generated Code "
'This call is required by the Web Form Designer.
<System.Diagnostics.DebuggerStepThrough()> Private Sub
InitializeComponent()
End Sub
Protected WithEvents cleartextTextBox As
System.Web.UI.WebControls.TextBox
Protected WithEvents ciphertextTextBox As
System.Web.UI.WebControls.TextBox
Protected WithEvents entropyCheckBox As
System.Web.UI.WebControls.CheckBox
Protected WithEvents encryptButton As System.Web.UI.WebControls.Button
Protected WithEvents decryptButton As System.Web.UI.WebControls.Button
Protected WithEvents generatedEntropyTextBox As
System.Web.UI.WebControls.TextBox
'NOTE: The following placeholder declaration is required by the Web Form
Designer.
'Do not delete or move it.
Private designerPlaceholderDeclaration As System.Object
Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Init
'CODEGEN: This method call is required by the Web Form Designer
'Do not modify it using the code editor.
InitializeComponent()
End Sub
#End Region
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
'Put user code to initialize the page here
End Sub
Public Enum Store
USE_MACHINE_STORE
USE_USER_STORE
End Enum
Friend Function CreateKey() As Byte()
'Create a new AES Service Provider
Dim aesProvider As New RijndaelManaged
'Declare the key size
aesProvider.KeySize = 256
aesProvider.BlockSize = 256
aesProvider.Padding = PaddingMode.PKCS7
aesProvider.GenerateKey()
Return aesProvider.Key
End Function
Friend Function CreateEntropyValue() As Byte()
Dim rng As New RNGCryptoServiceProvider
Dim rng256EntropyByteValue(31) As Byte
rng.GetBytes(rng256EntropyByteValue)
Return rng256EntropyByteValue
End Function
Private Sub encryptButton_Click(ByVal sender As System.Object, ByVal e
As System.EventArgs) Handles encryptButton.Click
Dim dp As New RindjaelTest.Microsoft.Win32.DPAPI.DataProtector
Dim AesKeyValueInBytes(31) As Byte
AesKeyValueInBytes = CreateKey()
generatedB64AesKey.Text = Convert.ToBase64String(AesKeyValueInBytes)
If entropyCheckBox.Checked Then
entropyValueAsByte = CreateEntropyValue()
dpapiEncryptedAesKeyAsByte = dp.Encrypt(AesKeyValueInBytes,
entropyValueAsByte, Store.USE_MACHINE_STORE)
ciphertextTextBox.Text =
Convert.ToBase64String(dpapiEncryptedAesKeyAsByte)
generatedEntropyTextBox.Text =
Convert.ToBase64String(entropyValueAsByte)
Else
dpapiEncryptedAesKeyAsByte = dp.Encrypt(AesKeyValueInBytes,
Nothing, Store.USE_MACHINE_STORE)
ciphertextTextBox.Text =
Convert.ToBase64String(dpapiEncryptedAesKeyAsByte)
End If
ciphertextTextBox.Text.TrimEnd()
End Sub
Private Sub decryptButton_Click(ByVal sender As System.Object, ByVal e
As System.EventArgs) Handles decryptButton.Click
If Not dpapiEncryptedAesKeyAsByte Is Nothing Then
Dim dp As New RindjaelTest.Microsoft.Win32.DPAPI.DataProtector
If entropyCheckBox.Checked Then
cleartextTextBox.Text =
Convert.ToBase64String(dp.Decrypt(dpapiEncryptedAesKeyAsByte,
entropyValueAsByte, Store.USE_MACHINE_STORE))
Else
cleartextTextBox.Text =
Convert.ToBase64String(dp.Decrypt(dpapiEncryptedAesKeyAsByte, Nothing,
Store.USE_MACHINE_STORE))
End If
cleartextTextBox.Text.TrimEnd()
End If
End Sub
End Class
and a 256 bit entropy value.
I encrypt the Aes key(without storing it as Base64) with the host's dpapi
using the entropy value(without storing it as Base64),
and then store the encrypted Aes key value and the entropy value in some
SHARED VARIABLES AS BYTE ARRAYS(not Base64).
I then decrypt the stored encrypted Aes value with the dpapi using the
stored entropy value.
I am declaring the default padding when generating the key as:
aesProvider.Padding = PaddingMode.PKCS7
After the encryption, for my comparison purposes, I display the unencrypted
Aes key as a Base 64 value. Since 32 bytes is a multiple
of three, one would not expect any BASE64 padding characters in the
displayed value, yet I always get a value that ends in the Base64
padding symbol of '=' which means a base64 padded group of 3 zeroes.
When I decrypt the encrypted Aes key value, and convert it to Base64 for
display, it always shows up as having the last character
being an 'A' which is the base64 value for '0' or 'zero'
I first suspected that the PKCS7 mode is causing my problems, but reading
the PKCS7 help implies that the padding is used in the cipher blocks,
not in the key generation. For convenience, I used the
RijndaelManaged.GenerateKey() function to generate the key, BUT perhaps I
might as well
as used the RNGCryptoServiceProvider.GetBytes() to do this. Indeed, I used
the RNGCryptoServiceProvider.GetBytes() to generate a 32 byte entropy
value,
yet when I convert it to base64 for viewing, it has an '=' as the last
character, meaning that it too is incorrectly being padded.
Below is a summary of what I get during the generate and encryption:
Generate and Encrypt:
Generated Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6Ns=
Generated Aes Base64 Encoded String Symmetric Key Encrypted with Dpapi:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAYfcANKBCn0WrzhCNlOn8SwQAAAACAAAAAAADZgAAqAAAABAAAABVt1GQd/7tXNI/sKRdwGmzAAAAAASAAACgAAAAEAAAAEzxv5pzWw2v2H4cSVVoK2woAAAAMc609Ix8n4QMFy44PHRsInDD44lvwZPL04uZg19szbnPJskt4gA5LhQAAABvMuTkmeSa2dv3BkXdJA4eHQxgGwA=
Using Entropy
Generated Entropy As Base64 Encoded String:
WCXGLrtx1SN81b5e8aI11ntBvjRR11UmwSiqj2+9vaA=
After Decryption, I get:
Decrypt and Compare:
Generated Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6Ns=
Dpapi Decrypted Aes Base64 Encoded String Symmetric Key:
wzHp7M3tRpXiWw4SWkMzEmorBHTNEjENDgSeGi8B6NsA
The code behind is as follows (Sorry I could not color code the code):
Imports System.Security.Cryptography
Public Class EncryptDecryptWithDpapiBase64EncodedStrings
Inherits System.Web.UI.Page
'Public Shared entropyValueAsByte() As Byte
'Public Shared dpapiEncryptedAesKeyAsByte() As Byte
'Have to have shared variables because new page is emitted
'on postback with new instance of page
Private Shared _entropyValueAsByte(31) As Byte
Protected WithEvents generatedB64AesKey As
System.Web.UI.WebControls.TextBox
Private Shared _dpapiEncryptedAesKeyAsByte() As Byte
Public Shared Property entropyValueAsByte() As Byte()
Get
Return _entropyValueAsByte
End Get
Set(ByVal Value As Byte())
_entropyValueAsByte = Value
End Set
End Property
Public Shared Property dpapiEncryptedAesKeyAsByte() As Byte()
Get
Return _dpapiEncryptedAesKeyAsByte
End Get
Set(ByVal Value As Byte())
_dpapiEncryptedAesKeyAsByte = Value
End Set
End Property
#Region " Web Form Designer Generated Code "
'This call is required by the Web Form Designer.
<System.Diagnostics.DebuggerStepThrough()> Private Sub
InitializeComponent()
End Sub
Protected WithEvents cleartextTextBox As
System.Web.UI.WebControls.TextBox
Protected WithEvents ciphertextTextBox As
System.Web.UI.WebControls.TextBox
Protected WithEvents entropyCheckBox As
System.Web.UI.WebControls.CheckBox
Protected WithEvents encryptButton As System.Web.UI.WebControls.Button
Protected WithEvents decryptButton As System.Web.UI.WebControls.Button
Protected WithEvents generatedEntropyTextBox As
System.Web.UI.WebControls.TextBox
'NOTE: The following placeholder declaration is required by the Web Form
Designer.
'Do not delete or move it.
Private designerPlaceholderDeclaration As System.Object
Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Init
'CODEGEN: This method call is required by the Web Form Designer
'Do not modify it using the code editor.
InitializeComponent()
End Sub
#End Region
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
'Put user code to initialize the page here
End Sub
Public Enum Store
USE_MACHINE_STORE
USE_USER_STORE
End Enum
Friend Function CreateKey() As Byte()
'Create a new AES Service Provider
Dim aesProvider As New RijndaelManaged
'Declare the key size
aesProvider.KeySize = 256
aesProvider.BlockSize = 256
aesProvider.Padding = PaddingMode.PKCS7
aesProvider.GenerateKey()
Return aesProvider.Key
End Function
Friend Function CreateEntropyValue() As Byte()
Dim rng As New RNGCryptoServiceProvider
Dim rng256EntropyByteValue(31) As Byte
rng.GetBytes(rng256EntropyByteValue)
Return rng256EntropyByteValue
End Function
Private Sub encryptButton_Click(ByVal sender As System.Object, ByVal e
As System.EventArgs) Handles encryptButton.Click
Dim dp As New RindjaelTest.Microsoft.Win32.DPAPI.DataProtector
Dim AesKeyValueInBytes(31) As Byte
AesKeyValueInBytes = CreateKey()
generatedB64AesKey.Text = Convert.ToBase64String(AesKeyValueInBytes)
If entropyCheckBox.Checked Then
entropyValueAsByte = CreateEntropyValue()
dpapiEncryptedAesKeyAsByte = dp.Encrypt(AesKeyValueInBytes,
entropyValueAsByte, Store.USE_MACHINE_STORE)
ciphertextTextBox.Text =
Convert.ToBase64String(dpapiEncryptedAesKeyAsByte)
generatedEntropyTextBox.Text =
Convert.ToBase64String(entropyValueAsByte)
Else
dpapiEncryptedAesKeyAsByte = dp.Encrypt(AesKeyValueInBytes,
Nothing, Store.USE_MACHINE_STORE)
ciphertextTextBox.Text =
Convert.ToBase64String(dpapiEncryptedAesKeyAsByte)
End If
ciphertextTextBox.Text.TrimEnd()
End Sub
Private Sub decryptButton_Click(ByVal sender As System.Object, ByVal e
As System.EventArgs) Handles decryptButton.Click
If Not dpapiEncryptedAesKeyAsByte Is Nothing Then
Dim dp As New RindjaelTest.Microsoft.Win32.DPAPI.DataProtector
If entropyCheckBox.Checked Then
cleartextTextBox.Text =
Convert.ToBase64String(dp.Decrypt(dpapiEncryptedAesKeyAsByte,
entropyValueAsByte, Store.USE_MACHINE_STORE))
Else
cleartextTextBox.Text =
Convert.ToBase64String(dp.Decrypt(dpapiEncryptedAesKeyAsByte, Nothing,
Store.USE_MACHINE_STORE))
End If
cleartextTextBox.Text.TrimEnd()
End If
End Sub
End Class