发表新帖
发表新帖

Why does a bad password cause “Padding is invalid and cannot be removed”?

前端 未结
关注
9 1557
醉酒成梦
醉酒成梦 2020-11-29 07:24

I needed some simple string encryption, so I wrote the following code (with a great deal of \"inspiration\" from here):

    // create and initialize a crypto
相关标签:
9条回答
  • 不知归路
    2020-11-29 07:34

    If you've ruled out key-mismatch, then besides FlushFinalBlock() (see Yaniv's answer), calling Close() on the CryptoStream will also suffice.

    If you are cleaning up resources strictly with using blocks, be sure to nest the block for the CryptoStream itself:

    using (MemoryStream ms = new MemoryStream())
using (var enc = RijndaelAlg.CreateEncryptor())
{
  using (CryptoStream encStream = new CryptoStream(ms, enc, CryptoStreamMode.Write))
  {
    encStream.Write(bar2, 0, bar2.Length);
  } // implicit close
  byte[] encArray = ms.ToArray();
}

    I've been bitten by this (or similar):

    using (MemoryStream ms = new MemoryStream())
using (var enc = RijndaelAlg.CreateEncryptor())
using (CryptoStream encStream = new CryptoStream(ms, enc, CryptoStreamMode.Write))
{
  encStream.Write(bar2, 0, bar2.Length);
  byte[] encArray = ms.ToArray();
} // implicit close -- too late!
    0 讨论(0)
  • 眼角桃花
    2020-11-29 07:35

    Another reason of the exception might be a race condition between several threads using decryption logic - native implementations of ICryptoTransform are not thread-safe (e.g. SymmetricAlgorithm), so it should be put to exclusive section, e.g. using lock. Please refer here for more details: http://www.make-awesome.com/2011/07/system-security-cryptography-and-thread-safety/

    0 讨论(0)
  • 失恋的感觉
    2020-11-29 07:43

    I had a similar problem, the issue in decrypt method was initializing an empty memory stream. when it worked when I initialized it with the cipher text byte array like this:

    MemoryStream ms = new MemoryStream(cipherText)
    0 讨论(0)
  • 無奈伤痛
    2020-11-29 07:43

    The answer updated by the user "atconway" worked for me.

    The problem was not with the padding but the key which was different during encryption and decryption. The key and iv should be same during encypting and decrypting the same value.

    0 讨论(0)
  • 爱一瞬间的悲伤
    2020-11-29 07:47

    Although this have been already answered I think it would be a good idea to explain why it is to be expected.

    A padding scheme is usually applied because most cryptographic filters are not semantically secure and to prevent some forms of cryptoatacks. For example, usually in RSA the OAEP padding scheme is used which prevents some sorts of attacks (such as a chosen plaintext attack or blinding).

    A padding scheme appends some (usually) random garbage to the message m before the message is sent. In the OAEP method, for example, two Oracles are used (this is a simplistic explanation):

    1. Given the size of the modulus you padd k1 bits with 0 and k0 bits with a random number.
    2. Then by applying some transformation to the message you obtain the padded message wich is encrypted and sent.

    That provides you with a randomization for the messages and with a way to test if the message is garbage or not. As the padding scheme is reversible, when you decrypt the message whereas you can't say anything about the integrity of the message itself you can, in fact, make some assertion about the padding and thus you can know if the message has been correctly decrypted or you're doing something wrong (i.e someone has tampered with the message or you're using the wrong key)

    0 讨论(0)
  • 遇见更好的自我
    2020-11-29 07:52

    There may be some unread bytes in the CryptoStream. Closing before reading the stream completely was causing the error in my program.

    0 讨论(0)
 看不清?
提交回复
热议问题