C# – CryptographicException – Bad Data

ccryptographywinforms

I develop a WinForms solution which uses encryption.

One of the problems I have is dealing with empty passwords (e.g. no password set).
Obviously, empty string causes Cryptographic Exception, so I tried to prevent encrypting/decrypting string if it's empty and set its value to empty string.

However, I get exception:
CryptoGraphic Exception (Bad Data).

Here is the stack trace:

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils._DecryptData(SafeKeyHandle hKey, Byte[] data, Int32 ib, Int32 cb, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode PaddingMode, Boolean fDone)
at System.Security.Cryptography.CryptoAPITransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at xxx.Security.Cryptography.Decrypt(String cipherString, Boolean useHashing) in C:\xxxx\xxxx\xxxx\xxxx\xxxx\xxxx\Cryptography.cs:line 82

Here is the source code of the class:

using System;
using System.Security.Cryptography;
using System.Text;

namespace xxx
{
  public class Cryptography
  {
    private const string key = "xxxx";

    public static string Encrypt(string toEncrypt, bool useHashing)
    {
        if (toEncrypt == "")
        {
            string result = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(toEncrypt));
            return result;
        }
        else
        {
            try
            {
                byte[] keyArray;
                byte[] toEncryptArray = Encoding.UTF8.GetBytes(toEncrypt);

                //If hashing use get hashcode regards to your key
                if (useHashing)
                {
                    MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
                    keyArray = md5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes(key));
                    md5CryptoServiceProvider.Clear();
                }
                else
                    keyArray = Encoding.UTF8.GetBytes(key);

                TripleDESCryptoServiceProvider tripleDesCryptoServiceProvider = new TripleDESCryptoServiceProvider();
                //set the secret key for the tripleDES algorithm
                tripleDesCryptoServiceProvider.Key = keyArray;
                //mode of operation. there are other 4 modes.
                //We choose ECB(Electronic code Book)
                tripleDesCryptoServiceProvider.Mode = CipherMode.ECB;
                //padding mode(if any extra byte added)

                tripleDesCryptoServiceProvider.Padding = PaddingMode.PKCS7;

                ICryptoTransform cTransform = tripleDesCryptoServiceProvider.CreateEncryptor();
                //transform the specified region of bytes array to resultArray
                byte[] resultArray =
                  cTransform.TransformFinalBlock(toEncryptArray, 0,
                  toEncryptArray.Length);
                //Release resources held by TripleDes Encryptor
                tripleDesCryptoServiceProvider.Clear();
                //Return the encrypted data into unreadable string format
                return Convert.ToBase64String(resultArray, 0, resultArray.Length);
            }
            catch (Exception)
            {
                string result = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(toEncrypt));
                return result;
            }
        }
    }


    public static string Decrypt(string cipherString, bool useHashing)
    {
        if (cipherString == "")
        {
            UTF8Encoding utf8 = new UTF8Encoding();
            return Encoding.UTF8.GetString(utf8.GetBytes(""));
        }
        else
        {
            try
            {
                byte[] keyArray;
                //get the byte code of the string

                byte[] toEncryptArray = Convert.FromBase64String(cipherString);


                if (useHashing)
                {
                    //if hashing was used get the hash code with regards to your key
                    MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
                    keyArray = md5CryptoServiceProvider.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
                    //release any resource held by the MD5CryptoServiceProvider

                    md5CryptoServiceProvider.Clear();
                }
                else
                {
                    //if hashing was not implemented get the byte code of the key
                    keyArray = UTF8Encoding.UTF8.GetBytes(key);
                }

                TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
                //set the secret key for the tripleDES algorithm
                tdes.Key = keyArray;
                //mode of operation. there are other 4 modes. 
                //We choose ECB(Electronic code Book)

                tdes.Mode = CipherMode.ECB;
                //padding mode(if any extra byte added)
                tdes.Padding = PaddingMode.PKCS7;

                ICryptoTransform cTransform = tdes.CreateDecryptor();
                byte[] resultArray = cTransform.TransformFinalBlock(
                                     toEncryptArray, 0, toEncryptArray.Length);
                //Release resources held by TripleDes Encryptor                
                tdes.Clear();
                //return the Clear decrypted TEXT
                return Encoding.UTF8.GetString(resultArray);
            }
            catch (Exception)
            {
                UTF8Encoding utf8 = new UTF8Encoding();
                return Encoding.UTF8.GetString(utf8.GetBytes(""));
            }
        }
        }
    }
}

So the problem is in Decrypt method. Any clues please?

P.S. Yes, I know the code is not ideal. This class wasn't written by me, I'm just trying to use it. Thank you for improvement suggestions, I will definitely concider them.

Best Answer

If you really want to allow empty passwords, make sure you special-case null as well as empty strings.

So change

if (toEncrypt == "")

if (string.IsNullOrEmpty(toEncrypt))

and return null if toEncrypt is null or empty.

Also change

if (cipherString == "")

if (string.IsNullOrWhiteSpace(cipherString))

and return an empty string if 'cipherString' is null or whitespace.

NB - the comment from CodesInChaos above is quite right. This code has a certain smell about it. He gives good advice.

Related Solutions

C# – Why is lock(this) {…} bad

It is bad form to use this in lock statements because it is generally out of your control who else might be locking on that object.

In order to properly plan parallel operations, special care should be taken to consider possible deadlock situations, and having an unknown number of lock entry points hinders this. For example, any one with a reference to the object can lock on it without the object designer/creator knowing about it. This increases the complexity of multi-threaded solutions and might affect their correctness.

A private field is usually a better option as the compiler will enforce access restrictions to it, and it will encapsulate the locking mechanism. Using this violates encapsulation by exposing part of your locking implementation to the public. It is also not clear that you will be acquiring a lock on this unless it has been documented. Even then, relying on documentation to prevent a problem is sub-optimal.

Finally, there is the common misconception that lock(this) actually modifies the object passed as a parameter, and in some way makes it read-only or inaccessible. This is false. The object passed as a parameter to lock merely serves as a key. If a lock is already being held on that key, the lock cannot be made; otherwise, the lock is allowed.

This is why it's bad to use strings as the keys in lock statements, since they are immutable and are shared/accessible across parts of the application. You should use a private variable instead, an Object instance will do nicely.

Run the following C# code as an example.

public class Person
{
    public int Age { get; set;  }
    public string Name { get; set; }

    public void LockThis()
    {
        lock (this)
        {
            System.Threading.Thread.Sleep(10000);
        }
    }
}

class Program
{
    static void Main(string[] args)
    {
        var nancy = new Person {Name = "Nancy Drew", Age = 15};
        var a = new Thread(nancy.LockThis);
        a.Start();
        var b = new Thread(Timewarp);
        b.Start(nancy);
        Thread.Sleep(10);
        var anotherNancy = new Person { Name = "Nancy Drew", Age = 50 };
        var c = new Thread(NameChange);
        c.Start(anotherNancy);
        a.Join();
        Console.ReadLine();
    }

    static void Timewarp(object subject)
    {
        var person = subject as Person;
        if (person == null) throw new ArgumentNullException("subject");
        // A lock does not make the object read-only.
        lock (person.Name)
        {
            while (person.Age <= 23)
            {
                // There will be a lock on 'person' due to the LockThis method running in another thread
                if (Monitor.TryEnter(person, 10) == false)
                {
                    Console.WriteLine("'this' person is locked!");
                }
                else Monitor.Exit(person);
                person.Age++;
                if(person.Age == 18)
                {
                    // Changing the 'person.Name' value doesn't change the lock...
                    person.Name = "Nancy Smith";
                }
                Console.WriteLine("{0} is {1} years old.", person.Name, person.Age);
            }
        }
    }

    static void NameChange(object subject)
    {
        var person = subject as Person;
        if (person == null) throw new ArgumentNullException("subject");
        // You should avoid locking on strings, since they are immutable.
        if (Monitor.TryEnter(person.Name, 30) == false)
        {
            Console.WriteLine("Failed to obtain lock on 50 year old Nancy, because Timewarp(object) locked on string \"Nancy Drew\".");
        }
        else Monitor.Exit(person.Name);

        if (Monitor.TryEnter("Nancy Drew", 30) == false)
        {
            Console.WriteLine("Failed to obtain lock using 'Nancy Drew' literal, locked by 'person.Name' since both are the same object thanks to inlining!");
        }
        else Monitor.Exit("Nancy Drew");
        if (Monitor.TryEnter(person.Name, 10000))
        {
            string oldName = person.Name;
            person.Name = "Nancy Callahan";
            Console.WriteLine("Name changed from '{0}' to '{1}'.", oldName, person.Name);
        }
        else Monitor.Exit(person.Name);
    }
}

Console output

'this' person is locked!
Nancy Drew is 16 years old.
'this' person is locked!
Nancy Drew is 17 years old.
Failed to obtain lock on 50 year old Nancy, because Timewarp(object) locked on string "Nancy Drew".
'this' person is locked!
Nancy Smith is 18 years old.
'this' person is locked!
Nancy Smith is 19 years old.
'this' person is locked!
Nancy Smith is 20 years old.
Failed to obtain lock using 'Nancy Drew' literal, locked by 'person.Name' since both are the same object thanks to inlining!
'this' person is locked!
Nancy Smith is 21 years old.
'this' person is locked!
Nancy Smith is 22 years old.
'this' person is locked!
Nancy Smith is 23 years old.
'this' person is locked!
Nancy Smith is 24 years old.
Name changed from 'Nancy Drew' to 'Nancy Callahan'.

.net – Occasional Bad Data Error while decrypting the string : System.Security.Cryptography.CryptographicException

You have a bug lurking in your code...

You should never use any of the System.Text.Encoding classes for cipher text. You will experience intermittent errors. You should use Base64 encoding and the System.Convert class methods.

To obtain an encrypted string from an encrypted byte[], you should use: Convert.ToBase64String(byte[] bytes)
To obtain a a raw byte[] from a string to be encrypted, you should use: Convert.FromBase64String(string data)

For additional info, please refer to MS Security guru Shawn Farkas's post at http://blogs.msdn.com/b/shawnfa/archive/2005/11/10/491431.aspx

Best Answer

Related Solutions

C# – Why is lock(this) {…} bad

.net – Occasional Bad Data Error while decrypting the string : System.Security.Cryptography.CryptographicException

Related Topic