0

Assuming we know the key and the IV for the data we're getting from the stream, is it possible to decrypt it within stream? I encrypted the same message three times and then decrypted it all at once, getting wrong results. Perhaps I should detect padding at the receiving side and re-initialize the CryptoStream?

The problem I am trying to solve is to securely transmit a message without revealing its size over an insecure protocol (e.g. using explicit number of bytes or using 0x3 symbol to split messages).

using System.Security.Cryptography;

var aes = Aes.Create();

aes.Key = Enumerable.Repeat((byte)1, 16).ToArray();
aes.IV = aes.Key;
//aes.Padding = PaddingMode.None;

var line = Encoding.Unicode.GetBytes("hello stackoverflow ");

// expected result
Print(Enumerable.Repeat(line, 3).SelectMany(i=>i).ToArray());

var enc = Enumerable.Repeat(aes.EncryptCbc(line, aes.IV), 3).SelectMany(i=>i).ToArray();

// getting data from stream, e.g. NetworkStream
using var mem = new MemoryStream(enc);

using var stream = new CryptoStream(mem, aes.CreateDecryptor(), CryptoStreamMode.Read);

var results = new byte[192];
var read = 0;
while(true){
    int r = stream.Read(results, read, results.Length - read);
    read += r;
    if(r==0)break;
}
Print(results);

Console.WriteLine(Encoding.Unicode.GetString(results));

void Print(byte[] arr){
    foreach (var b in arr)
    {
        Console.Write($"{b:X2} ");
    }
    Console.WriteLine();
}
Improve this question
10
  • 1
    In principle that shouldn't be a problem - AES does not rely on the length of the message. The issue here is more likely to be that you use the same aes instance for encryption and decryption. AES morphs its internal state as it goes. Commented Oct 5 at 21:57
  • 2
    Your read loop is invalid. You keep overwriting the data buffer with each new read. You need to advance the buffer pointer by r. Commented Oct 5 at 22:35
  • 1
    @user207421, it advances correctly with this call void Read(byte[] buffer, int offset, int limit) Commented Oct 6 at 7:37
  • @500-InternalServerError, afaik the state is not our concern as long we have correct key and IV on another machine Commented Oct 6 at 7:46
  • 1
    If you want to hide the message size, why not just pad your data? i.e. Make your message something like NumberOfValidBytes | ValidBytes | GarbageBytes. I don't see why you would need to mess with the encryption step at all. And what do you mean with "insecure protocol"? We typically use encryption to create a "secure" channel over an insecure one. Commented Oct 7 at 7:02

1 Answer 1

Reset to default
1

Decryption fails because the ciphertext used (enc) is invalid for AES-CBC.

With a valid AES-CBC ciphertext, when encrypting the first plaintext block, the initial IV is used as IV, and when encrypting the following plaintext blocks, the respective preceding ciphertext block is used as IV, see CBC. In addition, a valid AES-CBC ciphertext contains the (encrypted) padding bytes only at the end (if padding is used).

The ciphertext used (enc) in the posted example code, on the other hand, was generated by concatenating three AES-CBC single ciphertexts. The result is applied as ciphertext for AES-CBC decryption, which does not work because the last two single ciphertexts use the wrong IV for this (namely the initial IV) and the first two single ciphertexts also contain (encrypted) padding bytes.

If you want to stick with your approach (see a possible alternative in JonasH's comment), the correct IVs must be used for the encryption of the second and third single ciphertexts:

...
var ct1 = aes.EncryptCbc(line, aes.IV);
var ct2 = aes.EncryptCbc(line, ct1[^16..]);
var ct3 = aes.EncryptCbc(line, ct2[^16..]);
byte[] enc = [..ct1, ..ct2, ..ct3];
...

The ciphertext produced in this way can be decrypted using the posted decryption code.

However, the decrypted plaintext still contains the padding bytes. If your use case allows it, this problem could be solved e.g. with a custom padding, where all padding bytes have the same value (which must not occur in the plaintext), so that after decryption, the padding sequences can simply be removed (or used as separators). The default padding must be disabled for this purpose with PaddingMode.None.

Another approach is to use a stream cipher mode. Stream cipher modes do not require padding, so the padding problem would not arise in the first place. .NET supports CFB mode, e.g.:

aes.Padding = PaddingMode.None;
aes.Mode = CipherMode.CFB;
...
var ct1 = aes.EncryptCfb(line, aes.IV, PaddingMode.None);
var ct2 = aes.EncryptCfb(line, ct1[^16..], PaddingMode.None);
var ct3 = aes.EncryptCfb(line, ct2[^16..], PaddingMode.None);
byte[] enc = [..ct1, ..ct2, ..ct3];
...

.NET uses CFB-8 by default. However, it can also be switched to the more performant CFB-128 (via the FeedbackSize parameter). Unfortunately, this variant pads to 128 bits (due to an MS bug), which is completely unnecessary for a stream cipher, but can be easily fixed (by truncating the encrypted padding bytes after encryption or padding to the required length with arbitrary padding bytes before decryption).

More frequently than CFB mode, CTR mode, also a stream cipher mode, is used. To apply CTR mode, BouncyCastle must be used, as .NET does not natively support CTR mode. The determination of the IVs of the last two single ciphertexts must be modified so that it is compatible with CTR mode.

Note that reusing key-IV pairs is a vulnerability whose severity depends on the mode. For CTR (and CTR-based modes), it is a severe vulnerability.

Concerning your comment: AES-CBC only allows the encryption of plaintexts whose length is a multiple of the blocksize (16 bytes for AES). However, your plaintext has a length of 120 bytes (3x20 ASCII characters, UTF16LE encoded), which does not meet this condition. Either change the plaintext length (as pointed out in the error message The input data is not a complete block) or use a padding.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.