
Thread: Length of data to decrypt is invalid

  1. #1

    Thread Starter
    Lively Member FunkySloth's Avatar
    Join Date
    Aug 2016
    Posts
    89

    Length of data to decrypt is invalid

    Hi ,

    How many characters should I allow, to match the number of characters the crypto algorithm allows? This is my code:

    Code:
            using System;
            using System.Security.Cryptography;
            using System.Text;

            public static string Decrypt(string input)
            {
                byte[] Results;
                UTF8Encoding UTF8 = new UTF8Encoding();
                // Key = 16-byte MD5 digest of a fixed string, used as a two-key 3DES key
                MD5CryptoServiceProvider HashProvider = new MD5CryptoServiceProvider();
                byte[] TDESKey = HashProvider.ComputeHash(UTF8.GetBytes("ABCDCLEAR"));
                TripleDESCryptoServiceProvider TDESAlgorithm = new TripleDESCryptoServiceProvider();
                TDESAlgorithm.Key = TDESKey;
                TDESAlgorithm.Mode = CipherMode.ECB;
                TDESAlgorithm.Padding = PaddingMode.PKCS7;
                byte[] DataToDecrypt = Convert.FromBase64String(input); // Base64 text -> raw ciphertext bytes
                try
                {
                    // Throws CryptographicException if DataToDecrypt.Length is not a multiple of the 8-byte block size
                    ICryptoTransform Decryptor = TDESAlgorithm.CreateDecryptor();
                    Results = Decryptor.TransformFinalBlock(DataToDecrypt, 0, DataToDecrypt.Length);
                }
                finally
                {
                    TDESAlgorithm.Clear();
                    HashProvider.Clear();
                }
                return UTF8.GetString(Results);
            }
    This is the part responsible for the error:

    Code:
                    ICryptoTransform Decryptor = TDESAlgorithm.CreateDecryptor();
                    Results = Decryptor.TransformFinalBlock(DataToDecrypt, 0, DataToDecrypt.Length);
    Last edited by FunkySloth; Jul 17th, 2017 at 09:21 PM.

  2. #2

    Thread Starter
    Lively Member FunkySloth's Avatar
    Join Date
    Aug 2016
    Posts
    89

    Re: Length of data to decrypt is invalid

    I figured out that if the password consists of more than 6 characters, the decryption function fails. Can anyone tell me why?

    Thank you

  3. #3
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: Length of data to decrypt is invalid

    I think I'd have to see some encryption code and/or sample data to tell you why.

    The error message is very clear: the length of your byte array is not the right size. Many encryption algorithms output data with sizes that are always multiples of a certain number, usually 16. So if your input data isn't a multiple of that number, it's either got too many or too few bytes and can't be decrypted.

    So to see what's going on, we'd have to see the size of the original encrypted data and compare it to the size of the data you decode here. If they're different, something's wrong with how you're encoding or decoding the bytes to Base64. You also might've configured the algorithm differently in two cases.

    Also: every reliable example I see uses CryptoStream rather than directly using ICryptoTransform. Maybe that will help.

    Also: You might be a victim of the bathroom wall of code. ECB mode is cryptographically weak and considered one of the poorest means of encryption. This decryption code looks like a copy/paste of possibly the easiest encryption to crack that .NET can deliver. This is a very frustrating thing about security code: anything with a million examples is likely to be the most wrong solution.

    Also: 3DES is a very old algorithm and has known attacks. You should be using something stronger. Wikipedia has this to say about the security of 3DES:
    This can be considered broken, as the whole 3DES keyspace can be searched thoroughly by affordable consumer hardware today (2017).
    Consider using AES or Rijndael instead. They have the same API but aren't considered broken yet. But do definitely switch away from ECB mode.
    This answer is wrong. You should be using TableAdapter and Dictionaries instead.
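As an added example (not code from the thread), the following C# program reproduces the behaviour Sitten describes, using the same MD5-derived 3DES key as the original Encrypt/Decrypt so the numbers match the OP's code. PKCS7 padding always rounds the ciphertext up to a multiple of the 8-byte 3DES block, so the exception can only arise when the Base64 text is altered or truncated between Encrypt and Decrypt (the truncation below is a constructed stand-in for, e.g., a database column that is too short). It also shows the ECB property Sitten warns about: identical plaintext blocks come out as identical ciphertext blocks. The key derivation is kept only to match the thread; it is not a recommendation.

```csharp
// Added example, not from the thread: why Decrypt throws, and what ECB leaks.
using System;
using System.Security.Cryptography;
using System.Text;

static class EcbLengthDemo
{
    // Same key derivation as the thread's code: 16-byte MD5 digest of a fixed string,
    // which TripleDES treats as a two-key (K1,K2,K1) 3DES key. Reproduced only to match the thread.
    static byte[] ThreadKey()
    {
        using (var md5 = MD5.Create())
            return md5.ComputeHash(Encoding.UTF8.GetBytes("ABCDCLEAR"));
    }

    static byte[] Encrypt3DesEcb(byte[] plaintext)
    {
        using (var tdes = TripleDES.Create())
        {
            tdes.Key = ThreadKey();
            tdes.Mode = CipherMode.ECB;
            tdes.Padding = PaddingMode.PKCS7;
            using (var enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static byte[] Decrypt3DesEcb(byte[] ciphertext)
    {
        using (var tdes = TripleDES.Create())
        {
            tdes.Key = ThreadKey();
            tdes.Mode = CipherMode.ECB;
            tdes.Padding = PaddingMode.PKCS7;
            using (var dec = tdes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    static void Main()
    {
        // 1. PKCS7 padding always makes the output a multiple of the 8-byte block size,
        //    so a ciphertext that arrives unmodified can never have the "wrong" length.
        foreach (var pw in new[] { "abc", "abcdef", "abcdefg", "abcdefghijklmnop" })
        {
            byte[] ct = Encrypt3DesEcb(Encoding.UTF8.GetBytes(pw));
            Console.WriteLine($"{pw.Length,2} chars -> {ct.Length,2} ciphertext bytes, " +
                              $"{Convert.ToBase64String(ct).Length} Base64 chars");
        }

        // 2. Truncating the stored Base64 string (constructed here; think of a too-narrow
        //    database column) breaks the length and reproduces the thread's exception.
        string stored = Convert.ToBase64String(Encrypt3DesEcb(Encoding.UTF8.GetBytes("abcdefghijklmnop")));
        string truncated = stored.Substring(0, stored.Length - 4); // drops one Base64 quantum = 3 bytes
        try
        {
            Decrypt3DesEcb(Convert.FromBase64String(truncated));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Truncated ciphertext: " + ex.Message);
        }

        // 3. ECB leaks structure: identical 8-byte plaintext blocks give identical ciphertext blocks.
        byte[] repeated = Encoding.UTF8.GetBytes("PASSWORDPASSWORDPASSWORD"); // three identical 8-byte blocks
        byte[] ecb = Encrypt3DesEcb(repeated);
        string Block(byte[] b, int i) => BitConverter.ToString(b, i * 8, 8);
        Console.WriteLine("ECB block 0: " + Block(ecb, 0));
        Console.WriteLine("ECB block 1: " + Block(ecb, 1));
        Console.WriteLine("ECB block 2: " + Block(ecb, 2));
        Console.WriteLine("blocks equal: " + (Block(ecb, 0) == Block(ecb, 1) && Block(ecb, 1) == Block(ecb, 2)));
    }
}
```

Run it as a console application. The first section shows that 3, 6 and 7-character inputs all produce 8 ciphertext bytes (12 Base64 characters), so the input length alone cannot cause the error; the second section shows the exact exception from the thread appearing only once the Base64 text has lost characters; the third section shows why ECB is the wrong mode even if the length problem is fixed.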

  4. #4

    Thread Starter
    Lively Member FunkySloth's Avatar
    Join Date
    Aug 2016
    Posts
    89

    Re: Length of data to decrypt is invalid

    Hi Sitten,

    Glad I recalled this thread and saw your reply. You are right that I copy/pasted the Encrypt and Decrypt functions and made slight changes.

    This is the Encryption Code:

    Code:
            using System;
            using System.Security.Cryptography;
            using System.Text;

            public static string Encrypt(string input)
            {
                byte[] encryptResults;
                UTF8Encoding UTF8 = new UTF8Encoding();
                // Key = 16-byte MD5 digest of a fixed string, used as a two-key 3DES key (same as Decrypt)
                MD5CryptoServiceProvider HashProvider = new MD5CryptoServiceProvider();
                byte[] TDESKey = HashProvider.ComputeHash(UTF8.GetBytes("ABCDCLEAR"));
                TripleDESCryptoServiceProvider TDESAlgorithm = new TripleDESCryptoServiceProvider();
                TDESAlgorithm.Key = TDESKey;
                TDESAlgorithm.Mode = CipherMode.ECB;
                TDESAlgorithm.Padding = PaddingMode.PKCS7;
                byte[] DataToEncrypt = UTF8.GetBytes(input); // plaintext string -> UTF-8 bytes
                try
                {
                    // PKCS7 pads the output to a multiple of the 8-byte block size
                    ICryptoTransform Encryptor = TDESAlgorithm.CreateEncryptor();
                    encryptResults = Encryptor.TransformFinalBlock(DataToEncrypt, 0, DataToEncrypt.Length);
                }
                finally
                {
                    TDESAlgorithm.Clear();
                    HashProvider.Clear();
                }
                return Convert.ToBase64String(encryptResults); // raw ciphertext bytes -> Base64 text
            }
    However, since this creates a password for every user, the possibility of making it a multiple of 16 or whatever certain number is very low. So that may be the reason why it failed to decrypt the data.

  5. #5
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,486

    Re: Length of data to decrypt is invalid

    Are you using this to create passwords or store passwords? I am guessing that you are letting the user pick their own password and this is being used to store it...

    Before you proceed with this you might want to know that storing passwords in an encrypted and therefore reversible form is generally considered a bad practice; if someone gets access to the encrypted version of the password it is fairly trivial to get the un-encrypted password back.

    A better approach is to hash the password. This is a one-way thing, and whenever someone wants to log in you take the password they enter, hash it and compare hashes. This prevents you storing anything that can easily be used to get the original password back.

    Using a class like https://msdn.microsoft.com/en-us/lib...v=vs.110).aspx is probably a good starting point.

    If you want to be more secure you would add additional data (known as a salt) to the original password before computing the hash and then store the hash and the salt, this makes it harder to brute force multiple passwords.

  6. #6

    Thread Starter
    Lively Member FunkySloth's Avatar
    Join Date
    Aug 2016
    Posts
    89

    Re: Length of data to decrypt is invalid

    The user can pick their own password and it will be encrypted and stored in the database.

    Isn't it a hash approach? ABCDCLEAR is a salt added to original password?

    Code:
    HashProvider.ComputeHash(UTF8.GetBytes("ABCDCLEAR"));

  7. #7
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,486

    Re: Length of data to decrypt is invalid

    Most of the cryptographic functions expect the data to be of specific length, or multiples of a specific length - rather than trying to work this out yourself there is a class Rfc2898DeriveBytes that can derive the correct number of bytes for you and incorporate a provided salt.

    The RNGCryptoServiceProvider class is a cryptographically valid random number generator that can be used to

    The following code is a quick example and not properly tested; however, it should give you the idea of how to use these classes.

    Create a new console application and paste this into the Module1.vb

    Code:
      Imports System
      Imports System.Security.Cryptography

      Module Module1
          ' Run from the command line with the password as the first argument
          Sub Main(args As String())
              Dim password = args(0)
              Dim rnd As New RNGCryptoServiceProvider()
              Dim salt(23) As Byte ' 24 bytes: VB array bounds are inclusive (0 To 23)
              rnd.GetBytes(salt)
              Console.WriteLine("Salt : " + Convert.ToBase64String(salt))

              ' PBKDF2 (RFC 2898) of the password with the random salt
              Dim derived As New Rfc2898DeriveBytes(password, salt)
              derived.IterationCount = 1000
              Dim hash = derived.GetBytes(24)
              Console.WriteLine("hash : " + Convert.ToBase64String(hash))
          End Sub
      End Module
    If you run it from a command line and pass a password as an argument, it will output the salt and the hash to the console in Base64 format. In reality you would need to store both of these things in your database (or similar), as you would need to repeat the process using the provided password with the stored salt (use the original version, not the Base64-encoded version) to confirm the password matches.
    Last edited by PlausiblyDamp; Sep 9th, 2017 at 04:01 PM.
