[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 3)
2022-04-16
Continued from
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 1)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 2)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html
Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C#
Let's test it.
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        key:<asp:TextBox ID="TextBox1" runat="server">1234567812345678</asp:TextBox><br />
        iv:<asp:TextBox ID="TextBox2" runat="server">1234567812345678</asp:TextBox><br />
        Plaintext:<asp:TextBox ID="TextBox3" runat="server" Width="350px"></asp:TextBox><br />
        Encrypted:<asp:TextBox ID="TextBox4" runat="server" Width="350px"></asp:TextBox><br />
        Decrypted:<asp:TextBox ID="TextBox5" runat="server" Width="350px"></asp:TextBox><br />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click1" />
    </form>
</body>
</html>
Default.aspx.cs
using System;
using System.Security.Cryptography;
using System.Text;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            TextBox1.Text = "1234567812345678"; // key
            TextBox2.Text = "1234567812345678"; // iv
            TextBox3.Text = "Test String";
        }

        protected void Button1_Click1(object sender, EventArgs e)
        {
            String encryptData = Encrypt(TextBox3.Text, TextBox1.Text, TextBox2.Text);
            TextBox4.Text = encryptData;
            String decryptData = Decrypt(TextBox4.Text, TextBox1.Text, TextBox2.Text);
            TextBox5.Text = decryptData;
        }

        public static string Encrypt(string toEncrypt, string key, string iv)
        {
            byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key);
            byte[] ivArray = UTF8Encoding.UTF8.GetBytes(iv);
            byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);
            // Advanced Encryption Standard (AES)
            // https://zh.wikipedia.org/wiki/%E9%AB%98%E7%BA%A7%E5%8A%A0%E5%AF%86%E6%A0%87%E5%87%86
            // RijndaelManaged class
            // https://msdn.microsoft.com/zh-tw/library/system.security.cryptography.rijndaelmanaged(v=vs.110).aspx
            // Block cipher mode of operation
            // https://zh.wikipedia.org/wiki/%E5%9D%97%E5%AF%86%E7%A0%81%E7%9A%84%E5%B7%A5%E4%BD%9C%E6%A8%A1%E5%BC%8F
            RijndaelManaged myRijndael = new RijndaelManaged();
            myRijndael.KeySize = 256;
            myRijndael.Key = keyArray;
            myRijndael.IV = ivArray; // initialization vector (IV)
            //myRijndael.Mode = CipherMode.ECB; // Microsoft advises against it; runs
            //myRijndael.Mode = CipherMode.CBC; // default; Fortify SCA considers it insecure; Cipher Block Chaining (CBC) mode
            myRijndael.Mode = CipherMode.CFB; // Fortify SCA considers it secure; runs
            //myRijndael.Mode = CipherMode.OFB; // Fortify SCA considers it secure; throws System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。' (the specified cipher mode is not valid for this algorithm)
            // On inspection, RijndaelManaged currently does not support OFB mode.
            //myRijndael.Mode = CipherMode.CTS; // Fortify SCA considers it secure; throws System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。' (the specified cipher mode is not valid for this algorithm)
            //rijAlg.Mode = CipherMode.CTR; // suggested by Fortify SCA, but CipherMode has no such mode
            myRijndael.Padding = PaddingMode.Zeros;
            ICryptoTransform cTransform = myRijndael.CreateEncryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
            return Convert.ToBase64String(resultArray, 0, resultArray.Length);
        }

        public static string Decrypt(string toDecrypt, string key, string iv)
        {
            byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key);
            byte[] ivArray = UTF8Encoding.UTF8.GetBytes(iv);
            byte[] toEncryptArray = Convert.FromBase64String(toDecrypt);
            RijndaelManaged myRijndael = new RijndaelManaged();
            myRijndael.KeySize = 256;
            myRijndael.Key = keyArray;
            myRijndael.IV = ivArray;
            //myRijndael.Mode = CipherMode.ECB;
            //myRijndael.Mode = CipherMode.CBC;
            myRijndael.Mode = CipherMode.CFB;
            //myRijndael.Mode = CipherMode.OFB;
            //myRijndael.Mode = CipherMode.CTS;
            myRijndael.Padding = PaddingMode.Zeros;
            ICryptoTransform cTransform = myRijndael.CreateDecryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
            return UTF8Encoding.UTF8.GetString(resultArray);
        }
    }
}
In actual testing, the only mode that ended up working was CFB:
myRijndael.Mode = CipherMode.CFB;
But a new problem also appeared. In the WinForm post below, the decrypted string is normal:
[Research][C#] AES-256-CBC encrypt string, decrypt string
http://shaurong.blogspot.com/2016/11/c-aes-256-cbc_22.html
but in this WebForm post the decrypted string has ����� appended at the end; to be investigated.
Later tests suggest this is a UTF8 issue; it seems it should be changed to Unicode? To be tested.
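As an added example (not code from the original post), the console program below runs the same CFB round trip as the page's Encrypt/Decrypt pair and inspects the raw decrypted bytes. It shows that PaddingMode.Zeros pads the 11-byte "Test String" to a 16-byte block and that the decryptor cannot strip those zero bytes (it has no way to tell padding from data), so five U+0000 characters survive into the string; a browser renders NUL inside an input's value attribute as �. PKCS7 padding is shown beside it for comparison. The key and IV are the post's constructed test values, and the code assumes .NET Framework 4.x like the post's project.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PaddingDemo
{
    // Encrypt then decrypt with RijndaelManaged in CFB mode (as in the post),
    // returning the raw decrypted bytes so the padding can be inspected.
    public static byte[] RoundTrip(byte[] plain, byte[] key, byte[] iv, PaddingMode padding)
    {
        using (var aes = new RijndaelManaged())
        {
            aes.Key = key;            // 16 bytes => AES-128 (assigning Key sets KeySize)
            aes.IV = iv;              // fixed test IV only; a real IV must be random and unique per message
            aes.Mode = CipherMode.CFB;
            aes.Padding = padding;
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(cipher, 0, cipher.Length);
        }
    }

    // Count trailing 0x00 bytes: zero padding the decryptor could not remove.
    public static int TrailingZeros(byte[] data)
    {
        int n = 0;
        for (int i = data.Length - 1; i >= 0 && data[i] == 0; i--) n++;
        return n;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("1234567812345678"); // constructed test key (from the post)
        byte[] iv = Encoding.UTF8.GetBytes("1234567812345678");  // constructed test IV (from the post)
        byte[] plain = Encoding.UTF8.GetBytes("Test String");    // 11 bytes, 5 short of a 16-byte block

        byte[] zeros = RoundTrip(plain, key, iv, PaddingMode.Zeros);
        byte[] pkcs7 = RoundTrip(plain, key, iv, PaddingMode.PKCS7);

        // Zeros: 16 bytes come back, 5 of them NUL. PKCS7: exactly the original 11 bytes.
        Console.WriteLine("Zeros : {0} bytes, {1} trailing NUL", zeros.Length, TrailingZeros(zeros));
        Console.WriteLine("PKCS7 : {0} bytes, {1} trailing NUL", pkcs7.Length, TrailingZeros(pkcs7));

        // The five NUL characters are what the WebForm TextBox displays as "�".
        string decoded = Encoding.UTF8.GetString(zeros);
        Console.WriteLine("Decoded length {0}, equals original after TrimEnd('\\0'): {1}",
            decoded.Length, decoded.TrimEnd('\0') == "Test String");
    }
}
```

Switching the padding mode affects only the trailing bytes; the mode-of-operation finding Fortify raises is a separate question, since neither CBC nor CFB provides integrity protection on its own.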
**********
Working version
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 4)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_59.html
(End)
Related
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 1)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 2)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 3)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_16.html
[Research][ASP.NET] Resolving the Fortify SCA report "Weak Encryption: Insecure Mode of Operation" on CipherMode.CBC (Part 4)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_59.html