2022年4月16日 星期六

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(三)

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(三)

2022-04-16

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(一)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(二)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html

環境:Visual Studio 2022 + ASP.NET + WebForm + Web Application + C#

測試一下

Default.aspx


<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" 
    Inherits="WebApplication1.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        key:<asp:TextBox ID="TextBox1" runat="server">1234567812345678</asp:TextBox><br />
        iv:<asp:TextBox ID="TextBox2" runat="server">1234567812345678</asp:TextBox><br />
        原文:<asp:TextBox ID="TextBox3" runat="server" Width="350px"></asp:TextBox><br />
        加密後:<asp:TextBox ID="TextBox4" runat="server" Width="350px"></asp:TextBox><br />
        解密後:<asp:TextBox ID="TextBox5" runat="server" Width="350px"></asp:TextBox><br />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click1" />

    </form>
</body>
</html>

Default.aspx.cs


using System;
using System.Security.Cryptography;
using System.Text;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            TextBox1.Text = "1234567812345678"; // key, iv
            TextBox2.Text = "1234567812345678"; // key, iv
            TextBox3.Text = "Test String";
        }

        protected void Button1_Click1(object sender, EventArgs e)
        {
            String encryptData = Encrypt(TextBox3.Text, TextBox1.Text, TextBox2.Text);
            TextBox4.Text = encryptData;

            String decryptData = Decrypt(TextBox4.Text, TextBox1.Text, TextBox2.Text);
            TextBox5.Text = decryptData;
        }
        public static string Encrypt(string toEncrypt, string key, string iv)
        {
            byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key);
            byte[] ivArray = UTF8Encoding.UTF8.GetBytes(iv);
            byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);

            //進階加密標準(英語:Advanced Encryption Standard,縮寫:AES)
            //https://zh.wikipedia.org/wiki/%E9%AB%98%E7%BA%A7%E5%8A%A0%E5%AF%86%E6%A0%87%E5%87%86

            // RijndaelManaged 類別
            // https://msdn.microsoft.com/zh-tw/library/system.security.cryptography.rijndaelmanaged(v=vs.110).aspx

            //區塊(Block)密碼工作模式(mode of operation)
            //https://zh.wikipedia.org/wiki/%E5%9D%97%E5%AF%86%E7%A0%81%E7%9A%84%E5%B7%A5%E4%BD%9C%E6%A8%A1%E5%BC%8F

            RijndaelManaged myRijndael = new RijndaelManaged();
            myRijndael.KeySize = 256;
            myRijndael.Key = keyArray;
            myRijndael.IV = ivArray;  // 初始化向量 initialization vector (IV)
            //myRijndael.Mode = CipherMode.ECB; // 微軟建議別用;可執行
            //myRijndael.Mode = CipherMode.CBC; // 預設;Fortify SCA 認為不安全;密碼分組連結(CBC,Cipher-block chaining)模式
            myRijndael.Mode = CipherMode.CFB; // Fortify SCA 認為安全;可執行
            //myRijndael.Mode = CipherMode.OFB; // Fortify SCA 認為安全;System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。'
                                                // 經查,RijndaelManaged目前不支援OFB模式。
            //myRijndael.Mode = CipherMode.CTS; // Fortify SCA 認為安全;System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。'
            //rijAlg.Mode = CipherMode.CTR; // Fortify SCA 建議,但沒有這種模式

            myRijndael.Padding = PaddingMode.Zeros;

            ICryptoTransform cTransform = myRijndael.CreateEncryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

            return Convert.ToBase64String(resultArray, 0, resultArray.Length);
        }

        public static string Decrypt(string toDecrypt, string key, string iv)
        {
            byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key);
            byte[] ivArray = UTF8Encoding.UTF8.GetBytes(iv);
            byte[] toEncryptArray = Convert.FromBase64String(toDecrypt);

            RijndaelManaged myRijndael = new RijndaelManaged();
            myRijndael.KeySize = 256;
            myRijndael.Key = keyArray;
            myRijndael.IV = ivArray;

            //myRijndael.Mode = CipherMode.ECB;
            //myRijndael.Mode = CipherMode.CBC;
            myRijndael.Mode = CipherMode.CFB;
            //myRijndael.Mode = CipherMode.OFB;
            //myRijndael.Mode = CipherMode.CTS;

            myRijndael.Padding = PaddingMode.Zeros;

            ICryptoTransform cTransform = myRijndael.CreateDecryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

            return UTF8Encoding.UTF8.GetString(resultArray);
        }

    }
}

實際測試,最後能用的只有 CFB模式


myRijndael.Mode = CipherMode.CFB; 

但也發現新問題,下面這篇 WinForm 解密字串是正常的,
[研究] [C#] AES-256-CBC 加密字串、解密字串
http://shaurong.blogspot.com/2016/11/c-aes-256-cbc_22.html

結果本篇 WebForm 解密後字串尾多了 �����,待研究。

後面的測試發現,疑似為 UTF8 問題,好像要改為 UniCode?待測。

**********
正常版本


[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(四)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_59.html

(完)

相關

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(一)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(二)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(三)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_16.html

[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(四)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_59.html




沒有留言:

張貼留言