[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(四)
2022-04-16
續
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(一)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(二)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(三)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_16.html
環境:Visual Studio 2022 + ASP.NET + WebForm + Web Application + C#
參考下面這篇進行修改
RijndaelManaged 類別 (System.Security.Cryptography) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.security.cryptography.rijndaelmanaged?view=net-6.0
Default2.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default2.aspx.cs"
Inherits="WebApplication1.Default2" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<form id="form1" runat="server">
key:<asp:TextBox ID="TextBox1" runat="server" Width="350px"></asp:TextBox><br />
iv:<asp:TextBox ID="TextBox2" runat="server" Width="350px"></asp:TextBox><br />
原文:<asp:TextBox ID="TextBox3" runat="server" Width="350px"></asp:TextBox><br />
加密後:<asp:TextBox ID="TextBox4" runat="server" Width="350px"></asp:TextBox><br />
解密後:<asp:TextBox ID="TextBox5" runat="server" Width="350px"></asp:TextBox><br />
<asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click1" /><br />
<asp:Label ID="Label_MSG" runat="server"></asp:Label>
</form>
</body>
</html>
|
Default2.aspx.cs
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace WebApplication1
{
public partial class Default2 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
TextBox1.Text = "1234567812345678"; // key, iv
TextBox2.Text = "12345678"; // key, iv 長度必須是 8
TextBox3.Text = "Test String";
}
// https://docs.microsoft.com/zh-tw/dotnet/api/system.security.cryptography.rijndaelmanaged?view=net-6.0
protected void Button1_Click1(object sender, EventArgs e)
{
try
{
string original = "Here is some data to encrypt!";
// Create a new instance of the RijndaelManaged
// class. This generates a new key and initialization
// vector (IV).
using (RijndaelManaged rijAlg = new RijndaelManaged())
{
// 亂碼,不喜歡,保存不方便
//rijAlg.GenerateKey();
//rijAlg.GenerateIV();
//TextBox1.Text = System.Text.Encoding.Unicode.GetString(rijAlg.Key);
//TextBox2.Text = System.Text.Encoding.Unicode.GetString(rijAlg.IV);
//TextBox5.Text = TextBox2.Text.Length.ToString();
rijAlg.Key = System.Text.Encoding.Unicode.GetBytes(TextBox1.Text);
//指定的初始化向量 (IV) 不符合此演算法的區塊大小。
// Rijndael IV size doesn't match block size
//byte[] iv = new byte[128];
//string ivStr = "";
//for (int i = 0; i < 16; i++)
// ivStr += "12345678";
//TextBox2.Text = ivStr;
rijAlg.IV = System.Text.Encoding.Unicode.GetBytes(TextBox2.Text);
// Encrypt the string to an array of bytes.
byte[] encrypted = EncryptStringToBytes(original, rijAlg.Key, rijAlg.IV);
// Decrypt the bytes to a string.
string roundtrip = DecryptStringFromBytes(encrypted, rijAlg.Key, rijAlg.IV);
//Display the original data and the decrypted data.
//Console.WriteLine("Original: {0}", original);
//Console.WriteLine("Round Trip: {0}", roundtrip);
TextBox4.Text = original;
TextBox5.Text = roundtrip;
}
}
catch (Exception ex)
{
//Console.WriteLine("Error: {0}", e.Message);
Label_MSG.Text = "不明錯誤。";
if (ex!=null)
Label_MSG.Text = ex.Message;
}
}
static byte[] EncryptStringToBytes(string plainText, byte[] Key, byte[] IV)
{
// Check arguments.
if (plainText == null || plainText.Length <= 0)
throw new ArgumentNullException("plainText");
if (Key == null || Key.Length <= 0)
throw new ArgumentNullException("Key");
if (IV == null || IV.Length <= 0)
throw new ArgumentNullException("IV");
byte[] encrypted;
// Create an RijndaelManaged object
// with the specified key and IV.
using (RijndaelManaged rijAlg = new RijndaelManaged())
{
rijAlg.Key = Key;
rijAlg.IV = IV;
//rijAlg.Mode = CipherMode.ECB; // 微軟建議別用;可執行
//rijAlg.Mode = CipherMode.CBC; // 預設,Fortify SCA 認為不安全
rijAlg.Mode = CipherMode.CFB; // Fortify SCA 認為安全;可執行
//rijAlg.Mode = CipherMode.OFB; // Fortify SCA 認為安全;System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。'
// 經查,RijndaelManaged目前不支援OFB模式。
//rijAlg.Mode = CipherMode.CTS; // Fortify SCA 認為安全;System.Security.Cryptography.CryptographicException: '指定的 Cipher 模式對此演算法而言是無效的。'
//rijAlg.Mode = CipherMode.CTR; // Fortify SCA 建議,但沒有這種模式
// Create an encryptor to perform the stream transform.
ICryptoTransform encryptor = rijAlg.CreateEncryptor(rijAlg.Key, rijAlg.IV);
// Create the streams used for encryption.
using (MemoryStream msEncrypt = new MemoryStream())
{
using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
{
//Write all data to the stream.
swEncrypt.Write(plainText);
}
encrypted = msEncrypt.ToArray();
}
}
}
// Return the encrypted bytes from the memory stream.
return encrypted;
}
static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
{
// Check arguments.
if (cipherText == null || cipherText.Length <= 0)
throw new ArgumentNullException("cipherText");
if (Key == null || Key.Length <= 0)
throw new ArgumentNullException("Key");
if (IV == null || IV.Length <= 0)
throw new ArgumentNullException("IV");
// Declare the string used to hold
// the decrypted text.
string plaintext = null;
// Create an RijndaelManaged object
// with the specified key and IV.
using (RijndaelManaged rijAlg = new RijndaelManaged())
{
rijAlg.Key = Key;
rijAlg.IV = IV;
rijAlg.Mode = CipherMode.CFB;
// Create a decryptor to perform the stream transform.
ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);
// Create the streams used for decryption.
using (MemoryStream msDecrypt = new MemoryStream(cipherText))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Read the decrypted bytes from the decrypting stream
// and place them in a string.
plaintext = srDecrypt.ReadToEnd();
}
}
}
}
return plaintext;
}
}
} |
實際測試
(完)
相關
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(一)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak.html
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(二)
https://shaurong.blogspot.com/2022/04/aspnetaspnetfortify-sca-ciphermodecbc.html
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(三)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_16.html
[研究][ASP.NET]Fortify SCA 報告 CipherMode.CBC 有 Weak Encryption: Insecure Mode of Operation 問題之解決(四)
https://shaurong.blogspot.com/2022/04/aspnetfortify-sca-ciphermodecbc-weak_59.html
[研究] [C#] AES-256-CBC 加密字串、解密字串
http://shaurong.blogspot.com/2016/11/c-aes-256-cbc_22.html
System.Security.Cryptography 命名空間 | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.security.cryptography?view=net-6.0
沒有留言:
張貼留言