How should my code deal with intentional use of the wrong crypto key?
I am using the following:
    RijndaelManaged rm = new RijndaelManaged();
    encryptor = rm.CreateEncryptor(key, vector);
    decryptor = rm.CreateDecryptor(key, vector);
    rm.Padding = PaddingMode.None;
This works well for me. However, when I try to intentionally use an incorrect key I get an exception when decoding here:
    public byte[] Decrypt(byte[] buffer) {
        MemoryStream decryptStream = new MemoryStream();
        using (CryptoStream cs = new CryptoStream(decryptStream, decryptor, CryptoStreamMode.Write)) {
            cs.Write(buffer, 0, buffer.Length);
        }
        return decryptStream.ToArray();
    }
System.Security.Cryptography.CryptographicException was unhandled by user code
Message=Padding is invalid and cannot be removed.
Is there some way I can cleanly manage this and is this to be expected if I on purpose use the WRONG key?
Now I changed this to the following based on a suggestion below:
    public byte[] Decrypt(byte[] buffer)
    {
        try {
            MemoryStream decryptStream = new MemoryStream();
            using (CryptoStream cs = new CryptoStream(decryptStream, decryptor, CryptoStreamMode.Write))
            {
                cs.Write(buffer, 0, buffer.Length);
            }
            return decryptStream.ToArray();
        } catch(CryptographicException e){
            //... do something with it ...
            return null;
        }
    }
How can I pass up the exception to the next method which is:
    public string DecryptFromUrl(string encrypted)
    {
        return Decrypt(HttpUtility.UrlDecode(encrypted));
    }
In any case you should be try { ... } catching() the error and handling it from there. You could return a specific error, generic error, log it etc depending on your requirements.
    try
    {
        // ... code ...
    }
    catch (CryptographicException e)
    {
        // ... do something with it ...
    }
It's OK for the Decrypt method to throw an exception when it can't decrypt - that's what the exceptions are used for. However, it would be better to throw some custom exception instead of the System.Security.Cryptography.CryptographicException which is specific to your current implementation. For example, you may change the Decrypt method to do this:
    public byte[] Decrypt(byte[] buffer)
    {
        MemoryStream decryptStream = new MemoryStream();
        try
        {
            using (CryptoStream cs = new CryptoStream(decryptStream, decryptor, CryptoStreamMode.Write))
            {
                cs.Write(buffer, 0, buffer.Length);
            }
        }
        catch ( CryptographicException ex )
        {
            throw new InvalidKeyException(ex);
        }
        return decryptStream.ToArray();
    }
Where InvalidKeyException is a class that derives from System.Exception. Now, assuming the decrypt method is part of a class called EncryptionProvider, you can call it like this:
    EncryptionProvider encryptionProvider;
    // initialize the encryptionProvider with the key
    try
    {
        byte[] decryptedData = encryptionProvider.Decrypt( encryptedData );
        // use decryptedData here - it's decrypted with the correct key
    }
    catch ( InvalidKeyException )
    {
        // Handle the "wrong key" case here. You may notify the user that they are
        // not authorized to access this information or something similar,
        // depending on your application logic
    }
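An added example, not part of the original question or answers: catching the padding exception only detects a wrong key when the decrypted bytes happen to have invalid padding, so this code appends an HMAC-SHA256 tag over the IV and ciphertext and checks it before decrypting, raising the custom exception named in the answer above. The class layout, the two separate 32-byte keys, and the IV || ciphertext || tag format are assumptions, and CryptographicOperations.FixedTimeEquals requires .NET Core 2.1 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Hypothetical exception type, named after the one used in the answer above.
public class InvalidKeyException : Exception
{
    public InvalidKeyException(string message, Exception inner = null) : base(message, inner) { }
}
// Hypothetical provider: AES-CBC (PKCS7) followed by HMAC-SHA256 over IV || ciphertext.
public class EncryptionProvider
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] encKey, macKey;   // two independent 32-byte keys (assumption)
    public EncryptionProvider(byte[] encKey, byte[] macKey) { this.encKey = encKey; this.macKey = macKey; }

    public byte[] Encrypt(byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV();                 // fresh random IV for every message
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            using (HMACSHA256 mac = new HMACSHA256(macKey))
                return body.Concat(mac.ComputeHash(body)).ToArray();   // IV || ct || tag
        }
    }

    public byte[] Decrypt(byte[] message)
    {
        if (message.Length < IvLen + 16 + TagLen)
            throw new InvalidKeyException("Message too short");
        byte[] body = message.Take(message.Length - TagLen).ToArray();
        byte[] tag = message.Skip(body.Length).ToArray();
        using (HMACSHA256 mac = new HMACSHA256(macKey))
            if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(body), tag))
                throw new InvalidKeyException("Wrong key or modified ciphertext");
        try
        {
            using (Aes aes = Aes.Create())
            using (ICryptoTransform dec = aes.CreateDecryptor(encKey, body.Take(IvLen).ToArray()))
                return dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
        }
        catch (CryptographicException ex) { throw new InvalidKeyException("Decryption failed", ex); }
    }
}
```

A caller such as DecryptFromUrl can let InvalidKeyException propagate and return one generic failure to the client, since a tag mismatch does not distinguish a wrong key from altered input.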