Wednesday, December 10, 2008

If your encryption/decryption works in your test harness but it goes wrong in real life....

Had a bug in one of my (semi)secure data stores today.

Basically I was using the .Net cryptographic patter to encode and decode some strings that I didn't want to be in plain text in this website's database.

I had a unit test in place and the encryption/decryption was fine.

However, in 'real life' testing I saw my text get scrambled - the first few bytes of this text were often corrupted - and it didn't matter whether I used DESCryptoServiceProvider, RC2CryptoServiceProvider, etc

I spent some time looking at my byte to text converters to make sure that it wasn't them... and then I spotted the problem:

I wasn't always correctly initialising the Initialisation Vector (IV) for the encryption/decryption.

This worked fine in the test harnesses - as they always used the same IV and Key for every encrypt/decrypt (because they were in the same process) - but messed up in real use.

Moral of the story - if you are going to use the symmetric cryptographic services then always set both the Key and the IV.

No comments:

Post a Comment