Had a bug in one of my (semi)secure data stores today.
Basically I was using the .Net cryptographic patter to encode and decode some strings that I didn't want to be in plain text in this website's database.
I had a unit test in place and the encryption/decryption was fine.
However, in 'real life' testing I saw my text get scrambled - the first few bytes of this text were often corrupted - and it didn't matter whether I used DESCryptoServiceProvider, RC2CryptoServiceProvider, etc
I spent some time looking at my byte to text converters to make sure that it wasn't them... and then I spotted the problem:
I wasn't always correctly initialising the Initialisation Vector (IV) for the encryption/decryption.
This worked fine in the test harnesses - as they always used the same IV and Key for every encrypt/decrypt (because they were in the same process) - but messed up in real use.
Moral of the story - if you are going to use the symmetric cryptographic services then always set both the Key and the IV.
No comments:
Post a Comment