We have a legacy ASP.NET site which uses the encryption methods here:
http://www.codekeep.net/snippets/af1cd375-059a-4175-93d7-25eea2c5c660.aspx
When we call the following method, the page loads very slowly and eventually Connection Reset is returned:
Decrypt(" ", true);
If the method is called multiple times in subsequent page requests, the Application Pool goes down.
This is occurring on a Windows 2008 server running .NET framework v3.5.
I narrowed the problem down to the TransformFinalBlock() call.
NOTE: on Cassini, I do not get a connection timeout; instead the following exception is thrown:
System.Security.Cryptography.CryptographicException: Bad Data
Calling Decrypt() for other strings causes no problems in any environment.
Why is this happening? Is it a bug in TripleDESCryptoServiceProvider?
Obviously, I could filter the cipherString to reject " " and avoid this particular issue. However, I am worried that some other cipherString values that I am not suspecting will cause the DoS.
UPDATE 2011.06.28
The following is the minimal code to reproduce the issue:
using System.Security.Cryptography;
using System.Text;

// problem occurs when toEncryptArray is an empty array {}
byte[] toEncryptArray = {};
// derive a 16-byte (two-key) TripleDES key from the MD5 of the passphrase
MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
byte[] keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes("dummy_key"));
hashmd5.Clear();
TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
tdes.Key = keyArray;
tdes.Mode = CipherMode.ECB;
tdes.Padding = PaddingMode.PKCS7;
ICryptoTransform cTransform = tdes.CreateDecryptor();
// the following line can crash the ASP.NET Application Pool (may need to call multiple times).
byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
tdes.Clear();
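The safer approach is not to filter " " specifically but to validate the decoded ciphertext before it ever reaches TransformFinalBlock(): with PKCS7 padding, valid TripleDES ciphertext is always a non-zero multiple of the 8-byte block size, so an empty array or any other length is rejected up front, and a CryptographicException from the decryptor is caught so it cannot take down the worker process. The following wrapper is an added example, not the codekeep snippet or anyone's production code. It assumes the original Decrypt() Base64-decodes its input (Convert.FromBase64String ignores whitespace, which is why " " yields an empty array), reuses the MD5-derived key and ECB/PKCS7 settings from the question's repro, and targets .NET 3.5 syntax. The names SafeTripleDes, TryDecrypt and Encrypt are hypothetical, and the inputs in Main are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical hardened wrapper around the question's TripleDES usage.
public static class SafeTripleDes
{
    private const int BlockSize = 8; // TripleDES block size in bytes

    // Key derivation taken from the question's repro: MD5 of the passphrase,
    // giving a 16-byte (two-key) TripleDES key.
    private static byte[] DeriveKey(string key)
    {
        using (MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider())
        {
            return md5.ComputeHash(Encoding.UTF8.GetBytes(key));
        }
    }

    private static TripleDESCryptoServiceProvider CreateCipher(string key)
    {
        TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
        tdes.Key = DeriveKey(key);
        tdes.Mode = CipherMode.ECB;       // as in the question; kept for fidelity
        tdes.Padding = PaddingMode.PKCS7;
        return tdes;
    }

    // Returns false instead of throwing for any input that cannot be valid ciphertext.
    public static bool TryDecrypt(string cipherString, string key, out string plainText)
    {
        plainText = null;

        // 1. Reject null, empty and whitespace-only strings (" " decodes to zero bytes).
        if (string.IsNullOrEmpty(cipherString) || cipherString.Trim().Length == 0)
            return false;

        // 2. Reject strings that are not Base64 at all.
        byte[] cipherBytes;
        try { cipherBytes = Convert.FromBase64String(cipherString); }
        catch (FormatException) { return false; }

        // 3. PKCS7-padded ciphertext is never empty and is always a block multiple,
        //    so anything else is rejected before TransformFinalBlock() is called.
        if (cipherBytes.Length == 0 || cipherBytes.Length % BlockSize != 0)
            return false;

        // 4. Bad padding or a wrong key still throws; catch it instead of letting it
        //    propagate out of the request.
        using (TripleDESCryptoServiceProvider tdes = CreateCipher(key))
        using (ICryptoTransform decryptor = tdes.CreateDecryptor())
        {
            try
            {
                byte[] result = decryptor.TransformFinalBlock(cipherBytes, 0, cipherBytes.Length);
                plainText = Encoding.UTF8.GetString(result);
                return true;
            }
            catch (CryptographicException)
            {
                return false;
            }
        }
    }

    public static string Encrypt(string plainText, string key)
    {
        byte[] data = Encoding.UTF8.GetBytes(plainText);
        using (TripleDESCryptoServiceProvider tdes = CreateCipher(key))
        using (ICryptoTransform encryptor = tdes.CreateEncryptor())
        {
            return Convert.ToBase64String(encryptor.TransformFinalBlock(data, 0, data.Length));
        }
    }

    public static void Main()
    {
        const string key = "dummy_key"; // constructed passphrase, as in the question's repro
        string[] samples =
        {
            " ",                                   // the case from the question: decodes to {}
            "AAAA",                                // valid Base64 but 3 bytes, not a block multiple
            "not base64!",                         // FormatException path
            Encrypt("hello", key),                 // well-formed ciphertext
        };
        foreach (string s in samples)
        {
            string result;
            bool ok = TryDecrypt(s, key, out result);
            Console.WriteLine("{0,-30} -> {1}", "\"" + s + "\"", ok ? result : "rejected");
        }
    }
}
```

The length check in step 3 is what prevents the empty-array call the question isolates; steps 1 and 2 just make the rejection explicit and cheap. ECB mode and an MD5-derived key are preserved only because the question's code uses them, not as a recommendation.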