Closed EdAdvokat closed 3 years ago
I tried to reproduce this bug but failed to do so. Here's the test application I used. Can you share some code you used while you got this exception?
program Cipher_Console;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  System.SysUtils,
  DECCipherBase,
  DECCipherModes,
  DECCipherFormats,
  DECCiphers;

var
  Cipher     : TCipher_AES;
  // We use raw byte string here since Unicode handling of Windows console
  // is not given
  SourceText : RawByteString;
  // Key for the initialization of our encryption run
  CipherKey  : RawByteString;
  IV         : RawByteString;
  Input,
  Output     : TBytes;
  i          : Integer;
begin
  Cipher := TCipher_AES.Create;
  try
    try
      // Init our encryption
      CipherKey := 'Passwort1234567890';
      IV := #0#0#0#0#0#0#0#0;
      Cipher.Init(CipherKey, IV, 0);
      Cipher.Mode := cmCBCx;

      SourceText := 'Beispielklartext';
      WriteLn('Source text: ' + SourceText);
      Input := System.SysUtils.BytesOf(SourceText);

      // Encrypt
      Output := Cipher.EncodeBytes(Input);
      Write('Encrypted data in hex: ');
      for i := 0 to high(Output) do
        Write(IntToHex(Output[i], 2), ' ');
      WriteLn;

      // Decrypt
      Cipher.Init(CipherKey, IV, 0);
      Output := Cipher.DecodeBytes(Output);
      SourceText := RawByteString(System.SysUtils.StringOf(Output));
      WriteLn('Decrypted data: ' + SourceText);

      // Show that using a different key results in a different output
      WriteLn;
      CipherKey := 'Password';
      Cipher.Init(CipherKey, IV, 0);
      Output := Cipher.DecodeBytes(Output);
      SourceText := RawByteString(System.SysUtils.StringOf(Output));
      WriteLn('Decrypted with different key: ' + SourceText);

      ReadLn;
    except
      on E: Exception do
        Writeln(E.ClassName, ': ', E.Message);
    end;
  finally
    Cipher.Free;
  end;
end.
Even when changing the mode from CBCx to ECBx I didn't get any exception. Debugging reveals that there is a check against Context.KeySize, which is 32 for this AES implementation and thus higher than your 18-byte key. Or is your key a regular Unicode string? Then the key length would be double on Win32, as a Unicode string is UTF-16.
OK, the poster of this bug report informed me that he produced the exception by testing ProgressDemoVCL and that he added 1234567890 to the password.
I can reproduce it with that information and I'll modify the demo application. The issue arises because, when called like this, Delphi calls the WideString-based variant of the Init method, and this uses 2 bytes per character, so with his longer key he produces a key longer than the maximum allowed key length of 32 bytes.
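The length difference described above, shown as an added example that is not part of the original thread or of DEC: the same password is converted to key bytes with an explicit encoding and checked against the 32-byte limit named in the thread before it would reach the cipher. `KeyBytesFor`, `Report` and `MaxKeySize` are hypothetical names, and the 16-character password is a constructed sample.

```delphi
program KeyLengthCheck;

{$APPTYPE CONSOLE}

uses
  System.SysUtils;

const
  // Assumption: the Context.KeySize value for AES quoted in this thread
  MaxKeySize = 32;

// Hypothetical helper (not a DEC function): encodes the password explicitly
// and rejects key material longer than the cipher accepts.
function KeyBytesFor(const Password: string; Encoding: TEncoding): TBytes;
begin
  Result := Encoding.GetBytes(Password);
  if Length(Result) > MaxKeySize then
    raise EArgumentException.CreateFmt(
      'key material is %d bytes, maximum is %d',
      [Length(Result), MaxKeySize]);
end;

// Prints whether the password fits the limit under the given encoding.
procedure Report(const Password: string; Encoding: TEncoding;
  const EncodingLabel: string);
begin
  try
    WriteLn(Format('%-20s %-9s accepted, %d bytes',
      [Password, EncodingLabel, Length(KeyBytesFor(Password, Encoding))]));
  except
    on E: EArgumentException do
      WriteLn(Format('%-20s %-9s rejected: %s',
        [Password, EncodingLabel, E.Message]));
  end;
end;

begin
  // 18 characters, one byte each: what a RawByteString key carries
  Report('Passwort1234567890', TEncoding.UTF8, 'UTF-8');
  // Same 18 characters at two bytes each: what a string/WideString overload sees
  Report('Passwort1234567890', TEncoding.Unicode, 'UTF-16LE');
  // Constructed 16-character password: exactly at the limit under UTF-16
  Report('Passwort12345678', TEncoding.Unicode, 'UTF-16LE');
end.
```

Passing the resulting bytes to the cipher, rather than a string literal, keeps the key length independent of which overload the compiler selects.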
I have used a key with 18 digits and get an exception afterwards: Keymaterial is too large for use (securityissue). With a key of 16 characters the program runs without errors.