joshfree
commented
8 years ago Related issue tracking NotImplementedException areas https://github.com/dotnet/corefx/issues/1993
Closed guardrex closed 4 years ago
joshfree
commented
8 years ago Related issue tracking NotImplementedException areas https://github.com/dotnet/corefx/issues/1993
bartonjs
commented
8 years ago @GuardRex Thanks for reporting it, I hadn't noticed that the checkin didn't define the create method.
But: What makes AES unsuitable in context?
guardrex
commented
8 years ago @bartonjs Nothing at all. I know ... TripleDES sucks from a security standpoint. I just wanted to run a test with another package and needed a quick symmetric algorithm with a common key and had that code lying around. I saw that it wasn't implemented but thought it was on the backlog somewhere, so that's why I asked about it. It's not critical to what I'm testing that I use TripleDES.
bartonjs
commented
8 years ago @eerhardt Would you want to take a crack at this one? I think what happened is the base class got defined, and TripleDESCng got defined in the Cng library for exposure with existing stored keys; but the lightweight (and Unix) implementations didn't get defined. So, like with the Aes implementation, a barebones Windows/Unix version should be in this library.
Once we get the forward referencing in platform-specific packages stuff working we could debate changing the Windows version to be a wrapper/forwarder over TripleDESCng.
eerhardt
commented
8 years ago I'll take a crack at it.
morganbr
commented
8 years ago @GuardRex obligatory security notes for posterity:
guardrex
commented
8 years ago @morganbr I've been using BCrypt for years. I needed a quick-and-dirty (non-production) symmetric key algorithm for some testing. I didn't check to see if there is a CoreCLR-friendly BCrypt package available, and I had that TripleDES code readily available. I'd prefer to never us it for anything, even testing. How about something like this, which I cobbled together from a few bits online and concepts ...
public class GuardRexEncryption
{
private static byte[] key = { <KEY_BYTES_HERE> };
private ICryptoTransform encryptor, decryptor;
private UTF8Encoding encoder;
private Aes alg;
public GuardRexEncryption()
{
alg = Aes.Create();
encoder = new UTF8Encoding();
}
public string Encrypt(string unencrypted)
{
alg.GenerateIV();
return GetString(Encrypt(encoder.GetBytes(unencrypted), alg.IV)) + ";" + GetString(alg.IV);
}
public string Decrypt(string encrypted)
{
string[] splitStr = encrypted.Split(';');
return encoder.GetString(Decrypt(GetBytes(splitStr[0]), GetBytes(splitStr[1])));
}
private byte[] Encrypt(byte[] buffer, byte[] vector)
{
encryptor = alg.CreateEncryptor(key, vector);
return Transform(buffer, encryptor);
}
private byte[] Decrypt(byte[] buffer, byte[] vector)
{
decryptor = alg.CreateDecryptor(key, vector);
return Transform(buffer, decryptor);
}
private string GetString(byte[] input)
{
return Convert.ToBase64String(input);
}
private byte[] GetBytes(string input)
{
return Convert.FromBase64String(input);
}
protected byte[] Transform(byte[] buffer, ICryptoTransform transform)
{
MemoryStream stream = new MemoryStream();
using (CryptoStream cs = new CryptoStream(stream, transform, CryptoStreamMode.Write))
{
cs.Write(buffer, 0, buffer.Length);
}
return stream.ToArray();
}
}@GuardRex looks good. You raise a good point on bcrypt -- we should consider having algorithms that are more commonly used on Linux. I've filed dotnet/corefx#4986 to investigate what we might want.
guardrex
commented
8 years ago @morganbr Thanks for checking me on that. I used this the other day, its perfect for what I usually need for this type of thing ... and the bonus of not having to add another package to an app for something so simple is a nice bonus. Thanks again! :beers:
I get a "not implemented" exception if I try to use TripleDES. What's the preferred "simple" and "not so secure but easy and fast" way to symmetrically encrypt/decrypt a string with a key in a dnxcore50 project?