c#


Security test for AES


I dont know how to start this but I want to know if how am I gonna test how secured my program specifically the application of AES which I just copied on MSDN.
I'm no expert at application security, neither much knowledge about the security issues.
Much better if there are software that automatically do it for me.
This is the code I copied:
static byte[] EncryptStringToBytes_Aes(string plainText, byte[] Key, byte[] IV)
{
// Check arguments.
if (plainText == null || plainText.Length <= 0)
throw new ArgumentNullException("plainText");
if (Key == null || Key.Length <= 0)
throw new ArgumentNullException("Key");
if (IV == null || IV.Length <= 0)
throw new ArgumentNullException("IV");
byte[] encrypted;
// Create an AesManaged object
// with the specified key and IV.
using (AesManaged aesAlg = new AesManaged())
{
aesAlg.Key = Key;
aesAlg.IV = IV;
// Create a decrytor to perform the stream transform.
ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
// Create the streams used for encryption.
using (MemoryStream msEncrypt = new MemoryStream())
{
using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
{
//Write all data to the stream.
swEncrypt.Write(plainText);
}
encrypted = msEncrypt.ToArray();
}
}
}
// Return the encrypted bytes from the memory stream.
return encrypted;
}
That code just uses AES/CBC. That's fine providing confidentiality for data at rest. As usual it leaks information about the input length.
Furthermore, it doesn't provide integrity or authenticity, so anybody can change the ciphertext. This means that if this is a valid attack scenario that parts of the plaintext will come out garbled.
It doesn't provide any protection within transport protocols by itself. It's pretty easy to even leak the entire plaintext due to padding oracle attacks.
The key should be derived from a password using a password hash such as PBKDF2 or it should be randomly generated.
If you reuse the key for CBC then the IV should be non-predictable (by using a secure random generator). The IV is usually put in front of the ciphertext.
The code doesn't show any of these properties.
In other words, it depends very much on the use and possible attack vectors if the code above is secure or not. AES is secure, but that in itself doesn't provide any protection.
The code is AES/CBC, nothing more, nothing less. If you don't understand crypto and you copy code, even from Microsoft, the chances are slim that you will end up with any kind of security.

Related Links

Apply button in Catel's DataWindow
Why does Timespan.TryParseExact not parsing input as expected?
Multiple ItemSources binding
Difference between Do/While and While/Do
How to get the SQL code generate and return code
Crash in production when using a WebBrowser inside a Pivot
Add same value into string multiple times
Checking for Nulls on DB Record Mapping
Check InnerException in System.TypeInitializationException thrown by an external code frame
Datagridview using excel file as datasource in c#
Accessing anonymous type variables
The provider is not compatible with this version of oracle client. ASP.net and oracle issue
Visual Studio 2013 Solution building not in build order
Combine WindowsAuthentication with rules stored in DB
I18N Rendering as EN-US and not Neutral Culture
Using generic or nor knowing type of a property in a method

Categories

HOME
qlikview
marie
boxplot
coordinates
angularjs-directive
docker-compose
schema
meson-build
scapy
vsixmanifest
subprocess
cracking
minimax
desktop-application
resharper
tmux
hapijs
udeploy
custom-component
dev-c++
matlab-gui
jira-zephyr
utc
proof-general
units-of-measurement
language-detection
node-soap
voyager
incapsula
mkdir
scip
mongoid5
ng-lightning
php-mongodb
f#-fake
risc
html-entities
niagara-ax
hierarchical-clustering
pyopenssl
history
ng-class
dynamic-linking
r-commander
boost-regex
liferay-ide
iban
suitesparse
pyautogui
lightspeed
blackberry-webworks
optional-parameters
mavlink
symantec
disconnect
netlink
geokit
jmap
video-embedding
fadein
wonderware
serial-communication
biginsights
joomla3.3
xml-simple
httpmodule
nexusdb
static-files
quickfixn
iphone-6
novell
lwuit
sat4j
scjp
behance-api
reactjs-native
ironworker
record-locking
dd4t
latex-suite
exi
vline
cron4j
mail-gem
filedialog
vectorwise
execjs
lightopenid
designated-initializer
cpack
oaw
silverlight-2.0
qlibrary
moores-law
weak-typing

Resources

Mobile Apps Dev
Database Users
javascript
java
csharp
php
android
MS Developer
developer works
python
ios
c
html
jquery
RDBMS discuss
Cloud Virtualization
Database Dev&Adm
javascript
java
csharp
php
python
android
jquery
ruby
ios
html
Mobile App
Mobile App
Mobile App