c#


Security test for AES


I don't know how to start this, but I want to know how I am going to test how secure my program is, specifically the application of AES which I just copied from MSDN.
I'm no expert at application security, nor do I have much knowledge about the security issues.
It would be much better if there is software that automatically does it for me.
This is the code I copied:
using System;
using System.IO;
using System.Security.Cryptography;

static byte[] EncryptStringToBytes_Aes(string plainText, byte[] Key, byte[] IV)
{
    // Check arguments.
    if (plainText == null || plainText.Length <= 0)
        throw new ArgumentNullException("plainText");
    if (Key == null || Key.Length <= 0)
        throw new ArgumentNullException("Key");
    if (IV == null || IV.Length <= 0)
        throw new ArgumentNullException("IV");
    byte[] encrypted;
    // Create an AesManaged object
    // with the specified key and IV.
    using (AesManaged aesAlg = new AesManaged())
    {
        aesAlg.Key = Key;
        aesAlg.IV = IV;
        // Create an encryptor to perform the stream transform.
        ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
        // Create the streams used for encryption.
        using (MemoryStream msEncrypt = new MemoryStream())
        {
            using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
            {
                using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
                {
                    // Write all data to the stream.
                    swEncrypt.Write(plainText);
                }
                encrypted = msEncrypt.ToArray();
            }
        }
    }
    // Return the encrypted bytes from the memory stream.
    return encrypted;
}
That code just uses AES/CBC. That's fine providing confidentiality for data at rest. As usual it leaks information about the input length.
Furthermore, it doesn't provide integrity or authenticity, so anybody can change the ciphertext. This means that, if this is a valid attack scenario, parts of the plaintext will come out garbled.
It doesn't provide any protection within transport protocols by itself. It's pretty easy to even leak the entire plaintext due to padding oracle attacks.
The key should be derived from a password using a password hash such as PBKDF2 or it should be randomly generated.
If you reuse the key for CBC then the IV should be non-predictable (by using a secure random generator). The IV is usually put in front of the ciphertext.
The code doesn't show any of these properties.
In other words, it depends very much on the use and possible attack vectors if the code above is secure or not. AES is secure, but that in itself doesn't provide any protection.
The code is AES/CBC, nothing more, nothing less. If you don't understand crypto and you copy code, even from Microsoft, the chances are slim that you will end up with any kind of security.
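
The properties the answer above lists (a key derived with PBKDF2, a random IV placed in front of the ciphertext, and integrity protection so that modified ciphertext is rejected before padding is ever examined), shown as an added example that is not part of the original question or answer. It assumes .NET 6 or later; the class name, message layout, HMAC-SHA256 encrypt-then-MAC construction and iteration count are illustrative choices, not something the page specifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AuthenticatedAesCbc // hypothetical name, not from the page
{
    // Assumed parameters; tune Iterations for your hardware.
    const int SaltLen = 16, IvLen = 16, TagLen = 32, Iterations = 210_000;
    // Output layout: salt || IV || ciphertext || HMAC-SHA256(salt || IV || ciphertext)
    public static byte[] Encrypt(string plainText, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] iv = RandomNumberGenerator.GetBytes(IvLen); // fresh, unpredictable IV per message
        DeriveKeys(password, salt, out byte[] encKey, out byte[] macKey);
        using Aes aes = Aes.Create();
        aes.Key = encKey;
        byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(plainText), iv); // CBC, PKCS7 padding
        byte[] output = new byte[SaltLen + IvLen + ct.Length + TagLen];
        salt.CopyTo(output, 0);
        iv.CopyTo(output, SaltLen);
        ct.CopyTo(output, SaltLen + IvLen);
        int bodyLen = output.Length - TagLen;
        // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
        HMACSHA256.HashData(macKey, output.AsSpan(0, bodyLen)).CopyTo(output, bodyLen);
        return output;
    }

    public static string Decrypt(byte[] message, string password)
    {
        // Smallest valid message: salt, IV, one cipher block, tag.
        if (message == null || message.Length < SaltLen + IvLen + 16 + TagLen)
            throw new CryptographicException("Message too short.");
        int bodyLen = message.Length - TagLen;
        ReadOnlySpan<byte> body = message.AsSpan(0, bodyLen);
        DeriveKeys(password, body.Slice(0, SaltLen).ToArray(), out byte[] encKey, out byte[] macKey);
        // Check the tag in constant time before any decryption, so a modified
        // ciphertext never reaches the padding check (no padding oracle).
        byte[] expected = HMACSHA256.HashData(macKey, body);
        if (!CryptographicOperations.FixedTimeEquals(expected, message.AsSpan(bodyLen)))
            throw new CryptographicException("Authentication failed.");
        using Aes aes = Aes.Create();
        aes.Key = encKey;
        return Encoding.UTF8.GetString(aes.DecryptCbc(body.Slice(SaltLen + IvLen), body.Slice(SaltLen, IvLen)));
    }

    // One PBKDF2-HMAC-SHA512 output block (64 bytes) split into independent AES and HMAC keys.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        byte[] okm = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA512, 64);
        encKey = okm[..32]; macKey = okm[32..];
    }
}
```

Flipping any byte of the returned array makes `Decrypt` throw "Authentication failed." instead of returning garbled plaintext; the output length still reveals the approximate plaintext length, as the answer notes.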
