I have received a SQL server database with passwords. This database is coming from a .NET website. I am rebuilding the website to PHP, so I would like to use my own encryption algorithm for the passwords. To do so, I tried to decrypt the passwords from the source database, but have not succeeeded so far.
According to the original developer it uses Rijndael encryption. The keys were as blob fields in the database. I exported them and tried to use PHP to decrypt the passwords. I have not succeeded but read somewhere on Stack overflow that there are difference in the way PHP and .NET implements it. This can only be fixed by changing the way of encrypting in .NET, but that's not an option.
So next thing I tried is to create a small .NET web form to decode the passwords. For a test I use this code:
var iv = Encoding.UTF8.GetBytes("5F38D2742EFC59486F6CBDDAB3E46EC5");
var key = Encoding.UTF8.GetBytes("F88640BE83A6911472BA4AF9B9C37E2C2B3E78BCFECF4BC6ADE1E928441F6AD7");
var rijndael = new RijndaelManaged
{
BlockSize = 256,
IV = iv,
KeySize = 256,
Key = key
};
rijndael.Padding = PaddingMode.None;
var buffer = Convert.FromBase64String("D1jo49HH6cL4kZVVeIDyDbJGtO4+f2N9YIonOqRg6hM=");
var transform = rijndael.CreateDecryptor();
string decrypted;
using (var ms = new MemoryStream())
{
using (var cs = new CryptoStream(ms, transform, CryptoStreamMode.Write))
{
cs.Write(buffer, 0, buffer.Length);
cs.FlushFinalBlock();
decrypted = Encoding.UTF8.GetString(ms.ToArray());
cs.Close();
}
ms.Close();
}
Label1.Text = decrypted;
I have altered the keys by the way, but the number of characters are still the same. Apperantly the key is 512bits in size instead of 256bits. But that is not supported by Rijndael. When I take away half of the key it doesn't generate any errors, but of course, doesn't give me the correct password.
Now I noticed the key is in hexadecimal characters. I tried to convert it using a web tool like http://www.string-functions.com/hex-string.aspx, but that does not give me a valid string (just some strange characters. So I'm not sure if this has anything to do with it, but if so, how to convert it?
The error is in these two lines:
var iv = Encoding.UTF8.GetBytes("5F38D2742EFC59486F6CBDDAB3E46EC5");
var key = Encoding.UTF8.GetBytes("F88640BE83A6911472BA4AF9B9C37E2C2B3E78BCFECF4BC6ADE1E928441F6AD7");
What you have in your string literals appears to be hex strings. These should be decoded by taking each pair of characters in turn and converting those into a byte
. Unfortunately, there's no built in function in the .NET framework to do this, but the question How do you convert Byte Array to Hexadecimal String, and vice versa, in C# should contain some useful hints to achieving this.
Your current code, instead, will take each character, in turn, and compute one or more (okay, in this case, always one) byte
values that is the UTF8 value for that character.
These are two very different operations, but the difference in how the characters are/should be consumed is why you are getting double the number of bytes compared to what you were expecting to receive.