Security :: Decryption Error "Length Of The Data To Decrypt Is Invalid"
Jun 14, 2010
I am using encryption/decryption logic from the following link: [URL] Code from this page is working but at times, its throwing an error while decyption as 'Length of the data to decrypt is invalid'. I have a very limited knowledge on this topic so I am no able to troubleshoot it further
When i try to encrypt it goes fine.. but when i right after try to decrypt it i get an:"Length of the data to decrypt is invalid" error... the error occours when i try to run the code FlushFinalBlock();here is my code:
I'm teaching myself ASP.net. I'm creating an application that needs to store sensitive data. So, I found the following Blog to encrypt and decrypt data.
I'm sure it's my app, but I wanted to make sure I'm not missing anything obvious. For some reason, my app and Encryptor only works when I pass < then 7 characters. If a pass 8, it doesn't commit to the database. If I remove Encryptor, the app will store
I have all application errors sent to my email. I keep getting this:
mysite.com/webresource.axd?d=yacsx7hz0irzn_i7ifr3morrek9u6srdkqxsjvpn3mw1&t=633598204507656250 Padding is invalid and cannot be removed.
Stack Trace: at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte inputBuffer, Int32 inputOffset, Int32 inputCount, Byte& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() [code]....
i googled and read to add machineKey in my web.config <system.web> which i did: <machineKey validationKey='0EFA95136AEA44850D5CEDDF0CC7502B1A009.....' decryptionKey='E88EB13ADB2C3D395193AA71DBB1E...' validation='SHA1'/>
and added <pages masterPageFile enableViewStateMac="true" viewStateEncryptionMode="Auto"> to my masterpage.But i keep getting that error.
it is really annoying that I am keep getting these error. what is that. we started to get this afte we updatet the net framawork for security vulnaribility. here is the error we keep getting. but not everytime;
System.FormatException: Invalid length for a Base-64 char array.
Generated: Thu, 07 Oct 2010 04:05:16 GMT
System.Web.HttpException: The state information is invalid for this page and might be corrupted. ---> System.Web.UI.ViewStateException: Invalid viewstate.
This is meant to be easy ...so ive been told, but still cant get it to work!I have a sql database hosted on a shared server which requires the use of sql authentication.As a result I require to encrypt my sensitive data in the config (connection strings etc).I understand that you can do this using aspnet_regiis etc, but ive been told that as I have no direct acccess to the server, I may need to program the encryption. I have seen a few examples, but as a novice I have been banging away at this, looking at an errors screen most of the time!
I have requirement to encrypt the windows service config file and web.config connection strings, I could able to do that for web.config with aspnet_regiisC:WindowsMicrosoft.NETFramework64v2.0.50727>aspnet_regiis -pe "connectionStrings" -app "/application.ui")But I am still looking similar kind of way for windows service config file to encrypt and decrypt..exe.config file snippet as below
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.
I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. Encrypted password is saved in database. I have created a forgotPassword page. Where I need to send user his password. How can I decrypt it and send it to user. if SHA1 can not be decryoted what other option should I use to encrypt the passwords?
Ok this one might be a bit tough to figure out, but each day when users open their application the following error is generated and they can not enter the application: "Failed to decrypt using provider 'EncryptionProvider'. Error message from the provider: The RSA key container could not be opened." Guess what fixes it... I have to open the application 1 time and then all of the users can being to open the application. This is not an issue with the encryption/decryption of the .config never having worked; it works just fine - but not all of the time. It sounds like a permissions issue to me, like me opening the app grants access to the key file for a time period, and the next day the issue starts all over again. Here is what I have already done (actually when I set up encryption originally), as the many, many posts with this issue are resolved with, but none have worked:
- aspnet_regiis -pa "MyWebKeys" "NT AuthorityNETWORK SERVICE" - aspnet_regiis -pa "MyWebKeys" "ASPNET" - Gave ASPNET account read access to "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" folder - Gave NETWORK SERVICE account read access to "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" folder
I did not do the following, since I am not using the deafult machinekeys, but rather the imported "MyWebKeys" container
"MyWebKeys" are an imported key container on the server, that upon importing reside in the default "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" directory. So it appears I have covered everything, right? What am I missing? Do I have to add individual users or groups with the pa command that use my application to allow access to the container? Remember the encryption/decryption does work 95% of the time. It just seems that each day in the morning, I must open the app once prior to the users being able to open the application, which tells me it is a permissions issue because I am an Admin on the server and they are not, but I thought all of this runs under the NETWORK SERVICE account anyways?)
Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]
I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?
I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?
So i dont need to use Q and A for password retrevial ( I use email password recovery), but I would like to use Q and A as and Admin, just as that higher level of secuirty.How can I turn off the encryption of the answer of the Q and A, or decrypt it in a report or something ???
I am trying to Upload data from Excel file. Transfer data from Excel file to XML file and passed it to Store procedure. And insert the record into database.I also set the timeout for command to zero. when i upload 1 to 500 rows its working fine and when I upload the 10000 rows than its takes time but upload all the users successfully at localhost. But when I upload the code to remote srever,than its only upload upto 300 or 400 rows.After uploading these users it will gives the error of Request Time Out . Even more if I tried to upload 50000 rows its give me the error of 'Maximum Length Exceeded'. Can anyone tell me what the maximum size of Excel sheet to upload the users. How I can get rid of the Request Time Out Issue. How I can Increase the server response time.