Random Thoughts Warranty void. https://vcsjones.dev/ Wed, 08 Apr 2026 12:16:00 +0000 Wed, 08 Apr 2026 12:16:00 +0000 Jekyll v4.4.1 .NET's Cryptographic One-Shots <p>Over the past few releases in .NET, formerly .NET Core, there has been progress on making cryptographic primitives like AES, SHA, etc. better for developers to use.</p> <p>“Better” is an interesting point of conversation with cryptographic API design. To a developer, better may mean more throughput, less allocations, or a simply less cumbersome API. To a framework or library author, it means thinking about how developers will use, or mis-use, an API.</p> <p>Let’s look at AES encryption as it was in the .NET Framework days:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="k">using</span> <span class="p">(</span><span class="n">Aes</span> <span class="n">aes</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">Create</span><span class="p">())</span> <span class="p">{</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">key</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Get a key from somewhere</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">iv</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Get a unique IV from somewhere</span> <span class="k">using</span> <span class="nn">ICryptoTransform</span> <span class="n">transform</span> <span class="p">=</span> <span class="n">aes</span><span class="p">.</span><span class="nf">CreateEncryptor</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">iv</span><span class="p">);</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">encrypted</span> <span class="p">=</span> <span class="n">transform</span><span class="p">.</span><span class="nf">TransformFinalBlock</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">Length</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>This may only be a dozen or so lines of a code, but not all of it is straight forward. What is a “transform”? What is a “block”? What does “final” mean?</p> <p>The APIs expose quite a bit of functionality, and are confusingly named. <code class="language-plaintext highlighter-rouge">TransformFinalBlock</code> for example, despite having “Block” in it’s name, is almost always going to be capable of encrypting more than one block. It also means the data doesn’t need to be block aligned, so it handles padding appropriately. Since none of that may be understood, developers often times work around perceived problems, like handling individual blocks. While this API design offers the most flexibility for developers, it also offers the most complexity.</p> <p>This complexity exists for a small group of people. Most developers have some small amount of data they want to encrypt, and when they don’t, they have a <code class="language-plaintext highlighter-rouge">Stream</code>.</p> <p>Complex APIs that are prone to misuse are problematic in a security context. A misused cryptographic API almost always harms intended goal of the cryptographic API, whether that be secrecy, integrity, etc.</p> <p>For .NET, this became a concern when AES GCM and CCM were exposed in .NET Core 3.1. The <code class="language-plaintext highlighter-rouge">AesGcm</code> and <code class="language-plaintext highlighter-rouge">AesCcm</code> classes do not follow the design of AES prior. In addition to not inheriting from <code class="language-plaintext highlighter-rouge">Aes</code> or <code class="language-plaintext highlighter-rouge">SymmetricAlgorithm</code>, they also do not expose any block functionality. This was <a href="https://github.com/dotnet/runtime/issues/27348">discussed at length</a>, and instead these types offer simple <code class="language-plaintext highlighter-rouge">Encrypt</code> or <code class="language-plaintext highlighter-rouge">Decrypt</code> APIs that takes data and return data, or write to an existing buffer.</p> <p>This, while less flexible, resolves many concerns about misusing the AES GCM cipher mode. Primarily among those concerns was releasing unauthenticated data. Streaming decryption is, put simply, difficult to do safely.</p> <p>“Streaming” decryption doesn’t necessarily mean the use of <code class="language-plaintext highlighter-rouge">System.IO.Stream</code>. Rather, it means processing a block of plaintext or ciphertext a block at a time and doing something with it in the middle of encrypting or decrypting. This is often perceived as desirable when handling large amounts of data. After all, if I have a 12 gigabyte file, I can’t just put that in a byte array and encrypt it. Rather, processing it in chunks lets me handle it in memory.</p> <p>In pseudo code, let’s say I wanted to decrypt a file and send it over the network:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># NOTE: This is an example of doing things improperly</span> <span class="n">encryptedFileStream</span> <span class="o">=</span> <span class="n">getFile</span><span class="p">()</span> <span class="n">stream</span> <span class="o">=</span> <span class="n">getStream</span><span class="p">()</span> <span class="kp">loop</span> <span class="p">{</span> <span class="n">data</span> <span class="o">=</span> <span class="n">encryptedFileStream</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">128</span> <span class="o">/</span> <span class="mi">8</span><span class="p">)</span> <span class="c1"># One AES block size</span> <span class="k">if</span> <span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">length</span> <span class="o">==</span> <span class="mi">128</span> <span class="o">/</span> <span class="mi">8</span><span class="p">)</span> <span class="p">{</span> <span class="n">stream</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">decrypt</span><span class="p">(</span><span class="n">data</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">stream</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">decryptFinal</span><span class="p">(</span><span class="n">data</span><span class="p">))</span> <span class="n">stream</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">break</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>Recall though that AES GCM is <em>authenticated</em>. That is, AES GCM can tell if your ciphertext has been modified while in storage or in transit. An important detail of this though is that <strong>GCM cannot authenticate until it has processed the entire ciphertext</strong> (when <code class="language-plaintext highlighter-rouge">decryptFinal</code> is called.)</p> <p>This is breaks down because as we are decrypting, we’re sending (releasing) the plaintext before AES GCM has been able to authenticate the entire cipher text. If the person, tool, whatever on the other end of the network is processing that decrypted data in real time, then they have processed unauthentic data and it’s too late to go back and tell them “Never mind, that data I send you a few seconds ago might have been tampered with.”</p> <p>There are correct ways to do this, but are also still difficult to do correctly. You could break the file up in to small chunks and treat them as individual ciphertexts. However then you need to worry about many nonces, ensuring chunks are processed in the right order, a chunk isn’t missing, or replayed, etc.</p> <p>Before long you’ve invented a cryptographic protocol. This is largely why many folks will recommend using something that is well understood and robust rather than trying to build it yourself. Though not a primitive cipher, this kind of problem falls in the “roll your own cryptography” bucket.</p> <p>It’s rather easy to accidentally roll your own cryptography, especially so when working with “streaming” data.</p> <p>In .NET then, AES GCM and CCM do not support encrypting individual blocks. This still does not solve the issue of ensuring chunks are handled appropriately when handling large amounts of data. For that, higher level tools are still recommended. However it removes the temptation for streaming AES GCM, for which any attempt to use is almost always incorrect. Since it is very difficult to use correctly with no practical use cases, it isn’t offered.</p> <h3 id="toward-better-apis">Toward Better APIs</h3> <p>Simple APIs are important to making them misuse resistent, and .NET has gotten better at that over the past few releases.</p> <p>Like <code class="language-plaintext highlighter-rouge">AesGcm</code>, the <code class="language-plaintext highlighter-rouge">SymmetricAlgorithm</code> and its derivatives like <code class="language-plaintext highlighter-rouge">Aes</code>, <code class="language-plaintext highlighter-rouge">TripleDES</code>, etc. all offer similar one-shot APIs starting in .NET 6 in the form of <code class="language-plaintext highlighter-rouge">EncryptCbc</code>, <code class="language-plaintext highlighter-rouge">EncryptEcb</code> or <code class="language-plaintext highlighter-rouge">DecryptCbc</code> and <code class="language-plaintext highlighter-rouge">DecryptEcb</code>.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="k">using</span> <span class="p">(</span><span class="n">Aes</span> <span class="n">aes</span> <span class="p">=</span> <span class="n">Aes</span><span class="p">.</span><span class="nf">Create</span><span class="p">())</span> <span class="p">{</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">key</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Get a key from somewhere</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">iv</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Get a unique IV from somewhere</span> <span class="n">aes</span><span class="p">.</span><span class="n">Key</span> <span class="p">=</span> <span class="n">key</span><span class="p">;</span> <span class="c1">// Encrypt all the data at once</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">encrypted</span> <span class="p">=</span> <span class="n">aes</span><span class="p">.</span><span class="nf">EncryptCbc</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">iv</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>There is no <code class="language-plaintext highlighter-rouge">ICryptoTransform</code> that needs to be reasoned about or disposed, and there is no need to worry about blocks, padding, etc. Where possible, one shots have been added in most places, and made static where possible.</p> <p>For hashing, prior to .NET 5 it would look something like this:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Prior to .NET 5</span> <span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Some data</span> <span class="k">using</span> <span class="p">(</span><span class="n">SHA256</span> <span class="n">hash</span> <span class="p">=</span> <span class="n">SHA256</span><span class="p">.</span><span class="nf">Create</span><span class="p">())</span> <span class="p">{</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">digest</span> <span class="p">=</span> <span class="n">hash</span><span class="p">.</span><span class="nf">ComputeHash</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Rather than creating an instance of a hash algorithm, <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha256.hashdata?view=net-6.0"><code class="language-plaintext highlighter-rouge">HashData</code></a> now exists:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Starting in .NET 5</span> <span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span> <span class="p">=</span> <span class="k">default</span><span class="p">;</span> <span class="c1">// Some data</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">digest</span> <span class="p">=</span> <span class="n">SHA256</span><span class="p">.</span><span class="nf">HashData</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> </code></pre></div></div> <p>This is much easier to reason about. The method is static, there is no stateful hash object that needs to be instantiated, no need to remember to dispose of it, and no need to worry about thread safety. Not only are the one shots easier to use, they almost always offer better performance, either in throughput or reduced allocations. These one shots are not simple wrappers around <code class="language-plaintext highlighter-rouge">HashAlgorithm.Create()</code> and then hashing something. They internally do not allocate on the managed heap at all. Everyone benefits here: the APIs are simpler, and developers get better performance.</p> <p>For .NET 6, the one shot hashing APIs were brought to the <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha256.hashdata?view=net-6.0"><code class="language-plaintext highlighter-rouge">HMAC</code></a> classes as well, offering the same improved APIs and better performance.</p> <p>Also for .NET 6 PBKDF2 got the same treatment with <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes.pbkdf2?view=net-6.0"><code class="language-plaintext highlighter-rouge">Rfc2898DeriveBytes.Pbkdf2</code></a>.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">salt</span> <span class="p">=</span> <span class="n">RandomNumberGenerator</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="m">32</span><span class="p">);</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">prk</span> <span class="p">=</span> <span class="n">Rfc2898DeriveBytes</span><span class="p">.</span><span class="nf">Pbkdf2</span><span class="p">(</span> <span class="n">userPassword</span><span class="p">,</span> <span class="n">salt</span><span class="p">,</span> <span class="n">iterations</span><span class="p">:</span> <span class="m">200_000</span><span class="p">,</span> <span class="n">HashAlgorithmName</span><span class="p">.</span><span class="n">SHA256</span><span class="p">,</span> <span class="n">outputLength</span><span class="p">:</span> <span class="m">32</span><span class="p">);</span> </code></pre></div></div> <p>All of these APIs also offer modern amenities, like working <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> for input data and being able to write to a <code class="language-plaintext highlighter-rouge">Span&lt;byte&gt;</code> for output data.</p> <p>I’m happy with .NETs move toward easier to use APIs for cryptographic primitives. I still largely believe many developers should use higher level concepts rather than these basic building blocks. However, for those that need the building blocks, they are getting better.</p> Thu, 30 Dec 2021 20:00:00 +0000 https://vcsjones.dev/one-shot-crypto/ https://vcsjones.dev/one-shot-crypto/ General Dos and Don'ts of stackalloc <p>In .NET Core 2.1 a small but well-received feature was the ability to “safely” allocate a segment of data on the stack, using <code class="language-plaintext highlighter-rouge">stackalloc</code>, when used with <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code>.</p> <p>Before <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code>, <code class="language-plaintext highlighter-rouge">stackalloc</code> required being in an <code class="language-plaintext highlighter-rouge">unsafe</code> context:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">unsafe</span> <span class="p">{</span> <span class="kt">byte</span><span class="p">*</span> <span class="n">data</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> <span class="p">}</span> </code></pre></div></div> <p>The use of <code class="language-plaintext highlighter-rouge">unsafe</code>, along with the little number of APIs in .NET that could work with pointers, was enough to deter a lot of people from using it. As a result, it remained a relatively niche feature. The introduction of <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code> now means this can be done without being in an <code class="language-plaintext highlighter-rouge">unsafe</code> context now:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> </code></pre></div></div> <p>The .NET team has also been working diligently to add <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code> APIs where it makes sense. There is now more appeal and possibility to use <code class="language-plaintext highlighter-rouge">stackalloc</code>.</p> <p><code class="language-plaintext highlighter-rouge">stackalloc</code> is desirable in some performance sensitive areas. It can be used in places where small arrays were used, with the advantage that it does not allocate on the heap - and thus does not apply pressure to the garbage collector. <code class="language-plaintext highlighter-rouge">stackalloc</code> is not a general purpose drop-in for arrays. They are limited in a number of ways that <a href="https://docs.microsoft.com/en-us/archive/msdn-magazine/2018/january/csharp-all-about-span-exploring-a-new-net-mainstay">other posts</a> explain well enough, and require the use of <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code>.</p> <p>Recently I vented a bit about <code class="language-plaintext highlighter-rouge">stackalloc</code> on Twitter, as one does on Twitter, specifically the community’s fast embrace of it, without discussing or well-documenting some of <code class="language-plaintext highlighter-rouge">stackalloc</code>’s sharp edges. I’m going to expand on that here, and make an argument for <code class="language-plaintext highlighter-rouge">stackalloc</code> still being unsafe and requiring some thought about being used.</p> <h3 id="dont-use-variable-allocation-lengths">DON’T: Use variable allocation lengths</h3> <p>A large risk with using <code class="language-plaintext highlighter-rouge">stackalloc</code> is running out of stack space. If you’ve ever written a method that is recursive and went too deep, you’ll eventually receive a <code class="language-plaintext highlighter-rouge">StackOverflowException</code>. The <code class="language-plaintext highlighter-rouge">StackOverflowException</code> is a bit special in that it is one of the exceptions that cannot be caught. When a stack overflow occurs, the process immediately exits. Allocating too much with <code class="language-plaintext highlighter-rouge">stackalloc</code> has the same effect - it causes a stack overflow and the process immediately terminates.</p> <p>This is particularly worrisome when the allocation’s length is determined by user input:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">char</span><span class="p">[</span><span class="n">userInput</span><span class="p">.</span><span class="n">Length</span><span class="p">];</span> <span class="c1">//DON'T</span> </code></pre></div></div> <p>This allows users to take down your process, an effective denial-of-service.</p> <p>Using a constant also reduces the risk of arithmetic or overflow mistakes. Currently, .NET Core’s CLR interprets that amount to be allocated as an unsigned integer. This means that an arithmetic over or under flow may result in a stack overflow.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">b</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[(</span><span class="n">userInput</span> <span class="p">%</span> <span class="m">64</span><span class="p">)</span> <span class="p">-</span> <span class="m">1</span><span class="p">];</span> <span class="c1">//DON'T</span> </code></pre></div></div> <h3 id="do-use-a-constant-for-allocation-size">DO: Use a constant for allocation size</h3> <p>Instead, it’s better to use a constant value for <code class="language-plaintext highlighter-rouge">stackalloc</code>, always. It immediately resolves any ambiguities about how much is allocated on the stack.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">char</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> <span class="c1">//better</span> </code></pre></div></div> <p>Once you have an allocated buffer, you can use Span’s <code class="language-plaintext highlighter-rouge">Slice</code> funtionality to adjust it to the correct size:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">char</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">input</span> <span class="p">=</span> <span class="n">buffer</span><span class="p">.</span><span class="nf">Slice</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="n">userInput</span><span class="p">.</span><span class="n">Length</span><span class="p">);</span> </code></pre></div></div> <h3 id="dont-use-stackalloc-in-non-constant-loops">DON’T: Use stackalloc in non-constant loops</h3> <p>Even if you allocate a fixed length amount of data on the stack, doing so in a loop can be dangerous as well, especially if the number of the iterations the loop makes is driven by user input:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">userInput</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="c1">// DON'T</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">char</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> <span class="p">}</span> </code></pre></div></div> <p>This also can cause a denial of service, since this allows someone to control the number of stack allocations, though not the length of the allocation.</p> <h3 id="do-allocate-outside-of-loops">DO: Allocate outside of loops</h3> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">char</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">char</span><span class="p">[</span><span class="m">256</span><span class="p">];</span> <span class="c1">//better</span> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">userInput</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="c1">//Do something with buffer</span> <span class="p">}</span> </code></pre></div></div> <p>Allocating outside of the loop is the best solution. This is not only safer, but also better for performance.</p> <h3 id="dont-allocate-a-lot-on-the-stack">DON’T: Allocate a lot on the stack</h3> <p>It’s tempting to allocate as much as nearly possible on the stack:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="m">8000</span> <span class="p">*</span> <span class="m">1024</span><span class="p">];</span> <span class="c1">// DON'T</span> </code></pre></div></div> <p>You may find that this runs fine on Linux, but fails on Windows with a stack overflow. Different operating systems, architectures, and environments, have different stacks limits. Linux typically allows for a larger stack than Windows by default, and other hosting scenarios such as in an IIS worker process come with even lower limits. An embedded environment may have a stack of only a few kilobytes.</p> <h3 id="do-conservatively-use-the-stack">DO: Conservatively use the stack</h3> <p>The stack should be used for small allocations only. How much depends on the size of each element being allocated. It’s also desirable to not allocate many large structs, either.</p> <p>I won’t prescribe anything specific, but anything larger than a kilobyte is a point of concern. You can allocate on the heap depending on how much you need. A typical pattern might be:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">const</span> <span class="kt">int</span> <span class="n">MaxStackSize</span> <span class="p">=</span> <span class="m">256</span><span class="p">;</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="n">userInput</span> <span class="p">&gt;</span> <span class="n">MaxStackSize</span> <span class="p">?</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="n">userInput</span><span class="p">]</span> <span class="p">:</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="n">MaxStackSize</span><span class="p">];</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span> <span class="p">=</span> <span class="n">buffer</span><span class="p">.</span><span class="nf">Slice</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="n">userInput</span><span class="p">);</span> </code></pre></div></div> <p>This will allocate on the stack for small amounts, still in a constant amount, or if too large, will use a heap-allocated array. This pattern may also make it easier to use <code class="language-plaintext highlighter-rouge">ArrayPool</code>, if you choose, which also does not guarantee that the returned array is exactly the requested size:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">const</span> <span class="kt">int</span> <span class="n">MaxStackSize</span> <span class="p">=</span> <span class="m">256</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]?</span> <span class="n">rentedFromPool</span> <span class="p">=</span> <span class="k">null</span><span class="p">;</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="n">userInput</span> <span class="p">&gt;</span> <span class="n">MaxStackSize</span> <span class="p">?</span> <span class="p">(</span><span class="n">rentedFromPool</span> <span class="p">=</span> <span class="n">ArrayPool</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;.</span><span class="n">Shared</span><span class="p">.</span><span class="nf">Rent</span><span class="p">(</span><span class="n">userInput</span><span class="p">))</span> <span class="p">:</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="n">MaxStackSize</span><span class="p">];</span> <span class="c1">// Use data</span> <span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span> <span class="p">=</span> <span class="n">buffer</span><span class="p">.</span><span class="nf">Slice</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="n">userInput</span><span class="p">);</span> <span class="c1">// Return from pool, if we rented</span> <span class="k">if</span> <span class="p">(</span><span class="n">rentedFromPool</span> <span class="k">is</span> <span class="kt">object</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// DO: if using ArrayPool, think carefully about clearing</span> <span class="c1">// or not clearing the array.</span> <span class="n">ArrayPool</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;.</span><span class="n">Shared</span><span class="p">.</span><span class="nf">Return</span><span class="p">(</span><span class="n">rentedFromPool</span><span class="p">,</span> <span class="n">clearArray</span><span class="p">:</span> <span class="k">true</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <h3 id="dont-assume-stack-allocations-are-zero-initialized">DON’T: Assume stack allocations are zero initialized</h3> <p>Most normal uses of <code class="language-plaintext highlighter-rouge">stackalloc</code> result in zero-initialized data. This behavior is however not guaranteed, and can change depending if the application is built for Debug or Release, and other contents of the method. Therefore, don’t assume that any of the elements in a <code class="language-plaintext highlighter-rouge">stackalloc</code>ed <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code> are initialized to something by default. For example:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">)];</span> <span class="kt">byte</span> <span class="n">lo</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="kt">byte</span> <span class="n">hi</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="n">buffer</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">=</span> <span class="n">lo</span><span class="p">;</span> <span class="n">buffer</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="p">=</span> <span class="n">hi</span><span class="p">;</span> <span class="c1">// DONT: depend on elements at 2 and 3 being zero-initialized</span> <span class="kt">int</span> <span class="n">result</span> <span class="p">=</span> <span class="n">BinaryPrimitives</span><span class="p">.</span><span class="nf">ReadInt32LittleEndian</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> </code></pre></div></div> <p>In this case, we might expect the result to be 257, every time. However if the <code class="language-plaintext highlighter-rouge">stackalloc</code> does not zero initialize the buffer, then the contents of the upper-half of the integer will not be as expected.</p> <p>This behavior will not always be observed. In Debug builds, it’s likely that you will see that <code class="language-plaintext highlighter-rouge">stackalloc</code> zero-initializes its contents every time, whereas in Release builds, you may find that the contents of a <code class="language-plaintext highlighter-rouge">stackalloc</code> are uninitialized.</p> <p>Starting in .NET 5, developers can opt to explicitly skip zero-initializing <code class="language-plaintext highlighter-rouge">stackalloc</code> contents with the <a href="https://docs.microsoft.com/en-us/dotnet/api/system.runtime.compilerservices.skiplocalsinitattribute?view=net-5.0"><code class="language-plaintext highlighter-rouge">SkipLocalsInit</code></a> attribute. Without it, whether or not <code class="language-plaintext highlighter-rouge">stackalloc</code> is default initialized is up to Roslyn.</p> <h3 id="do-initialize-if-required">DO: Initialize if required</h3> <p>Any item read from a <code class="language-plaintext highlighter-rouge">stackalloc</code>ed buffer should be explicitly assigned, or use <code class="language-plaintext highlighter-rouge">Clear</code> to explicitly clear the entire <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code> and initialize it to defaults.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Span</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">buffer</span> <span class="p">=</span> <span class="k">stackalloc</span> <span class="kt">byte</span><span class="p">[</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">)];</span> <span class="n">buffer</span><span class="p">.</span><span class="nf">Clear</span><span class="p">();</span> <span class="c1">//explicit zero initialize</span> <span class="kt">byte</span> <span class="n">lo</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="kt">byte</span> <span class="n">hi</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="n">buffer</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">=</span> <span class="n">lo</span><span class="p">;</span> <span class="n">buffer</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="p">=</span> <span class="n">hi</span><span class="p">;</span> <span class="kt">int</span> <span class="n">result</span> <span class="p">=</span> <span class="n">BinaryPrimitives</span><span class="p">.</span><span class="nf">ReadInt32LittleEndian</span><span class="p">(</span><span class="n">buffer</span><span class="p">);</span> </code></pre></div></div> <p>Though not explicitly covered in this post, the same advice applies to arrays rented from the <code class="language-plaintext highlighter-rouge">ArrayPool</code>.</p> <h3 id="summary">Summary</h3> <p>In summary, <code class="language-plaintext highlighter-rouge">stackalloc</code> needs to be used with care. Failing to do so can result in process termination, which is a denial-of-service: your program or web server aren’t running any more.</p> Mon, 24 Feb 2020 05:24:00 +0000 https://vcsjones.dev/stackalloc/ https://vcsjones.dev/stackalloc/ General Import and Export RSA Key Formats in .NET Core 3 <p>.NET Core 3.0 introduced over a dozen new APIs for importing and exporting RSA keys in different formats. Many of them are a variant of another with a slightly different API, but they are extremely useful for working with private and public keys from other systems that work with encoding keys.</p> <p>RSA keys can be encoded in a variety of different ways, depending on if the key is public or private or protected with a password. Different programs will import or export RSA keys in a different format, etc.</p> <p>Often times RSA keys can be described as “PEM” encoded, but that is already ambiguous as to how the key is actually encoded. PEM takes the form of:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-----BEGIN LABEL----- content -----END LABEL----- </code></pre></div></div> <p>The content between the labels is base64 encoded. The one that is probably the most often seen is BEGIN RSA PRIVATE KEY, which is frequently used in web servers like nginx, apache, etc:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-----BEGIN RSA PRIVATE KEY----- MII... -----END RSA PRIVATE KEY----- </code></pre></div></div> <p>The base64-encoded text is an RSAPrivateKey from the <a href="https://tools.ietf.org/html/rfc3447#appendix-A.1.2">PKCS#1 spec</a>, which is just an ASN.1 SEQUENCE of integers that make up the RSA key. The corresponding .NET Core 3 API for this is <code class="language-plaintext highlighter-rouge">ImportRSAPrivateKey</code>, or one of its overloads. If your key is “PEM” encoded, you need to find the base64 text between the label BEGIN and END headers, base64 decode it, and pass to <code class="language-plaintext highlighter-rouge">ImportRSAPrivateKey</code>. There is currently an <a href="https://github.com/dotnet/corefx/issues/37748">API proposal</a> to make reading PEM files easier. If your private key is DER encoded, then that just means you can read the content directly as bytes in to <code class="language-plaintext highlighter-rouge">ImportRSAPrivateKey</code>.</p> <p>Here is an example:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">var</span> <span class="n">privateKey</span> <span class="p">=</span> <span class="s">"MII..."</span><span class="p">;</span> <span class="c1">//Get just the base64 content.</span> <span class="kt">var</span> <span class="n">privateKeyBytes</span> <span class="p">=</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">FromBase64String</span><span class="p">(</span><span class="n">privateKey</span><span class="p">);</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">rsa</span> <span class="p">=</span> <span class="n">RSA</span><span class="p">.</span><span class="nf">Create</span><span class="p">();</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">ImportRSAPrivateKey</span><span class="p">(</span><span class="n">privateKeyBytes</span><span class="p">,</span> <span class="k">out</span> <span class="n">_</span><span class="p">);</span> </code></pre></div></div> <p>When using openssl, the <code class="language-plaintext highlighter-rouge">openssl rsa</code> commands typically output RSAPrivateKey PKCS#1 private keys, for example <code class="language-plaintext highlighter-rouge">openssl genrsa</code>.</p> <p>A different format for a private key is PKCS#8. Unlike the RSAPrivateKey from PKCS#1, a PKCS#8 encoded key can represent other kinds of keys than RSA. As such, the PEM label for a PKCS#8 key is “BEGIN PRIVATE KEY” (note the lack of “RSA” there). The key itself contains an AlgorithmIdentifer of what kind of key it is.</p> <p>PKCS#8 keys can also be encrypted protected, too. In that case, the PEM label will be “BEGIN ENCRYPTED PRIVATE KEY”.</p> <p>.NET Core 3 has APIs for both of these. Unencrypted PKCS#8 keys can be imported with <code class="language-plaintext highlighter-rouge">ImportPkcs8PrivateKey</code>, and encrypted PKCS#8 keys can be imported with <code class="language-plaintext highlighter-rouge">ImportEncryptedPkcs8PrivateKey</code>. Their usage is similar to <code class="language-plaintext highlighter-rouge">ImportRSAPrivateKey</code>.</p> <p>Public keys have similar behavior. A PEM encoded key that has the label “BEGIN RSA PUBLIC KEY” should use <code class="language-plaintext highlighter-rouge">ImportRSAPublicKey</code>. Also like private keys, the public key has a format that self-describes the algorithm of the key called a Subject Public Key Info (SPKI) which is used heavily in X509 and many other standards. The PEM header for this is “BEGIN PUBLIC KEY”, and <code class="language-plaintext highlighter-rouge">ImportSubjectPublicKeyInfo</code> is the correct way to import these.</p> <p>All of these APIs have export versions of themselves as well, so if you are trying to export a key from .NET Core 3 to a particular format, you’ll need to use the correct export API.</p> <p>To summarize each PEM label and API pairing:</p> <ol> <li>“BEGIN RSA PRIVATE KEY” =&gt; <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importrsaprivatekey?view=netcore-3.0"><code class="language-plaintext highlighter-rouge">RSA.ImportRSAPrivateKey</code></a></li> <li>“BEGIN PRIVATE KEY” =&gt; <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importpkcs8privatekey?view=netcore-3.0"><code class="language-plaintext highlighter-rouge">RSA.ImportPkcs8PrivateKey</code></a></li> <li>“BEGIN ENCRYPTED PRIVATE KEY” =&gt; <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importencryptedpkcs8privatekey?view=netcore-3.0"><code class="language-plaintext highlighter-rouge">RSA.ImportEncryptedPkcs8PrivateKey</code></a></li> <li>“BEGIN RSA PUBLIC KEY” =&gt; <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importrsapublickey?view=netcore-3.0"><code class="language-plaintext highlighter-rouge">RSA.ImportRSAPublicKey</code></a></li> <li>“BEGIN PUBLIC KEY” =&gt; <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importsubjectpublickeyinfo?view=netcore-3.0"><code class="language-plaintext highlighter-rouge">RSA.ImportSubjectPublicKeyInfo</code></a></li> </ol> <p>One gotcha with openssl is to pay attention to the output of the key format. A common enough task from openssl is “Given this PEM-encoded RSA private key, give me a PEM encoded public-key” and is often enough done like this:</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl rsa <span class="nt">-in</span> key.pem <span class="nt">-pubout</span> </code></pre></div></div> <p>Even if key.pem is a PKCS#1 RSAPrivateKey (“BEGIN RSA PRIVATE KEY”), the <code class="language-plaintext highlighter-rouge">-pubout</code> option will output a SPKI (“BEGIN PUBLIC KEY”), not an RSAPublicKey (“BEGIN RSA PUBLIC KEY”). For that, you would need to use <code class="language-plaintext highlighter-rouge">-RSAPublicKey_out</code> instead of <code class="language-plaintext highlighter-rouge">-pubout</code>. The openssl <code class="language-plaintext highlighter-rouge">pkey</code> commands will also typically give you PKCS#8 or SPKI formatted keys.</p> Mon, 07 Oct 2019 20:24:00 +0000 https://vcsjones.dev/key-formats-dotnet-3/ https://vcsjones.dev/key-formats-dotnet-3/ General Sometimes valid RSA signatures in .NET <p>One of the nice things about .NET Core being open source is following along with some of the issues that people report. I tend to keep an eye on System.Security tagged issues, since those tend to be at the intersection of things that interest me and things I can maybe help with.</p> <p>A user <a href="https://github.com/dotnet/corefx/issues/34202">filed an issue</a> where .NET Framework considered a CMS valid, and .NET Core did not. This didn’t entirely surprise me. In the .NET Framework, the <code class="language-plaintext highlighter-rouge">SignedCms</code> class is heavily backed by Windows’ handling of CMS/PKCS#7. In .NET Core, the implementation is managed (sans the cryptography). The managed implementation adheres somewhat strictly to the CMS specification. As other issues have noticed, Windows’, thus .NET Framework’s, implementation was a little more relaxed in some ways.</p> <p>This turned out not to be one of those cases. The CMS part was actually working just fine. What was failing was RSA itself. The core of the issue was that different implementations of RSA disagreed on the RSA signature’s validity.</p> <p>That seems pretty strange!</p> <p>When I talk about different implementations on Windows, I am usually referring to CAPI vs CNG, or <code class="language-plaintext highlighter-rouge">RSACryptoServiceProvider</code> and <code class="language-plaintext highlighter-rouge">RSACng</code>, respectively. For now, I’m keeping this post to the .NET Framework. We’ll bring .NET Core in to the discussion later.</p> <p>There are two implementations because, well, Windows has two of them. CNG, or “Cryptography API: Next Generation” is the newer of the two and is intended to be future of cryptographic primitives on Windows. It shipped in Windows Vista, and offers functionality that CAPI cannot do. An example of that is PSS RSA signatures.</p> <p>.NET Framework exposes these implementations as <code class="language-plaintext highlighter-rouge">RSACryptoServiceProvider</code> and <code class="language-plaintext highlighter-rouge">RSACng</code>. They <em>should</em> be interchangable, and CNG implementations should be used going forward. However, there is one corner case where the old, CAPI implementation considers a signature valid while the CNG one does not.</p> <p>The issue can be demonstrated like so:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">byte</span><span class="p">[]</span> <span class="n">n</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">e</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">signature</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">digest</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="m">0x68</span><span class="p">,</span> <span class="m">0xB4</span><span class="p">,</span> <span class="m">0xF9</span><span class="p">,</span> <span class="m">0x26</span><span class="p">,</span> <span class="m">0x34</span><span class="p">,</span> <span class="m">0x31</span><span class="p">,</span> <span class="m">0x25</span><span class="p">,</span> <span class="m">0xDD</span><span class="p">,</span> <span class="m">0x26</span><span class="p">,</span> <span class="m">0x50</span><span class="p">,</span> <span class="m">0x13</span><span class="p">,</span> <span class="m">0x68</span><span class="p">,</span> <span class="m">0xC1</span><span class="p">,</span> <span class="m">0x99</span><span class="p">,</span> <span class="m">0x26</span><span class="p">,</span> <span class="m">0x71</span><span class="p">,</span> <span class="m">0x19</span><span class="p">,</span> <span class="m">0xA2</span><span class="p">,</span> <span class="m">0xDE</span><span class="p">,</span> <span class="m">0x81</span><span class="p">,</span> <span class="p">};</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">rsa</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">RSACng</span><span class="p">())</span> <span class="p">{</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">ImportParameters</span><span class="p">(</span><span class="k">new</span> <span class="n">RSAParameters</span> <span class="p">{</span> <span class="n">Modulus</span> <span class="p">=</span> <span class="n">n</span><span class="p">,</span> <span class="n">Exponent</span> <span class="p">=</span> <span class="n">e</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">valid</span> <span class="p">=</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">VerifyHash</span><span class="p">(</span><span class="n">digest</span><span class="p">,</span> <span class="n">signature</span><span class="p">,</span> <span class="n">HashAlgorithmName</span><span class="p">.</span><span class="n">SHA1</span><span class="p">,</span> <span class="n">RSASignaturePadding</span><span class="p">.</span><span class="n">Pkcs1</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="n">valid</span><span class="p">);</span> <span class="p">}</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">rsa</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">RSACryptoServiceProvider</span><span class="p">())</span> <span class="p">{</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">ImportParameters</span><span class="p">(</span><span class="k">new</span> <span class="n">RSAParameters</span> <span class="p">{</span> <span class="n">Modulus</span> <span class="p">=</span> <span class="n">n</span><span class="p">,</span> <span class="n">Exponent</span> <span class="p">=</span> <span class="n">e</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">valid</span> <span class="p">=</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">VerifyHash</span><span class="p">(</span><span class="n">digest</span><span class="p">,</span> <span class="n">signature</span><span class="p">,</span> <span class="n">HashAlgorithmName</span><span class="p">.</span><span class="n">SHA1</span><span class="p">,</span> <span class="n">RSASignaturePadding</span><span class="p">.</span><span class="n">Pkcs1</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="n">valid</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <aside> <p>Note: to avoid bloating this blog post with large signatures and RSA keys, I omitted them. However the full example with public keys is available <a href="https://gist.github.com/vcsjones/ab4c2327b53ed018eada76b75ef4fd99"> on GitHub here</a>. </p> </aside> <p>When used with one of the curious signatures that exhibits this behavior, such as the one in the GitHub link, the first result will be false, and the second will be true.</p> <p>Nothing jumped out at me as being problematic. The signature padding is PKCS, the public exponent is the very typical 67,537, and the RSA key is sensible in size.</p> <p>To make it stranger, this signature came off the timestamp of Firefox’s own signed installer. So why are the results different?</p> <p>Jeremy Barton from Microsoft on .NET Core made the observation that the padding in the RSA signature itself is incorrect, but in a way that CAPI tollerates and CNG does not, at least by default. Let’s look at the raw signature. To do that, we need the public key and signature on disk, and we can poke at them with OpenSSL.</p> <p>Using the command:</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openssl rsautl <span class="nt">-verify</span> <span class="nt">-in</span> sig.bin <span class="nt">-inkey</span> key.der <span class="se">\</span> <span class="nt">-pubin</span> <span class="nt">-hexdump</span> <span class="nt">-raw</span> <span class="nt">-keyform</span> der </code></pre></div></div> <p>We get the following output:</p> <pre> 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0070 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0080 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0090 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00a0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00b0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00c0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00d0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00e0 - ff ff ff ff ff ff ff ff-ff ff ff 00 68 b4 f9 26 00f0 - 34 31 25 dd 26 50 13 68-c1 99 26 71 19 a2 de 81 </pre> <p>This is a PKCS#1 v1.5 padded signature, as indicated by by starting with 00 01. The digest at the end can be seen, <code class="language-plaintext highlighter-rouge">68 b4 f9 26 ... 19 a2 de 81</code> which matches the digest above, so we know that the signature is for the right digest.</p> <p>What is not correct in this signature is how the digest is encoded. The signature contains the bare digest. It <em>should</em> be encoded as an ASN.1 sequence along with the AlgorithmIdentifer of the digest:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING } </code></pre></div></div> <p>This goes back all the way to <a href="ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1.asc">a document</a> (warning: link is to an ftp:// site) written in 1993 by RSA labratories explaining how PKCS#1 v1.5 works,and was standardized in to <a href="https://tools.ietf.org/html/rfc2313">an RFC</a> in 1998.</p> <p>The RSA signature we have only contains the raw digest. It is not part of a <code class="language-plaintext highlighter-rouge">DigestInfo</code>. If the digest were properly encoded, it would look something like this:</p> <pre> 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0070 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0080 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 0090 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00a0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00b0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00c0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff 00d0 - ff ff ff ff ff ff ff ff-ff ff ff ff 00 30 21 30 00e0 - 09 06 05 2b 0e 03 02 1a-05 00 04 14 68 b4 f9 26 00f0 - 34 31 25 dd 26 50 13 68-c1 99 26 71 19 a2 de 81 </pre> <p>The signature now includes <code class="language-plaintext highlighter-rouge">DigestInfo</code> along with the OID 1.3.14.3.2.26 to indicate that the digest is SHA1.</p> <p>At this point we know what the difference is, and the original specification in part 10.1.2 makes it fairly clear that the “data” should be a digest and should be encoded as DigestInfo, not a bare digest.</p> <p>The source of this signature is from Verisign's timestamp authority at http://timestamp.verisign.com/&#x200B;scripts/&#x200B;timstamp.dll. After checking with someone at DigiCert (now running this TSA), it was launched in May 1995.</p> <p>I suspect that the TSA is old enough that the implementation was made before the specification was complete or simply got the specification wrong and no one noticed. Bringing this back to CNG and CAPI, CNG can validate this signatures, but you must explicitly tell CNG that the signature does not have an object identifier. <a href="https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-_bcrypt_pkcs1_padding_info"><code class="language-plaintext highlighter-rouge">BCRYPT_PKCS1_PADDING_INFO</code>’s</a> documentation has the detail there, but gist of it is</p> <blockquote> <p>If there is no OID in the signature, then verification fails unless this member is NULL.</p> </blockquote> <p>This would be used with <code class="language-plaintext highlighter-rouge">{B,N}CryptVerifySignature</code>. To bring this back around to the .NET Framework, how do we use <code class="language-plaintext highlighter-rouge">RSACng</code> and give <code class="language-plaintext highlighter-rouge">null</code> in for the padding algorithm? The short answer is: you cannot. If you try, you will get an explicit <code class="language-plaintext highlighter-rouge">ArgumentException</code> saying that the hash algorithm name cannot be null.</p> <p>For .NET Framework, this solution “keep using <code class="language-plaintext highlighter-rouge">RSACryptoServiceProvider</code>”. If you need to validate these signatures, chances are you do not need to use CNG’s newer capabilities like PSS since these malformed signatures appear to be coming from old systems. Higher level things like <code class="language-plaintext highlighter-rouge">SignedCms</code> and <code class="language-plaintext highlighter-rouge">SignedXml</code> use <code class="language-plaintext highlighter-rouge">RSACryptoServiceProvider</code> by default, so they will continue to work.</p> <p>To bring in .NET Core, the situation is a little more difficult. If you are using <code class="language-plaintext highlighter-rouge">SignedCms</code> like so:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">var</span> <span class="n">signedCms</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SignedCms</span><span class="p">();</span> <span class="n">signedCms</span><span class="p">.</span><span class="nf">Decode</span><span class="p">(</span><span class="n">File</span><span class="p">.</span><span class="nf">ReadAllBytes</span><span class="p">(</span><span class="s">"cms-with-sig.bin"</span><span class="p">));</span> <span class="n">signedCms</span><span class="p">.</span><span class="nf">CheckSignature</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> </code></pre></div></div> <p>This will start throwing when you migrate to .NET Core. .NET Core will use CNG when run on Windows to validate RSA signatures for <code class="language-plaintext highlighter-rouge">SignedCms</code> and <code class="language-plaintext highlighter-rouge">SignedXml</code>. This is currently not configurable, either. When used with <code class="language-plaintext highlighter-rouge">SignedCms</code>, it ultimately calls the <code class="language-plaintext highlighter-rouge">X509Certificate2.GetRSAPublicKey()</code> extension method, and that will <a href="https://github.com/dotnet/corefx/blob/b26339b6f6c7537875c70b5f3c8af376d0bbded5/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Windows/X509Pal.PublicKey.cs#L43">always</a> return an implementation based on CNG.</p> <p>If you are using <code class="language-plaintext highlighter-rouge">SignedCms</code> on .NET Core and need to validate a CMS that is signed with these problematic signatures, you are currently out of luck using in-the-box components. As far as other platforms go, both macOS and Linux environments for .NET Core will agree with CNG - that the signature is invalid.</p> <p>The good news is, these signatures are not easy to come by. So far, only the old Verisign timestamp authority is known to have produced signatures like this.</p> Thu, 18 Jul 2019 17:27:00 +0000 https://vcsjones.dev/sometimes-valid-rsa-dotnet/ https://vcsjones.dev/sometimes-valid-rsa-dotnet/ General C# ReadOnlySpan<byte> and static data <p>Since C# 7 there have been a lot of point releases that contain all kinds of goodies. Many of them are performance focused, such as safe stack allocations using <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code>, or interoperability with improvements to <code class="language-plaintext highlighter-rouge">fixed</code>.</p> <p>One that I love, but is not documented well, is some special treatment that <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> gets when its contents are known at compile time.</p> <p>Here’s an example of a lookup table I used to aide with hex encoding that uses a <code class="language-plaintext highlighter-rouge">byte[]</code>:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">LookupTable</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'0'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'1'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'2'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'3'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'4'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'5'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'6'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'7'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'8'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'9'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'A'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'B'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'C'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'D'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'E'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'F'</span><span class="p">,</span> <span class="p">};</span> </code></pre></div></div> <p>This binary data has to get stored <em>somewhere</em> in our produced library. If we use <code class="language-plaintext highlighter-rouge">dumpbin</code> we can see it in the .text section of the binary.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dumpbin /RAWDATA /SECTION:.text mylib.dll </code></pre></div></div> <p>Right at the bottom, we see:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>00402A40: 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 0123456789ABCDEF </code></pre></div></div> <p>I won’t go into the a lot of the details on how this data is compiled into the <code class="language-plaintext highlighter-rouge">.text</code> section, but at this point we need to get that data into the array somehow.</p> <p>If we look at the jit assembly of <code class="language-plaintext highlighter-rouge">LookupTable</code>, we see:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sub rsp, 0x28 vzeroupper mov rcx, 0x7ffc4638746a mov edx, 0x10 call 0x7ffc49b52630 mov rdx, 0x1b51450099c lea rcx, [rax+0x10] vmovdqu xmm0, [rdx] vmovdqu [rcx], xmm0 add rsp, 0x28 ret </code></pre></div></div> <p>Where <code class="language-plaintext highlighter-rouge">0x7ffc49b52630</code> is <code class="language-plaintext highlighter-rouge">InitializeArray</code>.</p> <p>With an array, our property leans on <code class="language-plaintext highlighter-rouge">InitializeArray</code>, the source of which is <a href="https://github.com/dotnet/coreclr/blob/a28b25aacdcd2adb0fdfa70bd869f53ba6565976/src/classlibnative/bcltype/arraynative.cpp#L1377">in the CoreCLR</a>. For little-endian platforms, it boils down to a <code class="language-plaintext highlighter-rouge">memcpy</code> from a runtime field handle.</p> <p>Indeed, with a debugger we finally see:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>00007ffd`b18b701a e831a40e00 call coreclr!memcpy (00007ffd`b19a1450) </code></pre></div></div> <p>Dumping <code class="language-plaintext highlighter-rouge">@rdx L10</code> yields:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>000001f0`4c552a90 30 31 32 33 34 35 36 37-38 39 41 42 43 44 45 46 0123456789ABCDEF </code></pre></div></div> <p>So that was a very long-winded way of saying that when using arrays, initializing a field or variable with bytes results in <code class="language-plaintext highlighter-rouge">memcpy</code> from the image into the array, which results in more data on the heap.</p> <p>Now, starting in 7.3, we can avoid that <code class="language-plaintext highlighter-rouge">memcpy</code> when using <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code>.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="n">ReadOnlySpan</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">LookupTable</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'0'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'1'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'2'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'3'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'4'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'5'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'6'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'7'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'8'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'9'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'A'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'B'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'C'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'D'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'E'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'F'</span><span class="p">,</span> <span class="p">};</span> </code></pre></div></div> <p>Looking at the jit assembly:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mov eax, 0x10 xor edx, edx mov r8, 0x1b5144c0968 mov [rcx], rdx mov [rcx+0x8], r8 mov [rcx+0x10], eax mov rax, rcx ret </code></pre></div></div> <p>We see that there is <code class="language-plaintext highlighter-rouge">mov r8, 0x1b5144c0968</code>. The contents of <code class="language-plaintext highlighter-rouge">0x1b5144c0968</code> are:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>000001b5`144c0968 30 31 32 33 34 35 36 37-38 39 41 42 43 44 45 46 0123456789ABCDEF </code></pre></div></div> <p>So we see that the method is now returning the data directly and omitting the <code class="language-plaintext highlighter-rouge">memcpy</code> entirely, so our <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> is pointing directly to the <code class="language-plaintext highlighter-rouge">.text</code> section.</p> <p>This works for property getters as shown above, but also as the return of a method:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ReadOnlySpan</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="nf">GetBytes</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span> <span class="p">}</span> </code></pre></div></div> <p>Which works similar to the getter of the property. In addition, this also works for locals in a method body as well:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">void</span> <span class="nf">Write200Ok</span><span class="p">(</span><span class="n">Stream</span> <span class="n">s</span><span class="p">)</span> <span class="p">{</span> <span class="n">ReadOnlySpan</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[]</span> <span class="p">{</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'H'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'T'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'T'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'P'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'/'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'1'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'.'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'1'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">' '</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'2'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'0'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'0'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">' '</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'O'</span><span class="p">,</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'K'</span> <span class="p">};</span> <span class="n">s</span><span class="p">.</span><span class="nf">Write</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Which also produces a reasonable JIT disassembly:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sub rsp, 0x38 xor eax, eax mov qword ptr [rsp+0x28], rax mov qword ptr [rsp+0x30], rax mov rcx, 0x1e595b42ade mov eax, 0x0F lea r8, [rsp+0x28] mov qword ptr [r8], rcx mov dword ptr [r8+8], eax mov rcx, rdx lea rdx, [rsp+0x28] cmp dword ptr [rcx], ecx call 0x7ff89ede10c8 (Stream.Write(System.ReadOnlySpan`1&lt;Byte&gt;), mdToken: 0000000006000001) add rsp, 0x38 ret </code></pre></div></div> <p>Here we see <code class="language-plaintext highlighter-rouge">mov rcx, 0x1e595b42ade</code> which moves the address of the static data directly in to the register with no additional work to create a byte array.</p> <p>These optimizations currently only works with <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> right now. Other types will continue to use <code class="language-plaintext highlighter-rouge">InitializeArray</code> due to needing to handle different platforms and how they handle endianness.</p> Fri, 01 Feb 2019 14:20:00 +0000 https://vcsjones.dev/csharp-readonly-span-bytes-static/ https://vcsjones.dev/csharp-readonly-span-bytes-static/ General C# 8 using declarations <p>Visual Studio 2019 preview 2 was released a few days ago and I took the time to install it. Visual Studio itself is actually rather uninteresting to me, however the inclusion of the next C# 8 preview got my attention. I glanced at the feature highlights and posted “looks nice” on Twitter.</p> <p>Predictably, I got a few responses like “I’m not sure I like that”, and there is always a guarantee that if F# has a similar feature, an F# developer will appear and tell you F# has had this feature for 600 years.</p> <p>The one I like a lot is using declarations. This allows a local to automatically be disposed at the end of the block. Essentially, it hides the <code class="language-plaintext highlighter-rouge">try</code>/<code class="language-plaintext highlighter-rouge">finally</code> or the <code class="language-plaintext highlighter-rouge">using() {...}</code>. The .NET team’s blog kind of gave a bad example of this, so I’ll use one from <a href="https://github.com/vcsjones/FiddlerCert">Open OPC SignTool</a>. Here is the original snippet:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="n">X509Certificate2</span> <span class="nf">GetCertificateFromCertificateStore</span><span class="p">(</span><span class="kt">string</span> <span class="n">sha1</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">store</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">X509Store</span><span class="p">(</span><span class="n">StoreName</span><span class="p">.</span><span class="n">My</span><span class="p">,</span> <span class="n">StoreLocation</span><span class="p">.</span><span class="n">LocalMachine</span><span class="p">))</span> <span class="p">{</span> <span class="n">store</span><span class="p">.</span><span class="nf">Open</span><span class="p">(</span><span class="n">OpenFlags</span><span class="p">.</span><span class="n">OpenExistingOnly</span> <span class="p">|</span> <span class="n">OpenFlags</span><span class="p">.</span><span class="n">ReadOnly</span><span class="p">);</span> <span class="kt">var</span> <span class="n">certificates</span> <span class="p">=</span> <span class="n">store</span><span class="p">.</span><span class="n">Certificates</span><span class="p">.</span><span class="nf">Find</span><span class="p">(</span><span class="n">X509FindType</span><span class="p">.</span><span class="n">FindByThumbprint</span><span class="p">,</span> <span class="n">sha1</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="k">return</span> <span class="n">certificates</span><span class="p">.</span><span class="n">Count</span> <span class="p">&gt;</span> <span class="m">0</span> <span class="p">?</span> <span class="n">certificates</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">:</span> <span class="k">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>A <code class="language-plaintext highlighter-rouge">using var</code> can make this:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="n">X509Certificate2</span> <span class="nf">GetCertificateFromCertificateStore</span><span class="p">(</span><span class="kt">string</span> <span class="n">sha1</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">store</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">X509Store</span><span class="p">(</span><span class="n">StoreName</span><span class="p">.</span><span class="n">My</span><span class="p">,</span> <span class="n">StoreLocation</span><span class="p">.</span><span class="n">LocalMachine</span><span class="p">);</span> <span class="n">store</span><span class="p">.</span><span class="nf">Open</span><span class="p">(</span><span class="n">OpenFlags</span><span class="p">.</span><span class="n">OpenExistingOnly</span> <span class="p">|</span> <span class="n">OpenFlags</span><span class="p">.</span><span class="n">ReadOnly</span><span class="p">);</span> <span class="kt">var</span> <span class="n">certificates</span> <span class="p">=</span> <span class="n">store</span><span class="p">.</span><span class="n">Certificates</span><span class="p">.</span><span class="nf">Find</span><span class="p">(</span><span class="n">X509FindType</span><span class="p">.</span><span class="n">FindByThumbprint</span><span class="p">,</span> <span class="n">sha1</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="k">return</span> <span class="n">certificates</span><span class="p">.</span><span class="n">Count</span> <span class="p">&gt;</span> <span class="m">0</span> <span class="p">?</span> <span class="n">certificates</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">:</span> <span class="k">null</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>This has the same effect of <code class="language-plaintext highlighter-rouge">store</code> having <code class="language-plaintext highlighter-rouge">Dispose</code> called on it at the end of the method. The benefit here being that there is less indentation and braces. This keeps me focused on the code that matters. I don’t care when <code class="language-plaintext highlighter-rouge">store</code> is disposed in the method, I can just observe that it has a <code class="language-plaintext highlighter-rouge">using</code> modifier on the local and be assured that <code class="language-plaintext highlighter-rouge">Dispose</code> will be called.</p> <p>This isn’t the same as garbage collection or finalizers. Both of those are non- deterministic, and can lead to unexpected program behavior. That’s less so in the case of <code class="language-plaintext highlighter-rouge">X509Store</code>, so let’s look at another example:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">using</span> <span class="nn">Stream</span> <span class="n">stream</span> <span class="p">=</span> <span class="n">entry</span><span class="p">.</span><span class="nf">Open</span><span class="p">();</span> <span class="kt">var</span> <span class="n">xmlDocument</span> <span class="p">=</span> <span class="n">XDocument</span><span class="p">.</span><span class="nf">Load</span><span class="p">(</span><span class="n">stream</span><span class="p">,</span> <span class="n">LoadOptions</span><span class="p">.</span><span class="n">PreserveWhitespace</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">OpcRelationships</span><span class="p">(</span><span class="n">location</span><span class="p">,</span> <span class="n">xmlDocument</span><span class="p">,</span> <span class="n">readOnlyMode</span><span class="p">);</span> </code></pre></div></div> <p>Not disposing a stream that is backed by a file can cause access errors later in software that might try to open that file again - it is already open, so not only is it a bad idea it leave streams to the GC, it is just simply incorrect.</p> <p>However again <code class="language-plaintext highlighter-rouge">using</code> on the local ensures it is deterministically closed.</p> <p><em>When</em> it gets disposed I can see being slightly unclear to the developer. The quick explanation is when the local is no longer reachable, not when it is last used. The C# 8 above gets compiled roughly to:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">var</span> <span class="n">stream</span> <span class="p">=</span> <span class="n">entry</span><span class="p">.</span><span class="nf">Open</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">xmlDocument</span> <span class="p">=</span> <span class="n">XDocument</span><span class="p">.</span><span class="nf">Load</span><span class="p">(</span><span class="n">stream</span><span class="p">,</span> <span class="n">LoadOptions</span><span class="p">.</span><span class="n">PreserveWhitespace</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">OpcRelationships</span><span class="p">(</span><span class="n">location</span><span class="p">,</span> <span class="n">xmlDocument</span><span class="p">,</span> <span class="n">readOnlyMode</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">stream</span> <span class="p">!=</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="p">((</span><span class="n">IDisposable</span><span class="p">)</span><span class="n">stream</span><span class="p">).</span><span class="nf">Dispose</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>The disposal is done after the return, when the local is no longer reachable, not after <code class="language-plaintext highlighter-rouge">XDocument</code> is created.</p> <p>I find this very helpful to keep code readable. This doesn’t work when you need fine control over when <code class="language-plaintext highlighter-rouge">Dispose</code> is called. A place where this does not work well is when the <code class="language-plaintext highlighter-rouge">Dispose</code> pattern is used for scopes, such as logging. The AzureSignTool project has code similar to this in <code class="language-plaintext highlighter-rouge">SignCommand</code>:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">var</span> <span class="n">logger</span> <span class="p">=</span> <span class="n">loggerFactory</span><span class="p">.</span><span class="n">CreateLogger</span><span class="p">&lt;</span><span class="n">SignCommand</span><span class="p">&gt;();</span> <span class="n">Parallel</span><span class="p">.</span><span class="nf">ForEach</span><span class="p">(</span><span class="n">AllFiles</span><span class="p">,</span> <span class="n">options</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="p">(</span><span class="n">succeeded</span><span class="p">:</span> <span class="m">0</span><span class="p">,</span> <span class="n">failed</span><span class="p">:</span> <span class="m">0</span><span class="p">),</span> <span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">pls</span><span class="p">,</span> <span class="n">state</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">loopScope</span> <span class="p">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">BeginScope</span><span class="p">(</span><span class="s">"File: {Id}"</span><span class="p">,</span> <span class="n">filePath</span><span class="p">))</span> <span class="p">{</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Signing file."</span><span class="p">);</span> <span class="c1">//Sign the file. omit a bunch of other code.</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Done signing the file."</span><span class="p">);</span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogDebug</span><span class="p">(</span><span class="s">"Incrementing success count."</span><span class="p">);</span> <span class="k">return</span> <span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">succeeded</span> <span class="p">+</span> <span class="m">1</span><span class="p">,</span> <span class="n">state</span><span class="p">.</span><span class="n">failed</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>Here, we cannot change this to a <code class="language-plaintext highlighter-rouge">using var</code> because then the <code class="language-plaintext highlighter-rouge">LogDebug</code> would be inside of that logging scope, which it wasn’t before. This is a place where we continue to want <code class="language-plaintext highlighter-rouge">Dispose</code> to be called at a different time from the when <code class="language-plaintext highlighter-rouge">loopScope</code> would no longer be in scope.</p> <p>My impression from C# developers is that they do not tend to call <code class="language-plaintext highlighter-rouge">Dispose</code> on resources as soon as it can be disposed, just at a reasonable point in the same method. Most developers do not write this code:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">public</span> <span class="kt">bool</span> <span class="nf">MightBeExe</span><span class="p">(</span><span class="kt">string</span> <span class="n">filePath</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">firstBytes</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="m">2</span><span class="p">];</span> <span class="kt">int</span> <span class="n">bytesRead</span><span class="p">;</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">file</span> <span class="p">=</span> <span class="n">File</span><span class="p">.</span><span class="nf">Open</span><span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">FileMode</span><span class="p">.</span><span class="n">Open</span><span class="p">))</span> <span class="p">{</span> <span class="n">bytesRead</span> <span class="p">=</span> <span class="n">file</span><span class="p">.</span><span class="nf">Read</span><span class="p">(</span><span class="n">firstBytes</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">2</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">bytesRead</span> <span class="p">==</span> <span class="m">2</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'M'</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'Z'</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>They will instead write something like:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">public</span> <span class="kt">bool</span> <span class="nf">MightBeExe</span><span class="p">(</span><span class="kt">string</span> <span class="n">filePath</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="p">(</span><span class="kt">var</span> <span class="n">file</span> <span class="p">=</span> <span class="n">File</span><span class="p">.</span><span class="nf">Open</span><span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">FileMode</span><span class="p">.</span><span class="n">Open</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">firstBytes</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="m">2</span><span class="p">];</span> <span class="kt">var</span> <span class="n">bytesRead</span> <span class="p">=</span> <span class="n">file</span><span class="p">.</span><span class="nf">Read</span><span class="p">(</span><span class="n">firstBytes</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">2</span><span class="p">);</span> <span class="k">return</span> <span class="n">bytesRead</span> <span class="p">==</span> <span class="m">2</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'M'</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'Z'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>Which is a perfect candidate for <code class="language-plaintext highlighter-rouge">using var</code>:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">public</span> <span class="kt">bool</span> <span class="nf">MightBeExe</span><span class="p">(</span><span class="kt">string</span> <span class="n">filePath</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">file</span> <span class="p">=</span> <span class="n">File</span><span class="p">.</span><span class="nf">Open</span><span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">FileMode</span><span class="p">.</span><span class="n">Open</span><span class="p">);</span> <span class="kt">var</span> <span class="n">firstBytes</span> <span class="p">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="p">[</span><span class="m">2</span><span class="p">];</span> <span class="kt">var</span> <span class="n">bytesRead</span> <span class="p">=</span> <span class="n">file</span><span class="p">.</span><span class="nf">Read</span><span class="p">(</span><span class="n">firstBytes</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">2</span><span class="p">);</span> <span class="k">return</span> <span class="n">bytesRead</span> <span class="p">==</span> <span class="m">2</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'M'</span> <span class="p">&amp;&amp;</span> <span class="n">firstBytes</span><span class="p">[</span><span class="m">1</span><span class="p">]</span> <span class="p">==</span> <span class="p">(</span><span class="kt">byte</span><span class="p">)</span><span class="sc">'Z'</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>There are of course some reasonable limitations to this feature. For example, it cannot be combined with out-variables.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span> <span class="p">(</span><span class="n">Crypto32</span><span class="p">.</span><span class="nf">CryptEncodeObjectEx</span><span class="p">(</span> <span class="c1">// other stuff</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">handle</span><span class="p">,</span> <span class="k">ref</span> <span class="n">size</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="p">(</span><span class="n">handle</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Do stuff</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>This does not work:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span> <span class="p">(</span><span class="n">Crypto32</span><span class="p">.</span><span class="nf">CryptEncodeObjectEx</span><span class="p">(</span> <span class="c1">// other stuff</span> <span class="k">out</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">handle</span><span class="p">,</span> <span class="k">ref</span> <span class="n">size</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="c1">// Do stuff</span> <span class="p">}</span> </code></pre></div></div> <p>Jared Parsons said <a href="https://twitter.com/jaredpar/status/1088832515861663744">on Twitter</a> that C# folks thought of this, and decided that it had “Too much confusion about ownership.” Thinking about it myself, I agree, so it’s nice that the feature is limited in that regard.</p> <p>Another limitation is that the variable cannot be reassigned. For example:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">using</span> <span class="nn">var</span> <span class="n">stream</span> <span class="p">=</span> <span class="n">entry</span><span class="p">.</span><span class="nf">Open</span><span class="p">();</span> <span class="n">stream</span> <span class="p">=</span> <span class="n">entry2</span><span class="p">.</span><span class="nf">Open</span><span class="p">();</span> </code></pre></div></div> <p>This will produce error CS1656, “Cannot assign to ‘stream’ because it is a ‘using variable’”.</p> <p>All in all, I very much like this small feature in C# 8. It has reasonable guard rails on it from doing something too weird like re-assigning to it, while giving the benefit of less blocks, braces, indentation.</p> Wed, 30 Jan 2019 23:20:00 +0000 https://vcsjones.dev/csharp-8-using-declarations/ https://vcsjones.dev/csharp-8-using-declarations/ General Secure Random Integers in .NET Core 3 <p>.NET Core 3.0 is tentatively <a href="https://apisof.net/catalog/System.Security.Cryptography.RandomNumberGenerator.GetInt32(Int32,Int32)">set to include</a> a new API for <em>securely</em> generating a random integer bound to a specific range.</p> <p>I won’t be shy in admitting that it was something <a href="https://github.com/dotnet/corefx/issues/30873">I pushed for</a> and made the initial attempt <a href="https://github.com/dotnet/corefx/pull/31243">at implementing</a>, though it’s unfair to say that I implemented it by myself given all of the outstanding feedback I got on the initial pull request (thanks Levi and Jeremy!)</p> <p>It’s been known for a while that <code class="language-plaintext highlighter-rouge">System.Random</code> shouldn’t be used when cryptographic randomness is required. Despite that, there wasn’t anything built in to .NET that made creating bounded random integers easy. You could either use <code class="language-plaintext highlighter-rouge">System.Random</code> and hope for the best, or use a CSPRNG like <code class="language-plaintext highlighter-rouge">RandomNumberGenerator</code> that gave back raw bytes, which requires some thought on how to to properly convert it to a random integer without introducing any kind of bias.</p> <p>Starting in .NET Core 3.0, you’ll be able to do:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">var</span> <span class="n">min</span> <span class="p">=</span> <span class="m">1</span><span class="p">;</span> <span class="kt">var</span> <span class="n">max</span> <span class="p">=</span> <span class="m">1_000</span><span class="p">;</span> <span class="kt">var</span> <span class="n">randomNumber</span> <span class="p">=</span> <span class="n">RandomNumberGenerator</span><span class="p">.</span><span class="nf">GetInt32</span><span class="p">(</span><span class="n">min</span><span class="p">,</span> <span class="n">max</span><span class="p">);</span> </code></pre></div></div> <p>If you need this before .NET Core 3, well, <a href="https://github.com/dotnet/corefx/pull/31243">the source</a> is right there. It can be adapted with a bit of effort to work on the .NET Framework as well as other environments that don’t have <code class="language-plaintext highlighter-rouge">Span&lt;T&gt;</code>.</p> Tue, 23 Oct 2018 22:35:00 +0000 https://vcsjones.dev/random-integers-dotnet-core/ https://vcsjones.dev/random-integers-dotnet-core/ Security FixedTimeEquals in .NET Core <p>.NET Core introduced <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.cryptographicoperations.fixedtimeequals?view=netcore-2.1"><code class="language-plaintext highlighter-rouge">FixedTimeEquals</code></a> which I have personally found to be very helpful. It’s a small method, but given the kind of code I tend to write, I was writing it a lot from project to project, and am happy to see it in the box.</p> <p>This API is meant to prevent a timing side-channel when comparing two sequences of bytes. The goal is, the comparison should take the same amount of time regardless of the contents of the bytes, assuming they are the same length. This is often required when doing comparisons of MACs or simple possession demonstrations for APIs.</p> <p>Consider you had a web API that required an API key and was implemented in such a way that it just expected a magic string to act as a password to interact with the API.</p> <p>It required an HTTP header, like</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>X-Api-Key: SecretVooDooWord </code></pre></div></div> <p>and TLS was used to ensure it was kept confidential in transit. The API did a naive implementation like this:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">SuperSensitiveApi</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="n">Request</span><span class="p">.</span><span class="n">Headers</span><span class="p">[</span><span class="s">"X-Api-Key"</span><span class="p">].</span><span class="nf">Single</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">key</span> <span class="p">!=</span> <span class="s">"SecretVooDooWord"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Unauthorized</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JsonResult</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">AllTheSecretData</span> <span class="p">=</span> <span class="s">"tada"</span> <span class="p">});</span> <span class="p">}</span> </code></pre></div></div> <aside> <p> This is a very problematic design! A much better solution would be to use something that is well defined and specified for API authentication like OIDC, WS-*, however you want to accomplish it. At the very least, communicating raw secrets is much less than ideal. Instead, a <em>proof of possession</em> or challenge should be used. That still isn't enough to prevent replays and a myriad of other things that are desirable in API authentication. </p> <p> But let's focus on the timing side channel for now. </p> </aside> <p>The issue here is that neither <code class="language-plaintext highlighter-rouge">!=</code> or <code class="language-plaintext highlighter-rouge">==</code> are fixed-time, and will return false as soon as there is an immediate difference. In pseudo code, it might look something like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>compare(word1, word2) { if word1.length != word2.length return false i = 0 while (i &lt; word1.length) { letter1 = word1[i] letter2 = word2[i] if letter1 != letter2 return false else i = i + 1 } return true } </code></pre></div></div> <p>This function will compare the letters one by one. As soon as it encounters a difference, it returns false and doesn’t bother checking the rest. Why should it? The answer is going to be false every time.</p> <p>To an attacker that is trying to figure out the contents of the string, carefully measuring the time can leak the contents of the string. For argument’s sake, let’s say that checking each letter takes 2ns and the attacker has a very accurate way of measuring time over a network and can account for jitter and latency.</p> <pre> GET /SuperSensitiveApi HTTP/1.1 X-Api-Key: Raaaaaaaaaaaaaaa </pre> <p>Checking the API key will take 2ns because the first letters do not match. The attacker moves on to the next letter.</p> <pre> GET /SuperSensitiveApi HTTP/1.1 X-Api-Key: Saaaaaaaaaaaaaaa </pre> <p>This time, checking the API key takes 4ns because the first letter matched (2ns) and the second failed (another 2ns)</p> <pre> GET /SuperSensitiveApi HTTP/1.1 X-Api-Key: Sbaaaaaaaaaaaaaa </pre> <p>Fails again taking 4ns to check the API key. After a few more tries…</p> <pre> GET /SuperSensitiveApi HTTP/1.1 X-Api-Key: Seaaaaaaaaaaaaaa </pre> <p>This time it took 6ns to check the API key because the first and second letter were checked, and the third failed.</p> <p>The attacker can keep doing this by observing the amount of time each call takes. The longer it takes, the attacker can assume they have guessed the next letter. In practice, this is extremely difficult to do over a network and to get accurate enough timing information, but it is believed that it might be possible given enough persistence and an adversary that has the means to be in a network position that is very stable.</p> <p>These kinds of attacks do exist, an example timing side-channel is <a href="https://en.wikipedia.org/wiki/Lucky_Thirteen_attack">Lucky 13</a>, which affected many library’s approach to handling CBC padding in TLS.</p> <p>So <code class="language-plaintext highlighter-rouge">==</code> in C# is a bad way to check strings for equality where timing side channels need to be mitigated. So you say, perhaps you’ll do something like this:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="nf">CheckStringsFixedTime</span><span class="p">(</span><span class="kt">string</span> <span class="n">str1</span><span class="p">,</span> <span class="kt">string</span> <span class="n">str2</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">str1</span><span class="p">.</span><span class="n">Length</span> <span class="p">!=</span> <span class="n">str2</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">allTheSame</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">var</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">str1</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">str1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">!=</span> <span class="n">str2</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="p">{</span> <span class="n">allTheSame</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">allTheSame</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>This <em>looks</em> like it’s constant time, but on modern CPUs and .NET, it’s not. Branch statements, like <code class="language-plaintext highlighter-rouge">if</code>, have timing implications. We can’t take a branch.</p> <p>OK, what about this?</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="nf">CheckStringsFixedTime</span><span class="p">(</span><span class="kt">string</span> <span class="n">str1</span><span class="p">,</span> <span class="kt">string</span> <span class="n">str2</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">str1</span><span class="p">.</span><span class="n">Length</span> <span class="p">!=</span> <span class="n">str2</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">allTheSame</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">var</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">str1</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="n">allTheSame</span> <span class="p">&amp;=</span> <span class="n">str1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">==</span> <span class="n">str2</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="n">allTheSame</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>This looks somewhat promising for C#. We know from the language specification that <code class="language-plaintext highlighter-rouge">&amp;=</code> does not short circuit, so <code class="language-plaintext highlighter-rouge">str1[i] == str2[i]</code> will always be evaluated.</p> <p>We still have a few problems though, and this is where the JIT and x86 can make things more complicated for us.</p> <p>The first issue is that <code class="language-plaintext highlighter-rouge">allTheSame</code> is a simple true/false flag. That still leaves the .NET JIT and x86 instruction execution to make a few optimizations that introduce timing attacks. Timing side channel mitigation should avoid all <em>decisions</em> until the very end. <code class="language-plaintext highlighter-rouge">&amp;</code> is a decision. However, we can improve that some:</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="nf">CheckStringsFixedTime</span><span class="p">(</span><span class="kt">string</span> <span class="n">str1</span><span class="p">,</span> <span class="kt">string</span> <span class="n">str2</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">str1</span><span class="p">.</span><span class="n">Length</span> <span class="p">!=</span> <span class="n">str2</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">var</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">str1</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="n">result</span> <span class="p">|=</span> <span class="n">str1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">^</span> <span class="n">str2</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="n">result</span> <span class="p">==</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>This is fairly close to being time-fixed. We update an integer using <code class="language-plaintext highlighter-rouge">|</code> to combine the bits from the result of an XOR. XOR anything with itself, and the the result is zero. Anything else, and you get a non-zero value. We use a binary OR to combine any bits. At the end, if we have a non-zero value, we know one of the comparison checks failed.</p> <p>There is some debate as to what arithmetic operators are better for fixed time operations between <code class="language-plaintext highlighter-rouge">str1[x]</code> and <code class="language-plaintext highlighter-rouge">str2[x]</code>. Some implementations use XOR, like above, other may use SUB for subtraction. Unfortunately, most CPU architectures make no guarantee if any operations are constant-time.</p> <p>We <em>still</em> have a problem to address. The JIT could be making unintended optimizations. The C# compiler itself makes very little optimizations. The JIT on the other hand may do all sorts of things, like unroll a loop or make a variety of optimizations so the code executes faster.</p> <p>We can tell the JIT to leave it alone, like so.</p> <div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">[</span><span class="nf">MethodImpl</span><span class="p">(</span><span class="n">MethodImplOptions</span><span class="p">.</span><span class="n">NoInlining</span> <span class="p">|</span> <span class="n">MethodImplOptions</span><span class="p">.</span><span class="n">NoOptimization</span><span class="p">)]</span> <span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="nf">CheckStringsFixedTime</span><span class="p">(</span><span class="kt">string</span> <span class="n">str1</span><span class="p">,</span> <span class="kt">string</span> <span class="n">str2</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">str1</span><span class="p">.</span><span class="n">Length</span> <span class="p">!=</span> <span class="n">str2</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">false</span><span class="p">;</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">var</span> <span class="n">i</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="p">&lt;</span> <span class="n">str1</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span> <span class="n">i</span><span class="p">++)</span> <span class="p">{</span> <span class="n">result</span> <span class="p">|=</span> <span class="n">str1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">^</span> <span class="n">str2</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="n">result</span> <span class="p">==</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>So now the JIT will cease to optimize this method at all and it will be closer to as-written.</p> <p>This is close to time-independent as possible with the String type. We can improve things a bit by making the parameters <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;char&gt;</code> which will generate very similar x86 as <code class="language-plaintext highlighter-rouge">string</code> parameters, however the null checks will be eliminated since a ROS cannot be null.</p> <p>This is what .NET Core 2.1’s <code class="language-plaintext highlighter-rouge">FixedTimeEquals</code> does. It just does it over a <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> instead of characters. The x86 produced by the current JIT will be identical for <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;char&gt;</code> and <code class="language-plaintext highlighter-rouge">ReadOnlySpan&lt;byte&gt;</code> with the exception of the size of the <code class="language-plaintext highlighter-rouge">MOVZX</code>.</p> <p>It’s handy that this is just in the box for .NET Core now.</p> Thu, 04 Oct 2018 22:35:00 +0000 https://vcsjones.dev/fixed-time-equals-dotnet-core/ https://vcsjones.dev/fixed-time-equals-dotnet-core/ Security Playing with RISC-V <p>Over the past few years I’ve started to sour on x86 architecture for just about everything. From servers, desktop, and mobile, I’ve long wished we had architectures competing with x86 at the high end.</p> <p>Fortunately, there are plenty of architectures out there. From ARM and ARM64, to MIPS, there are choices. There is one recent one that has been getting my attention lately, and I’ve thought it’s time to start diving in to it.</p> <h1 id="risc-v">RISC-V</h1> <p>RISC-V (pronounced “Risk Five”) is a fairly new architecture that has some interesting ideas behind it that make it worth looking it. Originally designed at UC Berkeley, it is an open architecture with the goal of being applicable to a wide range of devices.</p> <p>An open ISA that is available for commercial use is not unique, but it is rare. Contrast to ARM, if you want to make your own ARM CPU, you need to license the ISA from ARM Holdings Group, to the tune of millions of dollars. While “open” is not a direct benefit to developers, it does mean that a variety of companies that fabricate their own silicon are interested.</p> <p>RISC-V is also designed for multiple device profiles. It supports 32-bit and 64-bit, and is broken down in to a set of extension instruction sets, plus the always available integer base set. The ISA also documents and reserves a 128-bit architecture.</p> <p>This “base” integer instruction set is present on any RISC-V implementation. Often called “RV32I” for 32-bit, or “RV64I”, this instruction set consists of 47 instructions required to move memory, perform computations, and arithmetic.</p> <p>As of writing, some of the designs of the RISC-V architecture are still under active development, while others are finalized. The RV64I and RV32I are complete, while RV128I is still open for changes. The RV64I and RV32I set guarantees 32 registers. For smaller implementations, there is RV32E which limits the register count to 16.</p> <p>The extensions are are follows</p> <ul> <li>“M” extension instructions offer multiplication and division.</li> <li>“A” extension instructions offer atomic instructions.</li> <li>“C” extension instructions are a few compressed for smaller encoding.</li> <li>“F” extension instructions offer single-precision floating point.</li> <li>“D” extension instructions offer double-precision floating point.</li> <li>“Q” extension instructions offer quad-precision floating point.</li> <li>“L” extension instructions offer decimal floating point.</li> </ul> <p>There are more than that, but these are the basic and complete extensions. A vendor may choose to implement any, or none, of these extensions. Most of these extensions can be emulated with the base Integer instructions using compiler replacements, save for the atomic instruction set.</p> <p>A key aspect though is that the ISA leaves open guidance and design for allowing a vendor to implement their own extensions and describing how they would be encoded.</p> <p>The extension set is not entirely meant to be pick and choose whatever. The RV32E base set was designed with only supporting the M, A, C extensions in mind, plus any additional extensions sets implemented on top of it.</p> <h1 id="hardware">Hardware</h1> <p>That all sounds swell. But what about actual hardware? Currently, there is not a lot of hardware out there. SiFive though, makes a board called the HiFive 1 which is a small board with an RV32IMAC capable processor.</p> <p><img class="retina" src="/images/risc-v-hifive.jpg" title="HiFive 1" /></p> <p>Notably, it works with the Arduino Studio, so there is a plenty easy way to get started with that.</p> <p>I however didn’t have a lot of interest in using it as a board to run code that I already knew, I wanted to learn the instruction set, which meant I wanted to write assembly and throw it at the board and see what it did.</p> <p>I initially struggled doing this in WSL for some reason, the details of which I haven’t quite fully comprehended yet. After switching to MacOS, things went a lot smoother, since much of the documentation was for Linux and Unix-like systems.</p> <p>I decided to start with a very simple program. Add two numbers.</p> <pre><code class="language-asm">.section .text .globl _start _start: li t1, 42 li t2, 48 add t3, t1, t2 nop </code></pre> <p><code class="language-plaintext highlighter-rouge">li</code> is “load immediate” which allows putting numbers in to registers immediately. The <code class="language-plaintext highlighter-rouge">t</code> prefixed registers are temporary registers. A simple compile might look something like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>riscv32-unknown-elf-gcc example.S -nostdlib -o example.elf </code></pre></div></div> <p>This will produce a binary that is <em>close</em> to working but has a problem that took me a while to track down. The disassembly looks like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.elf: file format elf32-littleriscv Disassembly of section .text: 00010054 &lt;_start&gt;: 10054: 02a00313 li t1,42 10058: 03000393 li t2,48 1005c: 00730e33 add t3,t1,t2 10060: 0001 nop </code></pre></div></div> <p>Loading this on the HiFive 1 doesn’t work because it doesn’t load at the correct address. Reading through the HiFive 1 ISA and their documentation, the entry point must be at the address <code class="language-plaintext highlighter-rouge">0x20400000</code>. Fortunately, the HiFive 1 comes with a GCC linker script that does all the right things. It handles the start address as well as other memory layout concerns. After re-compiling with their linker script:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>riscv32-unknown-elf-gcc example.S -nostdlib -o example.elf -T link.lds </code></pre></div></div> <p>Re-dumping the assembly shows that <code class="language-plaintext highlighter-rouge">_start</code> appears in the correct location. Loading the program can be done with <code class="language-plaintext highlighter-rouge">openocd</code>, which is included in the HiFive software kit.</p> <p>Starting it with the correct configuration:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>openocd -f ~/.openocd/config/hifive1.cfg </code></pre></div></div> <p>I moved some files around to make things easier, but they should be easy enough to track down in their software kit.</p> <p>Once <code class="language-plaintext highlighter-rouge">openocd</code>, I can use the included RISC-V GDB debugger to remotely debug it. <code class="language-plaintext highlighter-rouge">openocd</code> will start a GDB server on <code class="language-plaintext highlighter-rouge">localhost:3333</code>. Firing up the RISC-V GDB, like <code class="language-plaintext highlighter-rouge">riscv32-unknown-elf-gdb ~/Projects/riscv/example.elf</code>, I can run the following commands to load the software and start debugging it.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>target extended-remote localhost:3333 monitor reset halt monitor flash protect 0 64 last off load layout asm </code></pre></div></div> <p>and if all goes well, we get something like this:</p> <p><img class="retina" src="/images/risc-v-terminal.png" title="Debugging HiFive 1" /></p> <p>Which is fairly exciting! Debugging my first RISC-V process, even if it does something simple like addition. Performing a few <code class="language-plaintext highlighter-rouge">stepi</code> to step a few instructions up to the <code class="language-plaintext highlighter-rouge">nop</code>, I can then use <code class="language-plaintext highlighter-rouge">info register t3</code> (or just <code class="language-plaintext highlighter-rouge">i r t3</code> for short) we see we have 90 in the register, which the result of adding 42 and 48.</p> <p>I’m hopeful that RISC-V will be competitive in the embedded and mobile CPU ISA space. It will take a very long time to get there, and even longer for less homogeneous environment like desktops and laptops, but I believe everyone will be better off if we simply had more to choose from. Even those that will firmly continue to use x86 would benefit from additional innovation and research into architecture design.</p> <p>I’ll continue to play with RISC-V. If something interesting pops up, I’ll do my best to write about it.</p> Fri, 31 Aug 2018 00:45:00 +0000 https://vcsjones.dev/playing-with-riscv/ https://vcsjones.dev/playing-with-riscv/ General Authenticated Encryption <p>There’s been some buzz lately about authenticated encryption. The buzz comes from some interesting issues in OpenGPG, and more recently the folks at Microsoft put out an advisory stating that unauthenticated encryption is simply not advisable anymore.</p> <p>I thought it would be fun to write about cryptography, despite rarely doing it, even though I find it part of what defines me as an engineer and developer.</p> <p>When we think of “encryption”, we usually think of an entity that has sensitive information they want to protect with a “key” of some kind.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ciphertext = encrypt(plaintext, key) </code></pre></div></div> <p>Something like that. “Decryption” is usually visualized as the process in reverse. The entity has encrypted data that they want to decrypt into its plaintext form because they know the key.</p> <p>The truth is, well designed systems that rely on cryptography aren’t this simple for a variety of reasons. Further on top of that, software developers struggle to encrypt and decrypt information correctly because many frameworks or libraries that developers depend on offer <em>primitives</em>.</p> <p>A primitive is a cryptographic function that does very little, but it does its job and it does its job well. That doesn’t mean though that the primitive is enough to fully complete the task. “AES” is a widely known primitive encryption function.</p> <p>Its most common mode of operation is Cipher Block Chaining, or CBC, which is not authenticated. To put another way, it is <em>malleable</em>. Let’s demonstrate with some ruby code.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">require</span> <span class="s1">'openssl'</span> <span class="n">encrypt_me</span> <span class="o">=</span> <span class="s2">"what a fine day for coding"</span> <span class="c1"># Data to encrypt</span> <span class="n">aes_key</span> <span class="o">=</span> <span class="p">(</span><span class="mi">1</span><span class="o">..</span><span class="mi">16</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad key</span> <span class="n">aes_iv</span> <span class="o">=</span> <span class="p">(</span><span class="mi">17</span><span class="o">..</span><span class="mi">32</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad initialization vector</span> <span class="n">cipher</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Cipher</span><span class="o">::</span><span class="no">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="mi">128</span><span class="p">,</span> <span class="ss">:CBC</span><span class="p">)</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">encrypt</span> <span class="c1"># Put it in "encrypt" mode, doesn't actually encrypt</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">key</span> <span class="o">=</span> <span class="n">aes_key</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">iv</span> <span class="o">=</span> <span class="n">aes_iv</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">encrypt_me</span><span class="p">)</span> <span class="o">+</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">final</span> <span class="nb">puts</span> <span class="n">ciphertext</span><span class="p">.</span><span class="nf">bytes</span><span class="p">.</span><span class="nf">inspect</span> </code></pre></div></div> <p>Which produces</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[15, 90, 144, 183, 105, 160, 17, 219, 160, 166, 20, 201, 53, 30, 2, 29, 217, 115, 3, 249, 2, 170, 203, 32, 37, 234, 147, 188, 167, 254, 254, 192] </code></pre></div></div> <p>There are some <em>bad</em> things in the code example above - it uses a hard-coded, easy to guess key and initialization vector. If you borrow this code, please be wary that it is to demonstrate.</p> <p>Decryption is a similar process.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">aes_key</span> <span class="o">=</span> <span class="p">(</span><span class="mi">1</span><span class="o">..</span><span class="mi">16</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad key</span> <span class="n">aes_iv</span> <span class="o">=</span> <span class="p">(</span><span class="mi">17</span><span class="o">..</span><span class="mi">32</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad initialization vector</span> <span class="n">cipher</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Cipher</span><span class="o">::</span><span class="no">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="mi">128</span><span class="p">,</span> <span class="ss">:CBC</span><span class="p">)</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">decrypt</span> <span class="c1"># Put it in "decrypt" mode, doesn't actually decrypt</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">key</span> <span class="o">=</span> <span class="n">aes_key</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">iv</span> <span class="o">=</span> <span class="n">aes_iv</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">+</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">final</span> <span class="nb">puts</span> <span class="n">plaintext</span> </code></pre></div></div> <p>Which produces the original string, “what a fine day for coding”.</p> <p>What if we just… changed the first byte of the cipher text though?</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"</span><span class="se">\1</span><span class="s2">"</span> <span class="c1"># same decryption code as above</span> </code></pre></div></div> <p>That decrypts to “,=m1aH-q8hor coding”. The decryption process didn’t fail in any clear way, it just produced some garbage. We’ve broken the entire “block” of data that we changed a byte in, plus the Nth byte of the next block which was changed. Since we changed the first (0th) byte, the first byte in the second block is “h”, not “f”.</p> <p>If we slice the data:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">plaintext</span><span class="p">[</span><span class="mi">0</span><span class="o">..</span><span class="mi">15</span><span class="p">]</span> <span class="c1"># produces ,=m1aH-q8</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">16</span><span class="o">..-</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># produces hor coding</span> </code></pre></div></div> <p>If we change the second value of the cipher text:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"</span><span class="se">\1</span><span class="s2">"</span> <span class="c1"># Decrypt...</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">0</span><span class="o">..</span><span class="mi">15</span><span class="p">]</span> <span class="c1"># produces non-ASCII characters</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">16</span><span class="o">..-</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># produces f4r coding</span> </code></pre></div></div> <p>We see that the “f” is correct for the first byte, but wrong for the second byte.</p> <p>This is malleable encryption. It allows an attacker to change bits or whole bytes. However the decryption process doesn’t “know” that it is producing invalid data. It’s obvious when you are processing something like text, but it can be less obvious if the data being encrypted is binary data, like a JPEG image.</p> <p>More interestingly, let’s try changing the last byte of the cipher text:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"</span><span class="se">\1</span><span class="s2">"</span> <span class="c1"># Decrypt...</span> </code></pre></div></div> <p>Boom! We get an error, <code class="language-plaintext highlighter-rouge">in 'final': bad decrypt (OpenSSL::Cipher::CipherError)</code>. Why is that? What we just changed was a padding byte. You might have noticed that when we encrypted our string, the resulting cipher text was bigger than then plain text.</p> <p>That’s because AES-CBC is a block cipher. It has to operate on chunks of data that are 16 bytes in size. Many implementations will pad the data for you. So when we encrypted “what a fine day for coding”, what actually got encrypted was “what a fine day for coding\6\6\6\6\6\6”.</p> <p>Where did those \6 bytes come from? That how many bytes it took to reach a multiple of 16. During decryption, it looks at the last byte to determine how much padding to remove.</p> <p>We can demonstrate this by telling the AES cipher during decryption that there is no padding.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">cipher</span><span class="p">.</span><span class="nf">padding</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># Continue decryption...</span> <span class="nb">puts</span> <span class="n">plaintext</span><span class="p">.</span><span class="nf">bytes</span><span class="p">.</span><span class="nf">inspect</span> </code></pre></div></div> <p>Which produces:</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[119, 104, 97, 116, 32, 97, 32, 102, 105, 110, 101, 32, 100, 97, 121, 32, 102, 111, 114, 32, 99, 111, 100, 105, 110, 103, 6, 6, 6, 6, 6, 6] </code></pre></div></div> <p>So we can see the padding is left there. Six bytes of padding.</p> <p>Most implementations of AES will automatically apply and remove padding for you.</p> <p>A poor implementation of AES padding removal will look at the last byte and blindly remove that many bytes:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Bad padding removal</span> <span class="n">last_octet</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="nf">ord</span> <span class="n">unpadded</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">0</span><span class="o">...-</span><span class="n">last_octet</span><span class="p">]</span> </code></pre></div></div> <p>A better implementation of AES padding removal will check that all of the padding bytes are equal to the amount of padding removed.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Better</span> <span class="n">last_octet</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="nf">ord</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="n">last_octet</span><span class="o">..-</span><span class="mi">1</span><span class="p">]</span> <span class="n">is_padding_valid</span> <span class="o">=</span> <span class="n">padding</span><span class="p">.</span><span class="nf">bytes</span><span class="p">.</span><span class="nf">all?</span> <span class="p">{</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="n">b</span> <span class="o">==</span> <span class="n">last_octet</span> <span class="p">}</span> <span class="c1"># Handle "false" for is_padding_valid</span> <span class="n">unpadded</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">0</span><span class="o">...-</span><span class="n">last_octet</span><span class="p">]</span> </code></pre></div></div> <p>An even better implementation of AES padding removal would validate the padding in constant time, which is out of my hands with ruby.</p> <p>It turns out that “false” case for <code class="language-plaintext highlighter-rouge">is_padding_valid</code> has caused a lot of problems with AES-CBC, resulting in a <em>padding oracle</em>.</p> <p>For fun, let’s change the last byte of the <em>first</em> block, and look at the decrypted result and leave the padding on. Remember as we saw previously, changing the Nth byte of the previous block affects the Nth byte of the current block. That’s true for padding as well, it get encrypted like any other data.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"</span><span class="se">\1</span><span class="s2">"</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">padding</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1">#Decrypt...</span> </code></pre></div></div> <p>We get:</p> <pre><code class="language-test">[... 110, 103, 6, 6, 6, 6, 6, 26] </code></pre> <p>Clearly this padding is invalid, because the padding bytes are not all equal to 26. In our home-grown padding removal, <code class="language-plaintext highlighter-rouge">is_padding_valid</code> would be false and an error would be returned.</p> <p>There is one other value that is valid padding, which is 1. If we can change the last byte of the first block so that the last padding byte is one, the padding will appear valid and no error is raised. Let’s use our bad padding removal code and throw an exception if the padding is bad.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">decrypt</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">aes_key</span> <span class="o">=</span> <span class="p">(</span><span class="mi">1</span><span class="o">..</span><span class="mi">16</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad key</span> <span class="n">aes_iv</span> <span class="o">=</span> <span class="p">(</span><span class="mi">17</span><span class="o">..</span><span class="mi">32</span><span class="p">).</span><span class="nf">to_a</span><span class="p">.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"C*"</span><span class="p">)</span> <span class="c1"># Dummy bad initialization vector</span> <span class="n">cipher</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Cipher</span><span class="o">::</span><span class="no">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="mi">128</span><span class="p">,</span> <span class="ss">:CBC</span><span class="p">)</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">padding</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">decrypt</span> <span class="c1"># Put it in "decrypt" mode, doesn't actually decrypt</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">key</span> <span class="o">=</span> <span class="n">aes_key</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">iv</span> <span class="o">=</span> <span class="n">aes_iv</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">last_octet</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="nf">ord</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="n">last_octet</span><span class="o">..-</span><span class="mi">1</span><span class="p">]</span> <span class="n">is_padding_valid</span> <span class="o">=</span> <span class="n">padding</span><span class="p">.</span><span class="nf">bytes</span><span class="p">.</span><span class="nf">all?</span> <span class="p">{</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="n">b</span> <span class="o">==</span> <span class="n">last_octet</span> <span class="p">}</span> <span class="k">raise</span> <span class="s2">"BAD PADDING"</span> <span class="k">unless</span> <span class="n">is_padding_valid</span> <span class="k">return</span> <span class="n">plaintext</span><span class="p">[</span><span class="mi">0</span><span class="o">...-</span><span class="n">last_octet</span><span class="p">]</span> <span class="k">end</span> </code></pre></div></div> <p>Our test string is made up of two blocks. We happen to know the padding length is 6, but let’s pretend we don’t. Here is the cipher text. Let’s try and break the last block.</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Block 1: [15, 90, 144, 183, 105, 160, 17, 219, 160, 166, 20, 201, 53, 30, 2, 29] Block 2: [217, 115, 3, 249, 2, 170, 203, 32, 37, 234, 147, 188, 167, 254, 254, 192] </code></pre></div></div> <p>Let’s assume we have a server that we can submit a cipher text to and we have some encrypted data we want to decrypt. The server can accept encrypted data, but it never actually reveals what the plaintext is. The server will either give a padding error back, or say “OK, I was able to decrypt and process the data”.</p> <p>Remember earlier we said:</p> <blockquote> <p>We’ve broken the entire “block” of data that we changed a byte in, plus the Nth byte of the next block which was changed.</p> </blockquote> <p>It goes to reason then, that if we change the last value of the first block, it will affect the last byte of the second block. We are assuming that this encrypted data has padding, but we don’t know how much. Perhaps we can fiddle with the last byte of the penultimate block.</p> <p>Fortunately, our decryption process makes a nice big fat error when the padding is wrong. The byte of the padding has one or two possible values. The value it is supposed to be (remember, it’s six because we are cheating for now) and one. If it’s one, the padding remover will just remove the last byte. If we just try all combinations for the last byte of the first block, perhaps we can figure out what value makes a padding value of one.</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code> Change this ↓ Block 1: [15, 90, 144, 183, 105, 160, 17, 219, 160, 166, 20, 201, 53, 30, 2, 29] Block 2: [217, 115, 3, 249, 2, 170, 203, 32, 37, 234, 147, 188, 167, 254, 254, 192] ↑ To affect this </code></pre></div></div> <p>Let’s loop over it.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">255</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="c1"># Set last byte of first block</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="nf">chr</span> <span class="k">begin</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">b</span> <span class="k">rescue</span> <span class="c1"># The decryption process an error. Skip it and move on.</span> <span class="k">next</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>We get two values back. We get 29 and 26. We already know that the value 29 is valid because that’s the actual value from the ciphertext. So 26 forces the padding to one.</p> <p>Let’s cheat for a moment and verify our findings so that we are comfortable. Given:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="mi">26</span><span class="p">.</span><span class="nf">chr</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="k">return</span> </code></pre></div></div> <p>and if we peek inside the decrypted result with the padding left on, we get:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[95, 9, 61, 149, 138, 173, 150, 56, 255, 200, 46, 73, 45, 145, 185, 77, 102, 111, 114, 32, 99, 111, 100, 105, 110, 103, 6, 6, 6, 6, 6, 1] </code></pre></div></div> <p>The first block is garbage, but crucially we see that we indeed coerce the padding byte to 1.</p> <p>OK, no more pretending. We know that if we tweak the cipher text’s 15th byte to 26, we end up with a padding of one. What can we learn from that? Let’s take the original ciphertext value, 29, and xor it with our guessed value 26, and then with 1 which is the plaintext value we know it happens to be because the padding was removed successfully.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">29</span> <span class="o">^</span> <span class="mi">26</span> <span class="o">^</span> <span class="mi">1</span> <span class="o">=&gt;</span> <span class="mi">6</span> </code></pre></div></div> <p>We were able to figure out the plaintext last byte of the second block. This isn’t “sensitive”, yet, this is the only a padding value. However, we did successfully decrypt a byte without explicit knowledge of the key or the decryption process telling it was 6.</p> <p>Let’s see if we can figure out how to get the padding to (2, 2).</p> <p>We can control the last byte of the plaintext now. We can force it to 2 using</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ciphertext_value xor known_plaintext_value xor 2 </code></pre></div></div> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">original_ct</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">.</span><span class="nf">dup</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">15</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">2</span><span class="p">).</span><span class="nf">chr</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">255</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="nf">chr</span> <span class="k">begin</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">b</span> <span class="k">rescue</span> <span class="k">next</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>The result we get back is 6 for this one. If we follow the same formula of</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ciphertext_byte xor guess xor result </code></pre></div></div> <p>We get <code class="language-plaintext highlighter-rouge">2 ^ 6 ^ 2</code>, which is 6. So we we have decrypted another byte. Let’s use that to force our padding to three.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">15</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">3</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">14</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">3</span><span class="p">).</span><span class="nf">chr</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">255</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">13</span><span class="p">]</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="nf">chr</span> <span class="k">begin</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">b</span> <span class="k">rescue</span> <span class="k">next</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>The result is 27. <code class="language-plaintext highlighter-rouge">30 ^ 27 ^ 3</code> is yet again, 6. Which is what we expect since we expect 6 padding bytes with a value of 6.</p> <p>For the sake of brevity, let’s skip ahead a bit. Let’s see what happens if we trick it in to thinking there are 7 padding bytes.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">15</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">14</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">14</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">13</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">13</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">12</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">12</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">11</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">11</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">10</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">7</span><span class="p">).</span><span class="nf">chr</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">255</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">b</span><span class="o">|</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="n">b</span><span class="p">.</span><span class="nf">chr</span> <span class="k">begin</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">b</span> <span class="k">rescue</span> <span class="k">next</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>The result is 198. <code class="language-plaintext highlighter-rouge">166 ^ 198 ^ 7</code> is 103. 103 on the ASCII table is “g”. Our plaintext string ends in a “g”. Let’s keep advancing.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">10</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">6</span> <span class="o">^</span> <span class="mi">8</span><span class="p">).</span><span class="nf">chr</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">original_ct</span><span class="p">[</span><span class="mi">9</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="mi">103</span> <span class="o">^</span> <span class="mi">8</span><span class="p">).</span><span class="nf">chr</span> <span class="c1"># etc...</span> </code></pre></div></div> <p>We get 198, and <code class="language-plaintext highlighter-rouge">160 ^ 198 ^ 8</code> is “n”. If we repeat this pattern, we can fully decrypt the block. Let’s automate this a bit now.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">ciphertext</span><span class="p">.</span><span class="nf">freeze</span> <span class="n">decrypt_data</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">.</span><span class="nf">dup</span> <span class="n">recovered</span> <span class="o">=</span> <span class="p">{}</span> <span class="p">(</span><span class="mi">1</span><span class="o">..</span><span class="mi">16</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">i</span><span class="o">|</span> <span class="n">position</span> <span class="o">=</span> <span class="mi">16</span><span class="o">-</span><span class="n">i</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">255</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">guess</span><span class="o">|</span> <span class="n">decrypt_data</span><span class="p">[</span><span class="n">position</span><span class="p">]</span> <span class="o">=</span> <span class="n">guess</span><span class="p">.</span><span class="nf">chr</span> <span class="k">begin</span> <span class="n">decrypt</span><span class="p">(</span><span class="n">decrypt_data</span><span class="p">)</span> <span class="k">rescue</span> <span class="k">next</span> <span class="c1"># Bad padding.</span> <span class="k">end</span> <span class="n">recovered</span><span class="p">[</span><span class="n">position</span><span class="p">]</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">[</span><span class="n">position</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="n">guess</span> <span class="o">^</span> <span class="n">i</span> <span class="p">(</span><span class="mi">1</span><span class="o">..</span><span class="n">i</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">j</span><span class="o">|</span> <span class="n">z</span> <span class="o">=</span> <span class="mi">16</span> <span class="o">-</span> <span class="n">j</span> <span class="n">decrypt_data</span><span class="p">[</span><span class="n">z</span><span class="p">]</span> <span class="o">=</span> <span class="p">(</span><span class="n">ciphertext</span><span class="p">[</span><span class="n">z</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="n">recovered</span><span class="p">[</span><span class="n">z</span><span class="p">]</span> <span class="o">^</span> <span class="p">(</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">)).</span><span class="nf">chr</span> <span class="k">end</span> <span class="k">break</span> <span class="k">end</span> <span class="k">end</span> <span class="n">pp</span> <span class="n">recovered</span><span class="p">.</span><span class="nf">sort</span><span class="p">.</span><span class="nf">map</span> <span class="p">{</span> <span class="o">|</span><span class="n">k</span><span class="p">,</span> <span class="n">v</span><span class="o">|</span> <span class="n">v</span> <span class="p">}.</span><span class="nf">pack</span><span class="p">(</span><span class="s2">"c*"</span><span class="p">)</span> </code></pre></div></div> <p>The final output is:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>for coding\x06\x06\x06\x06\x06\x06 </code></pre></div></div> <p>The everything put together example of attacking padding is <a href="https://gist.github.com/vcsjones/f9d52327c31a822cdc2f73423cace383#file-break-cbc-padding-rb">available on GitHub</a>. You can run that in most online ruby REPLs, like <a href="https://repl.it/languages/ruby">repl.it</a>.</p> <p>The crucial thing about this is that the “decrypt” process never returns the decrypted data, it either raises an exception or returns “Data processed”. Yet we were still able to determine the contents.</p> <p>A common example of this is encrypted data over insecure transports and home-grown transport protocols. Such an example might be two servers that need to communicate with each other securely. The owners of the servers are able to pre-share an AES key for data transmission, say with a configuration file of sorts, so they assume they don’t need to use HTTPS because they can use AES-CBC to communicate data with their preshared keys. If that encrypted data is intercepted, and the intercepter is able to re-submit that data to one of the servers with padding changed, they are now able to decrypt this data.</p> <blockquote> <p>Aside: You really should just use TLS with a modern configuration of protocol and cipher suites.</p> </blockquote> <p>The solution for this is to <em>authenticate</em> our cipher text, which is to say, make it tamper-proof. This is easier said than done.</p> <p>Let’s clean up symmetric encryption a bit to make it less of an example.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">process_data</span><span class="p">(</span><span class="n">iv</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Cipher</span><span class="o">::</span><span class="no">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="mi">128</span><span class="p">,</span> <span class="ss">:CBC</span><span class="p">)</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">padding</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">decrypt</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">key</span> <span class="o">=</span> <span class="vi">@aes_key</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">iv</span> <span class="o">=</span> <span class="n">iv</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">last_octet</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="nf">ord</span> <span class="k">raise</span> <span class="no">PaddingError</span> <span class="k">if</span> <span class="n">plaintext</span><span class="p">.</span><span class="nf">length</span> <span class="o">-</span> <span class="n">last_octet</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="n">padding</span> <span class="o">=</span> <span class="n">plaintext</span><span class="p">[</span><span class="o">-</span><span class="n">last_octet</span><span class="o">..-</span><span class="mi">1</span><span class="p">]</span> <span class="n">is_padding_valid</span> <span class="o">=</span> <span class="n">padding</span><span class="p">.</span><span class="nf">bytes</span><span class="p">.</span><span class="nf">inject</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="o">|</span> <span class="n">a</span> <span class="o">|</span> <span class="p">(</span><span class="n">b</span> <span class="o">^</span> <span class="n">last_octet</span><span class="p">)</span> <span class="p">}.</span><span class="nf">zero?</span> <span class="k">raise</span> <span class="no">PaddingError</span> <span class="k">unless</span> <span class="n">is_padding_valid</span> <span class="c1"># Process data</span> <span class="k">return</span> <span class="kp">true</span> <span class="k">end</span> </code></pre></div></div> <p>There. We have a function that takes an independent initialization vector and the data, and does a little bit more error handling. It still has flaws mind you, regarding padding removal. There are also some short comings of our attack, such has handling the case where the amount of padding on the ciphertext really is one or decrypting multiple blocks. Both of those are currently left as an exercise.</p> <p>The usual means of authenticating AES-CBC is with an HMAC using Encrypt-then-MAC (EtM) to ensure the integrity of the ciphertext. Let’s cleanup our code a bit and reduce the amount of assumptions we make. No more hard coded keys and IVs. We’ll go with in-memory values, for now.</p> <p>The final cleaned up version of this is also <a href="https://gist.github.com/vcsjones/f9d52327c31a822cdc2f73423cace383#file-cleaned-up-aes-break-rb">available on GitHub</a>. For brevity, here are the function definitions:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">encrypt_data</span><span class="p">(</span><span class="n">plaintext</span><span class="p">);</span> <span class="c1"># return is [ciphertext, random_iv]</span> <span class="k">def</span> <span class="nf">process_data</span><span class="p">(</span><span class="n">iv</span><span class="p">,</span> <span class="n">data</span><span class="p">);</span> <span class="c1">#return is "true", or an exception is raised</span> </code></pre></div></div> <p>HMAC is a symmetric signature, or a “keyed hash”. If we sign the contents of the cipher text, then validate the HMAC before attempting to decrypt the data, then we have reasonable assurance that the cipher text has not been changed.</p> <p>Let’s update the <code class="language-plaintext highlighter-rouge">encrypt_data</code> function to include a MAC.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">HASH_ALGORITHM</span> <span class="o">=</span> <span class="s1">'sha256'</span><span class="p">.</span><span class="nf">freeze</span> <span class="k">def</span> <span class="nf">encrypt_data</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> <span class="n">new_iv</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Random</span><span class="p">.</span><span class="nf">random_bytes</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Cipher</span><span class="o">::</span><span class="no">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="mi">128</span><span class="p">,</span> <span class="ss">:CBC</span><span class="p">)</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">encrypt</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">key</span> <span class="o">=</span> <span class="vi">@aes_key</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">iv</span> <span class="o">=</span> <span class="n">new_iv</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> <span class="o">+</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">final</span> <span class="n">digest</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Digest</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="no">HASH_ALGORITHM</span><span class="p">)</span> <span class="n">mac</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">HMAC</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="n">digest</span><span class="p">,</span> <span class="vi">@hmac_key</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">)</span> <span class="p">[</span><span class="n">mac</span><span class="p">.</span><span class="nf">freeze</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">.</span><span class="nf">freeze</span><span class="p">,</span> <span class="n">new_iv</span><span class="p">.</span><span class="nf">freeze</span><span class="p">]</span> <span class="k">end</span> </code></pre></div></div> <p>Our encrypt function now returns the MAC as well. Many uses of EtM simply prepend the MAC to the front of the cipher text. The MAC’s size will be consistent with the underlying algorithm. For example, HMAC-SHA256 will always produce a 256-bit length digest, or 32-bytes. When it comes time to decrypt the data, the HMAC is split off from the cipher text since the length is known.</p> <p>The <code class="language-plaintext highlighter-rouge">process_data</code> can be updated like this:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">HASH_ALGORITHM</span> <span class="o">=</span> <span class="s1">'sha256'</span><span class="p">.</span><span class="nf">freeze</span> <span class="k">def</span> <span class="nf">process_data</span><span class="p">(</span><span class="n">iv</span><span class="p">,</span> <span class="n">mac</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="k">raise</span> <span class="no">MacError</span> <span class="k">if</span> <span class="n">mac</span><span class="p">.</span><span class="nf">length</span> <span class="o">!=</span> <span class="mi">32</span> <span class="n">digest</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Digest</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="no">HASH_ALGORITHM</span><span class="p">)</span> <span class="n">recomputed_mac</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">HMAC</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="n">digest</span><span class="p">,</span> <span class="vi">@hmac_key</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="n">is_mac_valid</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">(</span><span class="mi">0</span><span class="o">...</span><span class="mi">32</span><span class="p">).</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">index</span><span class="o">|</span> <span class="n">is_mac_valid</span> <span class="o">|=</span> <span class="n">recomputed_mac</span><span class="p">[</span><span class="n">index</span><span class="p">].</span><span class="nf">ord</span> <span class="o">^</span> <span class="n">mac</span><span class="p">[</span><span class="n">index</span><span class="p">].</span><span class="nf">ord</span> <span class="k">end</span> <span class="k">raise</span> <span class="no">MacError</span> <span class="k">if</span> <span class="n">is_mac_valid</span> <span class="o">!=</span> <span class="mi">0</span> <span class="c1"># Continue normal decryption</span> </code></pre></div></div> <p>Our attack on the padding no longer works. When we attempt to tweak the first block, the HMAC no longer matches the supplied value. As an attacker, we can’t feasibly re-compute the HMAC without the HMAC key, and trying to guess one that works is also not doable.</p> <p>We have some simple authenticated data applied to AES-CBC now, and defeated our padding oracle attack.</p> <p>Authenticated encryption is a bare <em>minimum</em> for properly encrypting data, it isn’t “bonus” security. This attack is not new, is have been known at least since Vaudenay described it in 2002. Yet application developers continue to use unauthenticated encryption. Part of that is because people have stated that this oracle attack can be mitigated by not revealing that there was a padding error during decryption and instead being generic about the failure. This was likely incorrect advice - the correct solution is to authenticate the data which mitigates the padding oracle attack quite well.</p> <p>We’re not quite done yet. In a later post, we’ll look at some of the problems with authenticating data using HMAC or using a mode of AES that is already authenticated like AES-GCM.</p> Sun, 24 Jun 2018 14:42:00 +0000 https://vcsjones.dev/authenticated-encryption/ https://vcsjones.dev/authenticated-encryption/ Security