TyNguyen-3238 asked ChaoDeng-MSFT commented

What Causes "The payload was invalid" Error in .Net Core 3.1 Application?

We have a .Net Core 3.1 web app that uses Microsoft.AspNetCore.DataProtection version 3.1.0 to encrypt and decrypt data. The application all of a sudden fails to decrypt the data because of the error "The payload was invalid", as seen below:

[2021-08-18 08:12:19 ERR] [FoxCentral.Web.Api.ErrorController] Path: /api/botflows/2. Error: The payload was invalid.
Trace: at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)

We store the keys in a database using Entity Framework Core and use X509 certificates to protect the keys. Below is how we set up data protection in our app:

// Register Data Protection and persist the key ring in the database through EF Core
var protectionBuilder = services.AddDataProtection();
protectionBuilder.PersistKeysToDbContext<KeysContext>();

// Encrypt new keys at rest with one certificate; allow decryption with any of the listed certificates
protectionBuilder.ProtectKeysWithCertificate(certificates.KeyProtectCertificate)
    .UnprotectKeysWithAnyCertificate(certificates.KeyUnprotectCertificates.ToArray());

All the data was encrypted and decrypted on the same server. What causes that decryption failure? How can we recover the data?

dotnet-aspnet-core-general

Hi @TyNguyen-3238,
You encrypt and decrypt the data on the same server and store the key in the database, but by default a new key is regenerated every 90 days, so if the ciphertext in the database is not updated, it will fail. Is this the reason? If not, can you provide more relevant configuration information?

In addition, the official documentation may also be helpful to you.

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-5.0


Do we have to manually update the ciphertext in the keys database? I thought that would be handled by the data protection API automatically. What causes the ciphertext update to fail? The biggest question is how to recover the data.


Hi @TyNguyen-3238,
When a key expires, the app automatically generates a new key and sets the new key as the active key. As long as retired keys remain on the system, your app can decrypt any data protected with them. The data protection system manages key rotation internally and creates a new key when the old key expires. See key management for more information.
In addition, expired keys can be used to decrypt existing data, but they can't be used to encrypt new data. If you're running your application in a clustered scenario, you'll want to take a look at one of the alternative configuration approaches.
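The stack trace in the question fails inside CbcAuthenticatedEncryptor, which is reached only after the key id embedded in the payload header has been found in the key ring; a key that had simply expired or gone missing, as discussed in the comments, would instead fail earlier in KeyRingBasedDataProtector with a "key was not found in the key ring" error. The script below is an added example for this thread, not code from the question, from Microsoft, or from the ASP.NET Core repository. It parses the documented payload header (a big-endian magic value 0x09F0C9F0 followed by the protecting key's GUID in Guid.ToByteArray() order) so a failing Base64Url token can be checked against the key ids actually persisted in the EF Core key table, and it separates "key missing" from "key present but the encryptor rejected the ciphertext or MAC". The key id, body bytes and key-ring list are constructed fixtures; the 64-byte minimum body length assumes the default AES-256-CBC + HMACSHA256 encryptor.

```python
"""Inspect the header of an ASP.NET Core Data Protection payload.

Constructed example for this thread; it is not code from the question,
from Microsoft, or from the ASP.NET Core repository. It relies on the
documented payload layout: a 32-bit big-endian magic value (0x09F0C9F0),
then the 128-bit id of the key that protected the data in
Guid.ToByteArray() (mixed-endian) order, then an encryptor-specific body.
"""
import base64
import uuid

MAGIC_HEADER_V0 = 0x09F0C9F0
KEY_ID_LEN = 16
HEADER_LEN = 4 + KEY_ID_LEN

# Smallest body the default AES-256-CBC + HMACSHA256 encryptor accepts:
# 16-byte key modifier + 16-byte IV + 32-byte HMAC. Anything shorter is
# rejected with "The payload was invalid" before the MAC is even checked.
MIN_CBC_HMAC_BODY_LEN = 16 + 16 + 32

# Constructed key id used as a fixture below (not a real key from any system).
CONSTRUCTED_KEY_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def base64url_decode(text: str) -> bytes:
    """Decode the unpadded Base64Url string that IDataProtector.Protect(string) returns."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def base64url_encode(data: bytes) -> str:
    """Inverse of base64url_decode, used here only to build test tokens."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def build_payload(key_id: uuid.UUID, body: bytes) -> bytes:
    """Assemble header + body in the Data Protection layout (fixture builder, not a protector)."""
    return MAGIC_HEADER_V0.to_bytes(4, "big") + key_id.bytes_le + body


def parse_payload(protected: bytes) -> dict:
    """Split a raw payload into key id and encryptor body; raise ValueError on a bad header."""
    if len(protected) < HEADER_LEN:
        raise ValueError("too short to carry a Data Protection header")
    magic = int.from_bytes(protected[:4], "big")
    if magic != MAGIC_HEADER_V0:
        raise ValueError(f"unexpected magic header 0x{magic:08X}")
    # .NET Guid.ToByteArray() stores the first three fields little-endian,
    # which is exactly the layout uuid's bytes_le constructor expects.
    key_id = uuid.UUID(bytes_le=protected[4:HEADER_LEN])
    return {"key_id": key_id, "body": protected[HEADER_LEN:]}


def diagnose(protected_b64url: str, key_ring_ids) -> str:
    """Classify why Unprotect could fail, using only the header and the persisted key ids.

    key_ring_ids: ids of the keys in the key store (for the question's setup,
    the id attribute of each key XML row in the EF Core table), as UUIDs or strings.
    """
    try:
        parsed = parse_payload(base64url_decode(protected_b64url))
    except ValueError:  # binascii.Error is a ValueError subclass, so bad Base64 lands here too
        return "not_a_data_protection_payload"
    known = {uuid.UUID(str(k)) for k in key_ring_ids}
    if parsed["key_id"] not in known:
        # Unprotect throws "The key {id} was not found in the key ring" here,
        # so a stack trace inside CbcAuthenticatedEncryptor rules this case out.
        return "key_not_in_ring"
    if len(parsed["body"]) < MIN_CBC_HMAC_BODY_LEN:
        return "payload_truncated"
    # Key found and length plausible: the encryptor itself rejected the data,
    # meaning the HMAC did not verify (altered or corrupted ciphertext, or key
    # material that no longer matches what protected it).
    return "key_present_integrity_check_failed"


if __name__ == "__main__":
    # Constructed token: real header layout, dummy body bytes.
    token = base64url_encode(build_payload(CONSTRUCTED_KEY_ID, b"\x00" * 64))
    print("key id in payload:", parse_payload(base64url_decode(token))["key_id"])
    print("with key in ring:   ", diagnose(token, [CONSTRUCTED_KEY_ID]))
    print("with key missing:   ", diagnose(token, []))
```

To use it against a real failure, run `diagnose()` on one of the stored ciphertexts and pass the `id` values of the `<key>` elements in the persisted key table; `key_present_integrity_check_failed` matches the trace in the question and points at the stored ciphertext or key material rather than at key rotation.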



0 Answers