question

Asked by RobertCrockett-0890

CNG encrypting in 32 bit and decrypting in 64 bit

We have some security interactions where our installer creates an encrypted file and our Windows service reads that file. The installer is InnoSetup which is a 32 bit application and the service is 64 bit. When the service decrypts the file we get:

"System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed"

If the installer encrypts the file it can successfully decrypt it. If we use a 64 bit test application to create the file the service can successfully read it.

Since the user who creates the file (must be admin) is different from the user who reads the file (LocalService account), we are using machine key based encryption/decryption.


using System.Security.Cryptography;

private static CngProvider keyStorageProvider = CngProvider.MicrosoftSoftwareKeyStorageProvider;
...
// Create the persisted, machine-wide key once; any account on the machine can open it afterwards.
if (!CngKey.Exists(KeyName, keyStorageProvider, CngKeyOpenOptions.MachineKey))
{
    CngKeyCreationParameters keyCreationParameters = new CngKeyCreationParameters()
    {
        ExportPolicy = CngExportPolicies.AllowPlaintextExport,
        KeyCreationOptions = CngKeyCreationOptions.MachineKey | CngKeyCreationOptions.OverwriteExistingKey,
        Provider = keyStorageProvider
    };
    CngKey.Create(new CngAlgorithm("AES"), KeyName, keyCreationParameters);
}
// Open the persisted key as an AES instance; the defaults are CBC mode with PKCS7 padding.
Aes aes = new AesCng(KeyName, keyStorageProvider, CngKeyOpenOptions.MachineKey);

Is the issue likely to be the bitness? How could we work around it?


@RobertCrockett-0890
Would it help if you set aes.Padding to Zeros or None?

1 Vote

I did try that. But it turns out the installer was overwriting the file with a version from a different machine, which of course had a different machine key. As far as I can tell there are no issues with using a 32 bit process and reading with a 64 bit process. Thanks for your help.

0 Votes

I thought it might be something like this, even though I am not using IIS. I read somewhere that the machine-level config files are different between 32-bit processes and 64-bit. I don't know if that is true. Anyway, the whole thing turned out to be a red herring. Thanks for your help.

0 Votes
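The question's setup and the root cause found in the comments (a file copied from a machine with a different machine key, which CBC can only report as a padding error) can be made self-diagnosing. This is a constructed example, not the asker's code: it prefixes each file with a short key check value derived from the persisted key, so a file encrypted under another machine's key fails with a clear error before decryption is attempted. The key name and the file layout are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
// Constructed example, not the asker's code. File layout: [4-byte key check value][16-byte IV][AES-CBC ciphertext].
static class MachineKeyFile
{
    const string KeyName = "ExampleServiceKey"; // hypothetical persisted key name
    static readonly CngProvider Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider;

    static AesCng OpenKey()
    {
        if (!CngKey.Exists(KeyName, Provider, CngKeyOpenOptions.MachineKey))
            CngKey.Create(new CngAlgorithm("AES"), KeyName, new CngKeyCreationParameters
            {
                KeyCreationOptions = CngKeyCreationOptions.MachineKey, // one key for every account on this machine
                Provider = Provider
            });
        // The same persisted key is opened whether the caller is a 32-bit or a 64-bit process.
        return new AesCng(KeyName, Provider, CngKeyOpenOptions.MachineKey);
    }
    // Key check value: first 4 bytes of AES_K(zero block). Identifies the key without exporting it.
    static byte[] KeyCheckValue(Aes aes)
    {
        aes.IV = new byte[16];
        using (var enc = aes.CreateEncryptor())
            return enc.TransformFinalBlock(new byte[16], 0, 16).Take(4).ToArray();
    }
    public static byte[] Encrypt(byte[] plaintext)
    {
        using (var aes = OpenKey())
        {
            byte[] kcv = KeyCheckValue(aes);
            aes.GenerateIV(); // fresh IV per file, stored in the clear after the KCV
            using (var enc = aes.CreateEncryptor())
                return kcv.Concat(aes.IV).Concat(enc.TransformFinalBlock(plaintext, 0, plaintext.Length)).ToArray();
        }
    }
    public static byte[] Decrypt(byte[] file)
    {
        using (var aes = OpenKey())
        {
            if (file.Length < 20 || !KeyCheckValue(aes).SequenceEqual(file.Take(4)))
                throw new InvalidOperationException("Not encrypted under this machine's key (file copied from another machine?)");
            aes.IV = file.Skip(4).Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(file, 20, file.Length - 20);
        }
    }
}
```

The check value only distinguishes keys; like the original, the ciphertext itself is unauthenticated CBC, so a modified file still surfaces as a padding or garbage-plaintext error rather than a verified integrity failure.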

0 Answers