ASP.NET 2.0 Encryption Changes
Dozing Dogs CMS uses TripleDES encryption quite often internally, but the latest ASP.NET 2.0 beta has subtly started enforcing some rules that weren't clear to me in 1.0.
As a result, we get a new exception being thrown under some versions of 2.0 beta:
"Specified initialization vector (IV) does not match the block size for this algorithm"
In simple terms, we use Guids for the Key and IV like this:
// Key and IV are stored as Guid strings in the settings
Guid KeyValue = new Guid(DAL.StringSetting("EncryptionKey"));
Guid IVValue = new Guid(DAL.StringSetting("EncryptionIV"));
// Guid.ToByteArray() always returns 16 bytes (128 bits)
byte[] key = KeyValue.ToByteArray();
byte[] iv = IVValue.ToByteArray();
tripledes.CreateEncryptor(key, iv); // this throws in 2.0
This works in ASP.NET 1.x, but there's a problem with this code. It passes in 128 bits each for the key and the IV, where the code requires 192 and 64 bits respectively!
In ASP.NET 1.1 they must have programmed defensively and coped with this, but in 2.0 they throw if you don't pass in the correct number of bits.
So we changed our code to pass in modified versions of our Guids, and all is well.
P.S. We tried copying half of the Guid into the latter 64 bits, but got a different error, "Specified key is a known weak key for TripleDES", because of the repeated bytes. Very slick. If you see this, make sure you don't repeat bytes.
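An added example (not code from Dozing Dogs CMS or from this post): a check that asks the TripleDES object for its legal key sizes and block size, and tests for a weak key, before CreateEncryptor is called. The class name, the Check helper and the sample byte arrays are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class TripleDesMaterialCheck   // hypothetical name, not from the CMS
{
    // Returns null when key and IV are usable, otherwise the reason they are not.
    static string Check(TripleDES alg, byte[] key, byte[] iv)
    {
        if (!alg.ValidKeySize(key.Length * 8))
            return "key is " + (key.Length * 8) + " bits, not a legal key size";
        if (iv.Length * 8 != alg.BlockSize)
            return "IV is " + (iv.Length * 8) + " bits, block size is " + alg.BlockSize;
        if (TripleDES.IsWeakKey(key))
            return "key is a known weak key for TripleDES";
        return null;
    }

    static void Main()
    {
        using (TripleDES alg = TripleDES.Create())
        {
            alg.GenerateKey();   // random key of the algorithm's default size
            alg.GenerateIV();    // random IV of exactly one block
            byte[] key = alg.Key, iv = alg.IV;

            // Constructed sample 1: a Guid used as the IV is 16 bytes, not one block.
            byte[] guidIv = Guid.NewGuid().ToByteArray();
            Console.WriteLine(Check(alg, key, guidIv) ?? "ok");

            // Constructed sample 2: second 8-byte block copied from the first.
            byte[] repeated = (byte[])key.Clone();
            Array.Copy(repeated, 0, repeated, 8, 8);
            Console.WriteLine(Check(alg, repeated, iv) ?? "ok");

            // Generated material passes the check, and CreateEncryptor accepts it.
            Console.WriteLine(Check(alg, key, iv) ?? "ok");
            using (ICryptoTransform enc = alg.CreateEncryptor(key, iv))
                Console.WriteLine("encryptor created");
        }
    }
}
```

Running the same check when the stored settings are loaded reports a wrongly sized or weak value before CreateEncryptor is reached.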