I've spent the last few days creating a file encryption / decryption class based on the Rijndael encryption standard available through the RijndaelManaged class and have scoured all the resources and examples I could find. The examples were either outdated, broken or limited but have at least managed to learn a lot and thought that I'd post an up to date version of it after ensuring it was robust and past your critique.
The only gotcha I've found so far is that the salt needs to be known as there's no way of storing it within the encrypted file like you would do for a string unless you convert the per byte read/write to a buffer based read/write but then you'd need to cater for that on decryption and would also need at least 4 bytes of data to encrypt (though I don't really see this as an issue but does need to be mentioned).
I'm also not entirely sure whether 1 salt would suffice for both the key and initialisation vector or if two is better for security reasons?
Any other observations and / or optimisations would also be much appreciated
class FileEncDec
{
private int keySize;
private string passPhrase;
internal FileEncDec( int keySize = 256, string passPhrase = @"This is pass phrase key to use for testing" )
{
this.keySize = keySize;
this.passPhrase = passPhrase; // Can be user selected and must be kept secret
}
private static byte[] GenerateSalt( int length )
{
byte[] salt = new byte[ length ];
// Populate salt with cryptographically strong bytes.
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetNonZeroBytes( salt );
// Split salt length (always one byte) into four two-bit pieces and store these pieces in the first four bytes
// of the salt array.
salt[ 0 ] = (byte)( ( salt[ 0 ] & 0xfc ) | ( length & 0x03 ) );
salt[ 1 ] = (byte)( ( salt[ 1 ] & 0xf3 ) | ( length & 0x0c ) );
salt[ 2 ] = (byte)( ( salt[ 2 ] & 0xcf ) | ( length & 0x30 ) );
salt[ 3 ] = (byte)( ( salt[ 3 ] & 0x3f ) | ( length & 0xc0 ) );
return salt;
}
internal bool EncryptFile( string inputFile, string outputFile )
{
try
{
byte[] salt = GenerateSalt( 16 ); // Salt needs to be known for decryption (can be safely stored in the file)
Rfc2898DeriveBytes derivedBytes = new Rfc2898DeriveBytes( passPhrase, salt, 10000 );
int bytesRead, bufferSize = keySize / 8;
byte[] data = new byte[ bufferSize ];
RijndaelManaged cryptor = new RijndaelManaged();
cryptor.Key = derivedBytes.GetBytes( keySize / 8 );
cryptor.IV = derivedBytes.GetBytes( cryptor.BlockSize / 8 );
using ( var fsIn = new FileStream( inputFile, FileMode.Open, FileAccess.Read, FileShare.Read, 4096, FileOptions.SequentialScan ) )
{
using ( var fsOut = new FileStream( outputFile, FileMode.Create, FileAccess.Write, FileShare.None, 4096, FileOptions.SequentialScan ) )
{
// Add the salt to the file
fsOut.Write( salt, 0, salt.Length );
using ( CryptoStream cs = new CryptoStream( fsOut, cryptor.CreateEncryptor(), CryptoStreamMode.Write ) )
{
while ( ( bytesRead = fsIn.Read( data, 0, bufferSize ) ) > 0 )
{
cs.Write( data, 0, bytesRead );
}
}
}
}
return true;
}
catch ( Exception )
{
return false;
}
}
internal bool DecryptFile( string inputFile, string outputFile )
{
try
{
int bytesRead = 0, bufferSize = keySize / 8, saltLen;
byte[] data = new byte[ bufferSize ], salt;
Rfc2898DeriveBytes derivedBytes;
RijndaelManaged cryptor = new RijndaelManaged(); // Create new cryptor so it's thread safe and don't need to use locks
using ( var fsIn = new FileStream( inputFile, FileMode.Open, FileAccess.Read, FileShare.Read, 4096, FileOptions.SequentialScan ) )
{
// Retrieve the salt length from the file
fsIn.Read( data, 0, 4 );
saltLen = ( data[ 0 ] & 0x03 ) |
( data[ 1 ] & 0x0c ) |
( data[ 2 ] & 0x30 ) |
( data[ 3 ] & 0xc0 );
salt = new byte[ saltLen ];
Array.Copy( data, salt, 4 );
// Retrieve the remaining salt from the file and create the cryptor
fsIn.Read( salt, 4, saltLen - 4 );
derivedBytes = new Rfc2898DeriveBytes( passPhrase, salt, 10000 );
cryptor.Key = derivedBytes.GetBytes( keySize / 8 );
cryptor.IV = derivedBytes.GetBytes( cryptor.BlockSize / 8 );
using ( var fsOut = new FileStream( outputFile, FileMode.Create, FileAccess.Write, FileShare.None, 4096, FileOptions.SequentialScan ) )
{
using ( var cs = new CryptoStream( fsIn, cryptor.CreateDecryptor(), CryptoStreamMode.Read ) )
{
while ( ( bytesRead = cs.Read( data, 0, bufferSize ) ) > 0 )
{
fsOut.Write( data, 0, bytesRead );
}
}
}
}
return true;
}
catch ( Exception )
{
return false;
}
}
}
Edit:
1. Added salt generator.
2. Refactored to single salt
and Rfc2898DerivedBytes
and now deduce IV
from password
+ salt
.
3. Made encryption / decryption thread safe (if I didn't do it correctly please let me know).
Edit 2:
1. Refactored so that reading / writing makes use of buffers instead of single byte read / write.
2. Embedded salt within the encrypted file and cleaned up variables (but still allows passPhrase
default for "copy/paste" example.
3. Refactored file handles.
You probably should use a different IV each time. If you use the same IV with the same data the result is the same. Attackers can now deduce that files are (partially) the same which is a leak. You can generate 16 strongly random bytes and use them as the salt for
Rfc2898DeriveBytes
. Prepend those bytes to the file. Use only oneRfc2898DeriveBytes
to generate both IV and key. Alternatively, you can use no salt at all for the key and randomly generate the IV. The salt can be used to make the key derivation unique to your use case, or for example to give each user of your app a different key derivation algorithm.Note, that processing streams byte-wise is extremely slow. Use buffers. Probably, you should use
Stream.Copy
.