MSDN AES Sample Secure? I don't see it.


Donald Adams

Hi,

Excuse my ignorance but how is this secure? If I take the enciphered text and
apply the 3 keysizes to decipher it, I'm bound to get the original.
Shouldn't there be a key string I can type that a hacker wouldn't know? The
only other thing I'd have to know is the byte size and I can loop that with
the 3 keysizes.

See MSDN's sample code below.

Thanks in Advance,
Donald


private Aes.KeySize keysize;

// Encrypt: textBox1 -> textBox2
private void button1_Click(object sender, System.EventArgs e)
{
    if (radioButton1.Checked)
        keysize = Aes.KeySize.Bits128;
    else if (radioButton2.Checked)
        keysize = Aes.KeySize.Bits192;
    else
        keysize = Aes.KeySize.Bits256;

    byte[] plainText = new byte[16];
    byte[] cipherText = new byte[16];

    plainText = Encoding.Unicode.GetBytes(textBox1.Text.PadRight(8,' '));
    // The key argument is new byte[16]: a zero-filled array, not a secret.
    AesLib.Aes a = new Aes(keysize, new byte[16]);
    a.Cipher(plainText, cipherText);
    textBox2.Text = Encoding.Unicode.GetString(cipherText);
} // button1_Click()

// Decrypt: textBox2 -> textBox3
private void button2_Click(object sender, System.EventArgs e)
{
    if (radioButton1.Checked)
        keysize = Aes.KeySize.Bits128;
    else if (radioButton2.Checked)
        keysize = Aes.KeySize.Bits192;
    else
        keysize = Aes.KeySize.Bits256;

    byte[] cipherText = new byte[17];
    byte[] decipheredText = new byte[17];

    cipherText = Encoding.Unicode.GetBytes(textBox2.Text);
    // Again a zero-filled array is passed as the key.
    AesLib.Aes a = new Aes(keysize, new byte[17]);
    a.InvCipher(cipherText, decipheredText);
    textBox3.Text = Encoding.Unicode.GetString(decipheredText);
} // button2_Click()
 
I don't think they are trying to be secure, I think they are just trying to show
how to use the API. Unfortunately, when you are talking about a cryptography API
then your sample should be secure as you suggest, IMO. The KB and MSDN are
riddled with source code that teaches usage of some API without enforcing the
principles behind why the API is used or was created in the first place. This is,
however, a rant, and I've done plenty of that on my blog lately in regards to
several articles.
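Added example, not part of the original thread or the MSDN sample: the zero-filled key pattern from the posted code next to a passphrase-derived key, which is the "key string" the question asks about. It assumes .NET 8 and uses the built-in System.Security.Cryptography classes in place of the sample's AesLib; the class and method names, the passphrase, the sample text and the PBKDF2 iteration count are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyedAesDemo
{
    // Pattern from the posted sample: the "key" is new byte[16], i.e. all zeros.
    static byte[] ZeroKeyEncrypt(string text)
    {
        using var aes = Aes.Create();
        aes.Key = new byte[16];                       // no secret at all
        return aes.EncryptEcb(Encoding.Unicode.GetBytes(text), PaddingMode.PKCS7);
    }

    // Hardened form: 256-bit key derived from a passphrase with a per-message salt.
    static byte[] Derive(string pass, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(pass, salt, 600_000, HashAlgorithmName.SHA256, 32);

    static (byte[] salt, byte[] nonce, byte[] ct, byte[] tag) Seal(string pass, string text)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);   // fresh nonce per message
        byte[] pt = Encoding.Unicode.GetBytes(text);
        byte[] ct = new byte[pt.Length], tag = new byte[16];
        using var gcm = new AesGcm(Derive(pass, salt), 16);
        gcm.Encrypt(nonce, pt, ct, tag);
        return (salt, nonce, ct, tag);
    }

    static string Open(string pass, (byte[] salt, byte[] nonce, byte[] ct, byte[] tag) m)
    {
        byte[] pt = new byte[m.ct.Length];
        using var gcm = new AesGcm(Derive(pass, m.salt), 16);
        gcm.Decrypt(m.nonce, m.ct, m.tag, pt);        // throws if key or data is wrong
        return Encoding.Unicode.GetString(pt);
    }

    static void Main()
    {
        byte[] weak = ZeroKeyEncrypt("secret!!");     // constructed sample input
        using var aes = Aes.Create();
        aes.Key = new byte[16];                       // the same zeros are known to everyone
        Console.WriteLine(Encoding.Unicode.GetString(aes.DecryptEcb(weak, PaddingMode.PKCS7)));
        var msg = Seal("correct horse battery staple", "secret!!");
        Console.WriteLine(Open("correct horse battery staple", msg));
        try { Open("wrong guess", msg); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase rejected"); }
    }
}
```

The salt, nonce and tag are not secret and are stored alongside the ciphertext; only the passphrase has to stay private.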
 