TripleDES：指定的键是“TripleDES”的已知弱键，不能使用 [英] TripleDES: Specified key is a known weak key for 'TripleDES' and cannot be used

问题描述

我使用.NET 3.0类 System.Security.Cryptography.MACTripleDES 类来生成MAC值。不幸的是，我使用的硬件设备使用 1111111111111111 （十六进制）作为单长度DES密钥。 System.Security.Cryptography 库会对密钥进行一些正确性检查，如果您尝试使用密码较弱的密钥，则会返回一个异常。

I'm using the .NET 3.0 class System.Security.Cryptography.MACTripleDES class to generate a MAC value. Unfortunately, I am working with a hardware device that uses "1111111111111111" (as hex) as a single-length DES key. The System.Security.Cryptography library does some sanity checking on the key and returns a Exception if you try to use a cryptographically weak key.

例如：

byte[] key = new byte[24];
for (int i = 0; i < key.Length; i++)
  key[i] = 0x11;

byte[] data = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] computedMac = null;
using (MACTripleDES mac = new MACTripleDES(key))
{
  computedMac = mac.ComputeHash(data);
}

引发异常

System.Security.Cryptography.CryptographicException : Specified key is a known weak key for 'TripleDES' and cannot be used.

我知道这不是一个安全的密钥。在生产中，设备将使用新的安全密钥闪存。同时，有没有办法禁止这个异常被抛出？也许 app.config 或注册表设置？

I know this is not a secure key. In production, the device will be flashed with a new, secure key. In the mean time, is there any way to inhibit this Exception from being thrown? Perhaps an app.config or registry setting?

编辑：键实际上是101010 ...由于该算法强制奇校验。我不知道这是否是通用的DES算法或只是一个要求在支付处理工作，我做。

The key would actually be 101010... due to the algorithm forcing odd parity. I'm not sure if this is universal to the DES algorithm or just a requirement in the payment processing work I do.

编辑2：丹尼尔的答案下面有一些非常好有关黑客.NET的信息。不幸的是，我无法使用这种技术解决我的问题，但仍然有一些有趣的阅读。

Edit 2: Daniel's answer below has some very good information about hacking .NET. Unfortunately, I wasn't able to solve my problem using this technique, but there is still some interesting reading there.

推荐答案

使用MACTripleDES与DES密钥重复伪造单个DES CBC-MAC，您可以自己在 DESCryptoServiceProvider 。

Instead of using MACTripleDES with the DES key repeated to fake a single DES CBC-MAC, you could just implement CBC-MAC yourself on top of DESCryptoServiceProvider.

< 1111111111111111>不是弱DES密钥。

<1111111111111111> is not a weak DES key.

这将计算DES CBC-MAC：

This will calculate a DES CBC-MAC:

public static byte[] CalcDesMac(byte[] key, byte[] data){
        DESCryptoServiceProvider des = new DESCryptoServiceProvider();
        des.Key = key;
        des.IV = new byte[8];
        des.Padding = PaddingMode.Zeros;
        MemoryStream ms = new MemoryStream();
        using(CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write)){
          cs.Write(data, 0, data.Length);
        }
        byte[] encryption = ms.ToArray();
        byte[] mac = new byte[8];
        Array.Copy(encryption, encryption.Length-8, mac, 0, 8);
        PrintByteArray(encryption);
        return mac;
    }

这篇关于TripleDES：指定的键是“TripleDES”的已知弱键，不能使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！