Persisted-key AesCng in CFB mode always uses CFB8

[vcsjones]

Description

When using AesCng with the CipherMode in CFB mode with a persisted CNG key, it appears that CFB8 is always used for the actual feedback size, even if FeedbackSize is set to 128.

Steps to reproduce:

Run the following snippet (with package reference to System.Security.Cryptography.Cng):

using System;
using System.Security.Cryptography;

// Create the key
CngAlgorithm aesAlgorithm = new CngAlgorithm("AES");
CngKeyCreationParameters opts =  new CngKeyCreationParameters
{
    ExportPolicy = CngExportPolicies.AllowPlaintextExport,
};

try
{
    CngKey key = CngKey.Create(aesAlgorithm, "potato-key", opts);
    key.Dispose();
}
catch (CryptographicException ce) when ((uint)ce.HResult == 0x8009000F)
{
    // Don't worry about the key already existing.
}

static byte[] Encrypt(Aes aes, int feebackSizeBits)
{
    aes.FeedbackSize = feebackSizeBits;
    aes.Mode = CipherMode.CFB;
    aes.Padding = PaddingMode.PKCS7;
    aes.IV = new byte[aes.BlockSize / 8];

    var input = new byte[] { 1, 2, 3, 4, 5 };
    using ICryptoTransform transform = aes.CreateEncryptor();
    byte[] result = transform.TransformFinalBlock(input, 0, input.Length);
    return result;
}

AesCng cng = new AesCng("potato-key");
Aes aes = Aes.Create();
aes.Key = cng.Key;

byte[] cng8Result = Encrypt(cng, 8);
byte[] aes8Result = Encrypt(aes, 8);

Console.WriteLine("CNG  8: " + Convert.ToHexString(cng8Result));
Console.WriteLine("AES  8: " + Convert.ToHexString(aes8Result));


byte[] cng128Result = Encrypt(cng, 128);
byte[] aes128Result = Encrypt(aes, 128);

Console.WriteLine("CNG128: " + Convert.ToHexString(cng128Result));
Console.WriteLine("AES128: " + Convert.ToHexString(aes128Result));

It will produce an output that looks something like this. The output will be different from this one since the code generates a key, but this illustrates the pattern.

CNG  8: 3CF1DB609559
AES  8: 3CF1DB609559
CNG128: 3CF1DB6095538DD2611E7FBC7531083C
AES128: 3CD079280665EE399880253D9B40D035

AesCng and Aes.Create() agree for CFB8. However for CFB128, the results do not agree. The CNG128 line differs from the AES128 line. In this case, the CNG128 line's first 5 bytes match the result of CNG8, indicating CFB8 was actually used for the encryption, however it was padded as if CFB128 were used.

Configuration

Occurs in .NET 5 and main on all versions of Windows.

Other information

I suspect this is also the same for TripleDESCng with CFB64.

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

When using AesCng with the CipherMode in CFB mode with a persisted CNG key, it appears that CFB8 is always used for the actual feedback size, even if FeedbackSize is set to 128.

Steps to reproduce:

Run the following snippet (with package reference to System.Security.Cryptography.Cng):

using System;
using System.Security.Cryptography;

// Create the key
CngAlgorithm aesAlgorithm = new CngAlgorithm("AES");
CngKeyCreationParameters opts =  new CngKeyCreationParameters
{
    ExportPolicy = CngExportPolicies.AllowPlaintextExport,
};

try
{
    CngKey key = CngKey.Create(aesAlgorithm, "potato-key", opts);
    key.Dispose();
}
catch (CryptographicException ce) when ((uint)ce.HResult == 0x8009000F)
{
    // Don't worry about the key already existing.
}

static byte[] Encrypt(Aes aes, int feebackSizeBits)
{
    aes.FeedbackSize = feebackSizeBits;
    aes.Mode = CipherMode.CFB;
    aes.Padding = PaddingMode.PKCS7;
    aes.IV = new byte[aes.BlockSize / 8];

    var input = new byte[] { 1, 2, 3, 4, 5 };
    using ICryptoTransform transform = aes.CreateEncryptor();
    byte[] result = transform.TransformFinalBlock(input, 0, input.Length);
    return result;
}

AesCng cng = new AesCng("potato-key");
Aes aes = Aes.Create();
aes.Key = cng.Key;

byte[] cng8Result = Encrypt(cng, 8);
byte[] aes8Result = Encrypt(aes, 8);

Console.WriteLine("CNG  8: " + Convert.ToHexString(cng8Result));
Console.WriteLine("AES  8: " + Convert.ToHexString(aes8Result));


byte[] cng128Result = Encrypt(cng, 128);
byte[] aes128Result = Encrypt(aes, 128);

Console.WriteLine("CNG128: " + Convert.ToHexString(cng128Result));
Console.WriteLine("AES128: " + Convert.ToHexString(aes128Result));

It will produce an output that looks something like this. The output will be different from this one since the code generates a key, but this illustrates the pattern.

CNG  8: 3CF1DB609559
AES  8: 3CF1DB609559
CNG128: 3CF1DB6095538DD2611E7FBC7531083C
AES128: 3CD079280665EE399880253D9B40D035

AesCng and Aes.Create() agree for CFB8. However for CFB128, the results do not agree. The CNG128 line differs from the AES128 line. In this case, the CNG128 line's first 5 bytes match the result of CNG8, indicating CFB8 was actually used for the encryption, however it was padded as if CFB128 were used.

Configuration

Occurs in .NET 5 and main on all versions of Windows.

Other information

I suspect this is also the same for TripleDESCng with CFB64.

Author:	vcsjones
Assignees:	-
Labels:	area-System.Security, bug
Milestone:	-

[vcsjones]

I'm not sure persisted CNG keys can set the feedback size. There does not seem to be an equivalent of BCRYPT_MESSAGE_BLOCK_LENGTH for NCrypt keys. Attempting to do it anyway fails with an NTSTATUS of not supported.

CngAlgorithm aesAlgorithm = new CngAlgorithm("AES");
CngKeyCreationParameters opts =  new CngKeyCreationParameters
{
    ExportPolicy = CngExportPolicies.AllowPlaintextExport,
    KeyCreationOptions = CngKeyCreationOptions.OverwriteExistingKey,

};

opts.Parameters.Add(new CngProperty("MessageBlockLength", BitConverter.GetBytes(128 / 8), CngPropertyOptions.None));

I don't think we should leave things as-is, but the only thing we might be able to do is throw when the feedback size != 8 for persisted AES keys.

[vcsjones]

Perhaps a solution:

1. Make CFB128 and CFB64 throw NotSupportedException or CryptographicException for persisted CNG keys.
2. Folks that want to be able to go back to the existing behavior can get pretty close by setting FeedbackSize to 8. Since .NET Framework also produced block-length padded CFB8, the .NET 5 CFB decryption can handle the extra padding that it is currently producing (that is my recollection, need a test to confirm). Newly encrypted data will be padded with CFB8 though. So while it is a breaking change, they just need to change the feedback size to un-break.

I don't have a good feel for how popular it is to use AesCng with persisted keys, let alone in CFB128 mode. My instinct tells me very few. I would imagine the blast radius would be fairly small, but perhaps there is a popular use-case that I am not thinking of.

Obviously a preferred alternative to point 1 would be to "make it work", but I have so far been unable to do so.

[bartonjs]

I've reached out to the CNG team to see if there's something we're not seeing in how to make it work. Otherwise, yeah, probably make it throw.

[bartonjs]

I don't have a good feel for how popular it is to use AesCng with persisted keys

According to the telemetry data I have access to: We have literally never seen this occur outside of our tests.

let alone in CFB128 mode

Still zero, clearly 😄.

I've reached out to the CNG team to see if there's something we're not seeing in how to make it work.

They agree it doesn't seem possible. So, throwing it is.

[vcsjones]

I don't have a good feel for how popular it is to use AesCng with persisted keys

According to the telemetry data I have access to: We have literally never seen this occur outside of our tests

I'm going to take a wild guess and assume TripleDESCng isn't any popular.

[bartonjs]

I'm going to take a wild guess and assume TripleDESCng isn't any [more] popular.

Yeah, I looked at that one after hitting Comment. It was equally zero for the named key ctors. (Which could be due to poor sampling, but I'm willing to believe it's zero-to-epsilon usage)