SecureString With SecureKey Issues

Question

I have below code which works without any error.

SaveKeyPass.ps1 is storing an secure key (encrypted) and password (encrypted using the securekey)
GetKeyPass.ps1 gets the secure key and password from files then decrypts secure key and in the last decrypts the password using the decrypted securekey.

SaveKeyPass.ps1

$key = "1234567891234567" 
$textPassword = "securekey-textpassword"
$securePassword = ConvertTo-SecureString $textPassword -AsPlainText -Force
$secureKey = ConvertTo-SecureString $Key -AsPlainText -Force
$encryptedKey = ConvertFrom-SecureString $SecureKey -Key (1..16)
$encryptedPassword = ConvertFrom-SecureString  $SecurePassword -SecureKey $decryptedSecureKeyFromFile
$encryptedKey | Out-File "C:\temp\securekey-enckey.txt"
$encryptedPassword | Out-File "C:\temp\securekey-encpass.txt"


Write-Host "Key: $Key"
Write-Host "Text Password: $textPassword"
Write-Host "Encrypted Password: $encryptedPassword"
Write-Host "Encrypted Key: $encryptedKey"

GetKeyPass.ps1

$key = ""
$textPassword = ""
$encryptedPasswordFromFile = ""
$encryptedKeyFromFile = ""
$secureDecryptedPassword = ""
$BSTR1= ""
$BSTR2= ""
$encryptedKeyFromFile = Get-Content "C:\temp\securekey-enckey.txt"
$encryptedPasswordFromFile = Get-Content "C:\temp\securekey-encpass.txt"
$secureDecryptedKey = ConvertTo-SecureString $encryptedKeyFromFile -Key (1..16)
$secureDecryptedPassword = ConvertTo-SecureString  $encryptedPasswordFromFile -SecureKey $secureDecryptedKey


$BSTR1 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureDecryptedPassword)
$textPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR1)

$BSTR2 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureDecryptedKey)
$key = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR2)


Write-Host "Key: $key"
Write-Host "Text Password: $textPassword"
Write-Host "Encrypted Password: $encryptedPasswordFromFile"
Write-Host "Encrypted Key: $encryptedKeyFromFile"

Issue 1:

If I change first line (only last digit changed from 7 to 8) in SaveKeyPass.ps1 to and execute this script
$key = "1234567891234568"  
and subsequently execute GetKeyPass.ps1 I get this error
ConvertTo-SecureString : Padding is invalid and cannot be removed.
At [**]:11 char:28

Issue 2:

If I change first line (key length changed from 16 bytes to 32 bytes) in SaveKeyPass.ps1 to and execute this script
$key = "12345678912345671234567891234567"  
and subsequently execute GetKeyPass.ps1 I get this error
The specified key is not valid. Valid key length settings are either 128 bits, 192 bits, or 256 bits.
At [**]:11 char:28

I am really clueless on what is going on? In issue 1 only one digit is changed , so not sure where from padding exception is thrown. In issue 2 I have 32 byte (256 bits) key, but the exception is complaining about incorrect length of key.

Any help would be appreciated. Thanks for reading!

As Mathias pointed out your issue is on the 11th line and seems to stem from a runtime variable not referenced in your code. — Djarid, Mar 30 '16 at 11:18

score 0 · Accepted Answer · answered Mar 31 '16 at 09:28

Thanks Martin and Djarid for the spot, I have corrected the line 11 in SaveKeyPass.ps1 to

$encryptedPassword = ConvertFrom-SecureString  $SecurePassword -SecureKey $secureKey

Which has resolved Issue 1 fully and Issue 2 partially. For Issue 2:

I noticed that 1 char/digit in key is 16 bits (possibly on my 64 bit machines) that means "12345678912345671234567891234567" is 512 bits instead of 256 bits which I assumed thinking 1 char/digit is of 8 byte. Therefore this breaches the max length requirement of the key and fails.

That means If I provide 8,12,16 chars in key they are 128 bits, 192 bits, and 256 bits respectively.

It has nothing to do with your machine. Strings inside PowerShell are 16-bit Unicode, instances of .NET’s System.String class. — Mario Majcica, Nov 03 '17 at 09:47

SecureString With SecureKey Issues

1 Answers1