Random characters at beginning of decrypted data

Question

I am using a TADOQuery component in Delphi to read the contents of a column in a database which have been encrypted by a 3rd party .net application using RijndaelManaged algorithm. I have "sucessfully" decrypted the data back to its original XML format but there are random characters at the beginning of decrypted data.

?_????g???M.0"?>
<template xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="846aaa43-dc42-4bc7-98bd-bf643fd324cb" xmlns="http://web.net/schema">
    etc, etc, etc...

I have a feeling that this is the BOM but cannot figure a way of ignoring it during the reading / decrypting of the data.

I read the data like this:

tmpMemoryStream : TMemoryStream;
Result : TByteArray; (array of byte)

tmpMemoryStream := TMemoryStream.Create;
tmpMemoryStream.LoadFromStream( ADOQuery1.CreateBlobStream(ADOQuery1.FieldByName('Design'), bmRead) );

setLength(Result, tmpMemoryStream.Size);
tmpMemoryStream.Read(Result, 0, tmpMemoryStream.size);

The resulting byte array is then passed to a function that decrypts the data.

Thanks in advance.

EDIT 1

Each encrypted file has the same header which looks like this:

A9 CD AA F5 AE 36 04 2F 04 2A A5 2F CE EF B0 83 C4 97 F7 CA 26 F7 28 ED F8 C3 26 F4 57 D5 CB EA 36 10 F9 9B A6 CE F2 67 6B 47 B9 16 6E A7 41 14 A2 CD 99 88 51 17 67 03 C0 C4 66 18 D6 2A 1F D2 DD 5F 24 83 14 87 96 35 90 B6 70 F1 E6 51 BD 7A AB 41 86 E8 4D F4 E0 B7 D4 0A 22 DA 26 BD 54 D4 DE D1 23 36 BE D8 C8 D9 EC D8 5B 0E 0B 1D BE D8 A3 BD B7 E4 37 40 EB 86 76 85 E5 F7 15 87 EB 47

The garbled first part of the decrypted data changes with each file, but as an example, looks like this:

3F 3F 3F 3F 3F 36 04 2F 04 2A 3F 2F 3F 3F 3F 3F 3F 3F 3F 3F 26 3F 28 3F 3F 3F 26 3F 57 3F 3F 3F 36 10 3F 3F 3F 3F 3F 67 6B 47 3F 16 6E 3F 41 14 3F 3F 3F 3F 51 17 67 03 3F 3F 66 18 3F 2A 1F 3F 3F 5F 24 3F 14 3F 3F 35 3F 3F 70 3F 3F 51 3F 7A 3F 41 3F 3F 4D 3F 3F 3F 3F 0A 22 3F 26 3F 54 3F 3F 3F 23 36 3F 3F 3F 3F 3F 3F 5B 0E 0B 1D 3F 3F 3F 3F 3F 3F 37 40 3F 3F 76 3F 3F 3F 15 3F 3F 47

EDIT 2 It was a problem with the IV... I was using the following code:

with myRijndaelManaged do
    begin
        BlockSize := 128;
        KeySize := 256;
        Key := myKey;
        IV := IV; <-- Should have been "myIV"
        Padding := PaddingMode.PKCS7;
        Mode := CipherMode.CBC;
    end;

Because it was in a with block, even though the IV variable wasn't set, it wasn't flagged as an error as it is a property of the myRijndaelManaged object. I changed IV to myIV which contained the correct byte array data.

Thanks for the pointer @bartonjs

First few bytes always the same? Perhaps encrypted content begins after that. — Sertac Akyuz, Dec 20 '16 at 22:55
Documentation does not mention it but the second parameter you pass to 'Read' is called "offset". I'd presume it is used to determine the starting position for reading. If not, advance by using 'Position' or 'Seek'. — Sertac Akyuz, Dec 20 '16 at 23:03
After decrypting - whatever it is you're getting that is unexpected *after* decrypting, which would allow us to see if it's a BOM or known signature of some sort. The ?_??? stuff you've posted doesn't provide any useful information. — Ken White, Dec 20 '16 at 23:23
@KenWhite - it changes with each data source. 3F 3F 19 52 5B 70 3F 2D 3F 3F 0A 3F 45 26 54 3F 2E 30 22 3F 3E 0D 0A — Gavin, Dec 20 '16 at 23:26
@KenWhite - Each encrypted file seems to have this header - 3F 3F 3F 3F 3F 36 04 2F 04 2A 3F 2F 3F 3F 3F 3F 3F 3F 3F 3F 26 3F 28 3F 3F 3F 26 3F 57 3F 3F 3F 36 10 3F 3F 3F 3F 3F 67 6B 47 3F 16 6E 3F 41 14 3F 3F 3F 3F 51 17 67 03 3F 3F 66 18 3F 2A 1F 3F 3F 5F 24 3F 14 3F 3F 35 3F 3F 70 3F 3F 51 3F 7A 3F 41 3F 3F 4D 3F 3F 3F 3F 0A 22 3F 26 3F 54 3F 3F 3F 23 36 3F 3F 3F 3F 3F 3F 5B 0E 0B 1D 3F 3F 3F 3F 3F 3F 37 40 3F 3F 76 3F 3F 3F 15 3F 3F 47 — Gavin, Dec 20 '16 at 23:30
@kenWhite - Just realised that was from a ascii encoded byte array, this is the original stream header - A9 CD AA F5 AE 36 04 2F 04 2A A5 2F CE EF B0 83 C4 97 F7 CA 26 F7 28 ED F8 C3 26 F4 57 D5 CB EA 36 10 F9 9B A6 CE F2 67 6B 47 B9 16 6E A7 41 14 A2 CD 99 88 51 17 67 03 C0 C4 66 18 D6 2A 1F D2 DD 5F 24 83 14 87 96 35 90 B6 70 F1 E6 51 BD 7A AB 41 86 E8 4D F4 E0 B7 D4 0A 22 DA 26 BD 54 D4 DE D1 23 36 BE D8 C8 D9 EC D8 5B 0E 0B 1D BE D8 A3 BD B7 E4 37 40 EB 86 76 85 E5 F7 15 87 EB 47 — Gavin, Dec 20 '16 at 23:35
For goodness sake! Don't bury it in the comments - [edit] your question and put it there, where it can be formatted and read easily. This is information that is highly relevant to your question, and it belongs there. — Ken White, Dec 21 '16 at 00:38

score 3 · Accepted Answer · answered Dec 21 '16 at 01:06

3

This looks a rather lot like you are not setting the IV value during decryption, leading to the first 16 bytes having plaintext recovery problems.

For full recovery you need the cipher text, key, and original IV (for modes other than ECB).

answered Dec 21 '16 at 01:06

bartonjs

30,352
2
71
111

Random characters at beginning of decrypted data

1 Answers1