How Not to Encrypt a File — Courtesy of Microsoft

Use of DES for encryption

And no, I don’t mean 3DES, just plain DES. The one that can be brute forced in a single-digit number of days by a modern computer. Keep in mind the intended audience for this article isn’t cryptographers who know better, it’s programmers looking for a tutorial. It’s a good thing the Caesar shift isn’t available in their library or it would probably have ended up in this tutorial.

Suggestion to use the encryption key as the IV

This was the first in a series of data points which suggest that the author has no idea what an IV is or how it’s supposed to be used. This suggestion actually comes up more than once in the article; here are the offending passages:

DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);

Advice against using the library’s key and IV generation functionality

Using a single password as the key and the IV is a pretty terrible suggestion, but luckily the library has a method for generating a key and IV for you so you don’t mess it up. Unfortunately the author explicitly advises against it for a nonsensical reason.

IV not included with the ciphertext

This one is subtle because you have to either really follow the logic or try running the code yourself. This probably explains why the author treats the IV as if it’s another secret key.
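The three IV problems above (key reused as IV, the library’s random generation avoided, IV never shipped with the ciphertext) can be shown side by side in a few lines. The following is an added example written for this critique, not code from the tutorial or from Microsoft, and it is in Go rather than the tutorial’s C# so that it runs stand-alone with only the standard library. TutorialStyleEncrypt reproduces the criticised pattern (single DES, password bytes used as both key and IV); Encrypt and Decrypt show the corrected handling: AES-256 in CBC mode, an IV drawn from the OS random source, and the IV prepended to the ciphertext so the receiver never needs it as a second secret. The password "passw0rd" and the sample message are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad pads data to a whole number of blocks (CBC needs this).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// TutorialStyleEncrypt mirrors the pattern the post criticises: single DES with the
// 8-byte password used as both key and IV. Because the IV is fixed, the same
// plaintext always produces the same ciphertext, so equal files are visible as equal.
func TutorialStyleEncrypt(password string, plaintext []byte) ([]byte, error) {
	key := []byte(password) // DES requires exactly 8 bytes
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, key).CryptBlocks(out, padded) // IV == key
	return out, nil
}

// NewKey returns a fresh 32-byte AES-256 key from the OS random source.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt uses AES-256-CBC with a random IV and returns iv || ciphertext.
// The IV is not secret; it only has to be unpredictable and unique per message.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	iv := make([]byte, bs)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	copy(out, iv) // ship the IV with the data
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], padded)
	return out, nil
}

// Decrypt reads the IV back from the front of the blob, so the receiver needs
// only the key. A blob shorter than IV plus one block is rejected.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(blob) < 2*bs || len(blob)%bs != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	iv, ct := blob[:bs], blob[bs:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded, bs)
}

func main() {
	msg := []byte("the same secret message") // constructed sample input
	a, _ := TutorialStyleEncrypt("passw0rd", msg)
	b, _ := TutorialStyleEncrypt("passw0rd", msg)
	fmt.Println("tutorial style, identical output for identical input:", bytes.Equal(a, b))
	key, _ := NewKey()
	c1, _ := Encrypt(key, msg)
	c2, _ := Encrypt(key, msg)
	fmt.Println("random IV, identical output for identical input:", bytes.Equal(c1, c2))
	p, err := Decrypt(key, c1)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(p, msg))
}
```

Running it prints true for the tutorial-style pair and false for the random-IV pair: that difference is exactly what the IV is for. CBC by itself still gives no integrity protection, so in new code an authenticated mode such as AES-GCM (where the prepended value is a nonce) is the better default, but the IV handling shown here is the part the tutorial gets wrong.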

References get the IV wrong also

It may seem like I’m really raking this guy over the coals for his misunderstanding of what an IV is or how it’s used; after all this isn’t an article about block cipher modes or cryptographic keys, and it even links to a reference specifically about cryptographic keys. Surely that clears everything up, right? Right?? This is literally the second sentence in that article:
