We have a legacy ASP.NET site which uses the encryption methods here:

http://www.codekeep.net/snippets/af1cd375-059a-4175-93d7-25eea2c5c660.aspx

When we call the following method, the page loads very slowly and eventually Connection Reset is returned:

Decrypt(" ", true);

If the method is called multiple times in subsequent page requests, the Application Pool goes down.

This is occurring on a Windows 2008 server running .NET framework v3.5.

I narrowed the problem down to the TransformFinalBlock() call.

NOTE: on Cassini, I do not get a connection timeout; instead the following exception is thrown:

System.Security.Cryptography.CryptographicException: Bad Data

Calling Decrypt() for other strings causes no problems in any environment.

Why is this happening? Is it a bug in TripleDESCryptoServiceProvider?

Obviously, I could filter the cipherString to reject ” ” and avoid this particular issue. However, I am worried that some other cipherString values that I am not suspecting will cause the DoS.

UPDATE 2011.06.28

The following is the minimal code to reproduce the issue:

// problem occurs when toEncryptArray is an empty array {}
      byte[] toEncryptArray = {};

      MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
      byte[] keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes("dummy_key"));
      hashmd5.Clear();

      TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
      tdes.Key = keyArray;
      tdes.Mode = CipherMode.ECB;
      tdes.Padding = PaddingMode.PKCS7;
      ICryptoTransform cTransform = tdes.CreateDecryptor();

      // the following line can crashes the ASP.NET Application Pool (may need to call multiple times).
      byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

      tdes.Clear();