Ejemplo n.º 1
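        /// <summary>
        /// Undoes the two optional encryption passes (password/AES first, then the
        /// machine/user lock) and checks the 10-byte signature stored after the 20-byte token.
        /// </summary>
        /// <param name="encrypted">Stored blob. With <c>EncryptionType.None</c> it is returned unchanged and unverified.</param>
        /// <param name="encType">Flags that select which passes are undone.</param>
        /// <param name="userPassword">Passed to <c>AESDecrypt</c>; only read when the Password flag is set.</param>
        /// <returns>
        /// The 20-byte token, or <c>null</c> when a pass throws, the decrypted payload is missing or
        /// not exactly 30 bytes, or the signature does not match.
        /// </returns>
        public static byte[] Decrypt(byte[] encrypted, EncryptionType encType, string userPassword)
        {
            if (encType == EncryptionType.None)
            {
                // No layer and no signature on this path: the input is handed back as-is.
                return(encrypted);
            }

            // Decrypt second pass (AES/PBKDF2)
            byte[] secondPassDecrypt;

            if (encType.HasFlag(EncryptionType.Password))
            {
                try
                {
                    secondPassDecrypt = AESDecrypt(encrypted, userPassword);
                }
                // Deliberate best-effort: whatever AESDecrypt throws is reported as a plain failure (null).
                catch (Exception) { return(null); }
            }
            else
            {
                secondPassDecrypt = encrypted;
            }

            // Decrypt first pass (Machine/User Lock)
            byte[] decrypted;

            if (encType.HasFlag(EncryptionType.LocalUser) || encType.HasFlag(EncryptionType.LocalMachine))
            {
                try
                {
                    decrypted = MachineDecrypt(secondPassDecrypt, encType);
                }
                // Same policy as above: a failed unprotect becomes null, not an exception.
                catch (Exception) { return(null); }
            }
            else
            {
                decrypted = secondPassDecrypt;
            }

            // Verify token signature
            // A null payload (null input, or a pass that returned null) is a failed decryption like any
            // other; without this check the Length read below would throw NullReferenceException.
            if (decrypted == null || decrypted.Length != 30)
            {
                return(null);
            }

            byte[] token = new byte[20];
            Array.Copy(decrypted, token, 20);

            byte[] signature = new byte[10];
            Array.Copy(decrypted, 20, signature, 0, 10);

            byte[] expectedSignature = SignToken(token);

            if (expectedSignature == null || expectedSignature.Length != signature.Length)
            {
                return(null);
            }

            // Compare every byte with no early exit, so the time taken does not depend on where the
            // first mismatching byte sits (SequenceEqual stops at the first difference).
            int mismatch = 0;
            for (int i = 0; i < signature.Length; i++)
            {
                mismatch |= expectedSignature[i] ^ signature[i];
            }

            if (mismatch == 0)
            {
                return(token);
            }

            return(null);
        }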
Ejemplo n.º 2
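        /// <summary>
        /// Peels off the password (AES) layer and the machine/user lock layer, when the matching
        /// flags are set, then validates the signature appended to the token.
        /// </summary>
        /// <param name="encrypted">Protected blob; returned untouched and unchecked for <c>EncryptionType.None</c>.</param>
        /// <param name="encType">Which layers to remove.</param>
        /// <param name="userPassword">Forwarded to <c>AESDecrypt</c> when the Password flag is set.</param>
        /// <returns>The 20-byte token on success; <c>null</c> on any decryption or verification failure.</returns>
        public static byte[] Decrypt(byte[] encrypted, EncryptionType encType, string userPassword)
        {
            const int TokenLength = 20;
            const int SignatureLength = 10;

            if (encType == EncryptionType.None)
                return encrypted;

            // Decrypt second pass (AES/PBKDF2)
            byte[] secondPassDecrypt = encrypted;

            if (encType.HasFlag(EncryptionType.Password))
            {
                try
                {
                    secondPassDecrypt = AESDecrypt(encrypted, userPassword);
                }
                catch (Exception)
                {
                    // Intentional: any exception from the AES pass is surfaced as "could not decrypt".
                    return null;
                }
            }

            // Decrypt first pass (Machine/User Lock)
            byte[] decrypted = secondPassDecrypt;

            if (encType.HasFlag(EncryptionType.LocalUser) || encType.HasFlag(EncryptionType.LocalMachine))
            {
                try
                {
                    decrypted = MachineDecrypt(secondPassDecrypt, encType);
                }
                catch (Exception)
                {
                    // Intentional: same null-on-failure contract as the AES pass.
                    return null;
                }
            }

            // Verify token signature
            // Reject a missing payload here instead of letting the Length read throw.
            if (decrypted == null || decrypted.Length != TokenLength + SignatureLength)
                return null;

            byte[] token = new byte[TokenLength];
            Array.Copy(decrypted, token, TokenLength);

            byte[] expectedSignature = SignToken(token);

            if (expectedSignature == null || expectedSignature.Length != SignatureLength)
                return null;

            // Fold all byte differences into one value: the loop always runs to the end, so timing
            // gives no hint about how many leading signature bytes matched.
            int difference = 0;
            for (int offset = 0; offset < SignatureLength; offset++)
                difference |= expectedSignature[offset] ^ decrypted[TokenLength + offset];

            return difference == 0 ? token : null;
        }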
Ejemplo n.º 3
        /// <summary>
        /// Appends a 10-byte signature to the first 20 bytes of the token, then applies the optional
        /// machine/user lock followed by the optional password (AES) layer.
        /// </summary>
        /// <param name="token">Token to protect; returned as-is for <c>EncryptionType.None</c>.</param>
        /// <param name="encType">Flags selecting the layers to apply.</param>
        /// <param name="userPassword">Forwarded to <c>AESEncrypt</c> when the Password flag is set.</param>
        /// <returns>The protected blob, or the bare 30-byte token+signature when no layer flag is set.</returns>
        public static byte[] Encrypt(byte[] token, EncryptionType encType, string userPassword)
        {
            if (encType == EncryptionType.None)
            {
                return token;
            }

            // Sign Token (for verification at decryption time)
            // NOTE(review): SignToken sees the whole array but only 20 bytes are stored below; a longer
            // token is truncated and a shorter one makes Array.Copy throw. Confirm callers pass 20 bytes.
            byte[] tokenSignature = SignToken(token);
            byte[] payload = new byte[30];

            Array.Copy(token, payload, 20);
            Array.Copy(tokenSignature, 0, payload, 20, 10);

            // Encrypt first pass (Machine/User Lock)
            bool machineLocked = encType.HasFlag(EncryptionType.LocalUser) || encType.HasFlag(EncryptionType.LocalMachine);
            byte[] afterFirstPass = machineLocked ? MachineEncrypt(payload, encType) : payload;

            // Encrypt second pass (AES/PBKDF2)
            // Without the Password flag the first-pass output is the final result.
            return encType.HasFlag(EncryptionType.Password)
                ? AESEncrypt(afterFirstPass, userPassword)
                : afterFirstPass;
        }
Ejemplo n.º 4
        /// <summary>
        /// Protects <paramref name="plainText"/> with <c>ProtectedData.Protect</c>, using
        /// <c>WINBMA_SECRET</c> as the optional entropy argument.
        /// </summary>
        /// <param name="plainText">Bytes to protect.</param>
        /// <param name="encType">The LocalUser flag selects CurrentUser scope; anything else gets LocalMachine scope.</param>
        /// <returns>The protected bytes returned by <c>ProtectedData.Protect</c>.</returns>
        private static byte[] MachineEncrypt(byte[] plainText, EncryptionType encType)
        {
            // LocalUser wins when both flags are set. LocalMachine scope lets any process on the same
            // computer unprotect the data, so it is the weaker of the two choices.
            DataProtectionScope scope;
            if (encType.HasFlag(EncryptionType.LocalUser))
            {
                scope = DataProtectionScope.CurrentUser;
            }
            else
            {
                scope = DataProtectionScope.LocalMachine;
            }

            // NOTE(review): WINBMA_SECRET is defined outside this block; if it is a constant shipped in
            // the binary it adds nothing against someone who can read the binary. Confirm.
            byte[] protectedBytes = ProtectedData.Protect(plainText, WINBMA_SECRET, scope);
            return protectedBytes;
        }
Ejemplo n.º 5
 /// <summary>
 /// Wraps <c>ProtectedData.Protect</c>: the scope is chosen from <paramref name="encType"/> and
 /// <c>WINBMA_SECRET</c> is supplied as the optional entropy.
 /// </summary>
 /// <param name="plainText">Data to protect.</param>
 /// <param name="encType">CurrentUser scope when the LocalUser flag is set, LocalMachine scope otherwise.</param>
 /// <returns>The bytes produced by <c>ProtectedData.Protect</c>.</returns>
 private static byte[] MachineEncrypt(byte[] plainText, EncryptionType encType)
 {
     // Per-user protection is preferred whenever it is requested. The fallback, LocalMachine, can
     // be unprotected by any process on the machine.
     bool perUser = encType.HasFlag(EncryptionType.LocalUser);
     DataProtectionScope scope = perUser
         ? DataProtectionScope.CurrentUser
         : DataProtectionScope.LocalMachine;

     // NOTE(review): WINBMA_SECRET is not visible here; verify it is not relied on as a real secret.
     return ProtectedData.Protect(plainText, WINBMA_SECRET, scope);
 }
Ejemplo n.º 6
        /// <summary>
        /// Builds a 30-byte payload (20 token bytes + 10 signature bytes) and wraps it in up to two
        /// layers: the machine/user lock first, then the password (AES) layer.
        /// </summary>
        /// <param name="token">Token bytes; passed through unchanged for <c>EncryptionType.None</c>.</param>
        /// <param name="encType">Selects which layers are applied.</param>
        /// <param name="userPassword">Given to <c>AESEncrypt</c>; only read when the Password flag is set.</param>
        /// <returns>The output of the last layer applied, or the plain payload if no layer flag is set.</returns>
        public static byte[] Encrypt(byte[] token, EncryptionType encType, string userPassword)
        {
            if (encType == EncryptionType.None)
                return token;

            // Sign Token (for verification at decryption time)
            byte[] sig = SignToken(token);

            // Layout: bytes 0..19 = token, bytes 20..29 = signature.
            // NOTE(review): only the first 20 token bytes and first 10 signature bytes are kept;
            // presumably both inputs always have exactly those lengths, so verify against callers.
            byte[] signedToken = new byte[30];
            Array.Copy(token, signedToken, 20);
            Array.Copy(sig, 0, signedToken, 20, 10);

            // Encrypt first pass (Machine/User Lock)
            byte[] result = signedToken;
            if (encType.HasFlag(EncryptionType.LocalUser) || encType.HasFlag(EncryptionType.LocalMachine))
            {
                result = MachineEncrypt(signedToken, encType);
            }

            // Encrypt second pass (AES/PBKDF2)
            if (!encType.HasFlag(EncryptionType.Password))
            {
                // No password layer requested: the first-pass output is final.
                return result;
            }

            return AESEncrypt(result, userPassword);
        }