Performing damage control on sample code for interviews?

During a survey for the company, I was asked to provide some code samples that highlight my “best” job. I answered several questions regarding a specific code example, one of which referred to an error.

The sample code was a WCF web service that uses AES to encrypt an opaque blob. The blob is used by the service to identify all resources for a particular service request. The error was that the .NET RijndaelManaged class was used with CBC mode without a proper IV installation. The RijndaelManaged class automatically generates the corresponding IV during the instantiation of the class, which occurs in the code sample during the first use of encryption and is preserved throughout the life of the ASP.NET application. Because ASP.NET applications can be restarted for various reasons, it is possible that these opaque blobs will be “invalid” from one service call to another due to a new IV value generated during application startup (error).

The question itself was "where is the IV set for decryption?"

My answer should already admit that this is a mistake; but since they asked for my “best” job, am I SOL at this position for sending the sample with an error? Can I still say?

I hesitate to describe the situation because I do not want to seem like I am making an excuse, but the encryption code was disabled while our service was pre-alpha and the project was killed before we ever went into production.

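One common way to avoid the failure the question describes, as an added example that is not the poster's code: each blob carries its own random IV in front of the ciphertext, so decryption does not depend on an IV held in the running application. `OpaqueBlob`, `Protect`, `Unprotect`, the demo key and the payload are assumptions; the sketch uses `Aes.Create()` instead of `RijndaelManaged` and needs C# 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class OpaqueBlob
{
    const int IvSize = 16; // AES block size in bytes

    // Fresh random IV for every blob, stored in front of the ciphertext.
    public static byte[] Protect(byte[] key, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] blob = new byte[IvSize + ct.Length];
        Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
        Buffer.BlockCopy(ct, 0, blob, IvSize, ct.Length);
        return blob;
    }

    // The IV is read back from the blob, so nothing from the encrypting instance is needed.
    public static byte[] Unprotect(byte[] key, byte[] blob)
    {
        if (blob == null || blob.Length < 2 * IvSize || blob.Length % IvSize != 0)
            throw new CryptographicException("Malformed blob.");
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
        using var aes = Aes.Create(); // new object: stands in for the application after a restart
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.IV = iv;
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(blob, IvSize, blob.Length - IvSize);
    }

    static void Main()
    {
        byte[] key = new byte[32]; // constructed all-zero demo key; a real key is loaded from protected storage
        byte[] blob = Protect(key, Encoding.UTF8.GetBytes("resource=42")); // constructed sample payload
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(key, blob)));
    }
}
```

CBC on its own does not detect tampering, so a blob handed back to clients would normally also carry a MAC over the IV and ciphertext.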
2 answers


Source: https://habr.com/ru/post/1757520/

