C# Decrypting mp3 file using RijndaelManaged and CryptoStream

Question

I have decrypted and saved an mp3 file into a blob storage.

However, when I decrypt and download the file I cant play it. I used an Mp3 validation tool which says "unknown file format". I believe it is the decryption that does not work since it works to download an unencrypted Mp3 file. Below I first show the encryption code within its Azure webjob function. The I show the decryption method and the method using it. I have removed handling of keys and such or clarity.

Encrypt

public static void EncryptBlob(
      [BlobTrigger("callstest/{name}")]
      [Blob("callstest/{name}", FileAccess.Read)] Stream blobInput,
      [Blob("encryptedcalls/{name}.vega", FileAccess.Write)] Stream blobOutput)
    {
        try
        {
            var password = "myKey123";
            var ue = new UnicodeEncoding();
            var key = ue.GetBytes(password);
            var rmCrypto = new RijndaelManaged {Padding = PaddingMode.None};

            using (var cs = new CryptoStream(blobOutput,
                rmCrypto.CreateEncryptor(key, key),
                CryptoStreamMode.Write))
            {
                int data;
                while ((data = blobInput.ReadByte()) != -1)
                    cs.WriteByte((byte)data);
            }

        }
        catch
        {
            Trace.TraceError("an error occured during encryption of the file-get the name?");
        }
    }

AdminController

 public async Task<ActionResult> DownloadMp3FromUrl()
    {
        var file = await _recordingService.GetRecordingFromUrl();
        var fileName = "filetest.mp3";
        return File(file,"audio/mpeg", fileName);
    }

Recording Service handler

public async Task<byte[]> GetRecordingFromUrl()
    {
        var container = _blobClient.GetContainerReference("encryptedcalls");

        var blockBlob = container.GetBlockBlobReference("SearchFiles.mp3.vega");

        try
        {
            var password = "myKey123";
            var ue = new UnicodeEncoding();
            var key = ue.GetBytes(password);
            var rmCrypto = new RijndaelManaged { Padding = PaddingMode.None };

            using (var stream = new MemoryStream())
            {
                blockBlob.FetchAttributes();
                blockBlob.DownloadToStream(stream, null, null);
                using (var cs = new CryptoStream(stream, rmCrypto.CreateDecryptor(key, key), CryptoStreamMode.Read))
                {
                    int data;
                    while ((data = stream.ReadByte()) != -1)
                        cs.WriteByte((byte)data);

                    return stream.ToArray();
                }
            }
        }
        catch
        {
            Trace.TraceError("an error occured during encryption of the file-get the name?");
        }
        return null;
    }
Solution

You're trying to write the decrypted data back into the source-stream in your Recording Service handler. This will never work. I'm amazed this doesn't throw an exception.

You need to set up your input stream, pass it into a decrypting CryptoStream, then write that to another output stream:

using (var inStream = new MemoryStream())
using (var outStream = new MemoryStream())
{
    blockBlob.FetchAttributes();
    blockBlob.DownloadToStream(inStream, null, null);
    using (var cryptoStream = new CryptoStream(
        inStream, rmCrypto.CreateDecryptor(key, key), CryptoStreamMode.Read))
    {
        cryptoStream.CopyTo(outStream);
        return outStream.ToArray();
    }
}

As an aside, the implementation as you've presented it here is full of security issues:

  • Don't use a non-padded cipher. You can leak information this way.
  • Don't generate your key from a password. Use a cryptographically secure RNG to generate your keys.
  • If you must use a string as your key's password, use Rfc2898DeriveBytes to generate a cryptographically secure random key from the password.
  • Absolutely do not use your symmetric key as your IV. This is really, really bad practice. The IV is used to randomize the cipher's output - it is not a secret in the same way as the key, and should be unique to each 'message' (or file) being encrypted.