Padding is invalid and cannot be removed.

This topic contains 4 replies, has 3 voices, and was last updated by Profile photo of Dan Potter Dan Potter 1 year, 9 months ago.

  • Author
    Posts
  • #30451
    Profile photo of Venugopal
    Venugopal
    Participant

    Powershell version:

    Name : ConsoleHost
    Version : 5.0.10105.0

    Decryption issue

    PS C:\Users\Administrator> ConvertTo-SecureString -key $key -String $password
    ConvertTo-SecureString : Padding is invalid and cannot be removed.
    At line:1 char:1
    + ConvertTo-SecureString -key $key -String $password
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
    + FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecure
    StringCommand

    No issues with earlier version of powershell. ( works fine on version 4 )
    Requesting help in this regards,

    Script:
    $file = "c:\securefile"
    $key = 1..32 | Get-Random -Count 16 -SetSeed 654321
    $password = Get-Content $File | ConvertTo-SecureString -key $key

    need some directions to fix this.

    Additional notes::

    just to add,
    https://technet.microsoft.com/en-us/library/hh849905.aspx?f=255&MSPPError=-2147217396

    Example 11 says
    # Commands with the same seed are not random.

    I got 2 different set of output for $key for version 4 and version 5.

    any suggestions?

  • #30452
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    Looks like something changed in Get-Random between those PS versions. Since you're essentially hard-coding your key either way, it would probably be safer just to save it that way, and avoid the problem.

    $key = [Convert]::FromBase64String('CwUCCg4QGxITESAJGQgBFw==')
    

    To get that key, I ran these commands in PowerShell v2:

    $bytes = 1..32 | Get-Random -Count 16 -SetSeed 654321
    [Convert]::ToBase64String($bytes)
    
  • #30453
    Profile photo of Dave Wyatt
    Dave Wyatt
    Moderator

    On a side note, this doesn't really add any security, since anyone can retrieve your key using the same PowerShell commands. I did a talk on this subject at the PowerShell summit which might interest you: https://www.youtube.com/watch?v=Ta2hQHVKauo

  • #30463
    Profile photo of Venugopal
    Venugopal
    Participant

    Hello Dave,

    Thank you.. i've already seen your talk on crypto and it had helped me a lot , this is the type 1 , the script executes and it gets deleted and it happens even before the server is ready.

    for now, i've hard-coded the working key.. waiting to know what has changed in get-random even though there is a work around ..

    Thank you once again...

  • #30464
    Profile photo of Dan Potter
    Dan Potter
    Participant

    The only change I see.

    Beginning in Windows PowerShell 3.0, Get-Random supports 64-bit integers. In Windows PowerShell 2.0, all values are cast to System.Int32

You must be logged in to reply to this topic.