This article is contributed. See the original author and article here.

When your .NET Core 3.0 (or later) application decrypts a string on a different machine from the one that encrypted it, you may run into the following exception:


 


Exception:

System.Security.Cryptography.CryptographicException: The payload was invalid.
   at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)


Two things you will need to check:

1. Are the Data Protection keys persisted to a local path? They need to be persisted to a path that is shared by every machine, so that the machine doing the decrypting can read the key that was used for encrypting.

2. SetApplicationName must be used to set an explicit application name, and it must be the same name on every machine. The application name is part of the purpose chain that Data Protection authenticates, so a mismatch fails the HMAC check even when the keys are shared.


 


Code Example below:


 


// At the top of the file. Requires the Microsoft.AspNetCore.DataProtection package.
// x509Cert is an X509Certificate2 loaded elsewhere; Configuration is the app's IConfiguration.
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.Extensions.Configuration;

// Inside ConfigureServices (or wherever services are registered):
services.AddDataProtection()
    .ProtectKeysWithCertificate(x509Cert)   // keys on the share are encrypted at rest, not stored in plaintext
    .UseCryptographicAlgorithms(
        new AuthenticatedEncryptorConfiguration()
        {
            EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
            ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
        })
    // shared network folder for key location; every machine must point at the same path
    .PersistKeysToFileSystem(new System.IO.DirectoryInfo(Configuration.GetValue<string>("KeyLocation")))
    // must be identical on every machine that protects or unprotects the data
    .SetApplicationName("MyApplicationName")
    .SetDefaultKeyLifetime(TimeSpan.FromDays(600));
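The following console program is an added example, not code from the original article, that reproduces both checks in one process: it plays "machine A" and "machine B" with separate DataProtectionProvider instances. It assumes the Microsoft.AspNetCore.DataProtection.Extensions package (for DataProtectionProvider.Create); the two temp folders stand in for a network share and a per-machine local folder, and the purpose string and application names are made up for the demonstration.

```csharp
// Added example: shows which misconfiguration produces which failure.
// Assumes package Microsoft.AspNetCore.DataProtection.Extensions.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class DataProtectionRoundTrip
{
    // Builds a protector the way a given machine would: from a key folder
    // and an application name. "demo-purpose" is a made-up purpose string.
    static IDataProtector MakeProtector(string keyFolder, string appName) =>
        DataProtectionProvider.Create(
                new DirectoryInfo(keyFolder),
                builder => builder.SetApplicationName(appName))
            .CreateProtector("demo-purpose");

    static void Main()
    {
        // Constructed paths: "shared" stands in for the network share,
        // "local" for a folder only one machine can see.
        string shared = Path.Combine(Path.GetTempPath(), "dp-shared-keys");
        string local  = Path.Combine(Path.GetTempPath(), "dp-local-keys");
        Directory.CreateDirectory(shared);
        Directory.CreateDirectory(local);

        // "Machine A" protects a value using the shared key ring.
        string payload = MakeProtector(shared, "MyApplicationName").Protect("secret");

        // "Machine B": same key folder, same application name -> round-trips.
        Console.WriteLine("Correct config: " +
            MakeProtector(shared, "MyApplicationName").Unprotect(payload));

        // Check 2 violated: keys are shared but the application name differs, so the
        // purpose chain (part of the authenticated data) differs and HMAC validation
        // fails with "The payload was invalid".
        TryUnprotect("Different app name", MakeProtector(shared, "OtherApplicationName"), payload);

        // Check 1 violated: keys persisted to a local folder. The key id embedded in
        // the payload is unknown to this key ring, so Unprotect throws.
        TryUnprotect("Local key folder", MakeProtector(local, "MyApplicationName"), payload);
    }

    // Reports the CryptographicException instead of crashing, so each failure mode is visible.
    static void TryUnprotect(string label, IDataProtector protector, string payload)
    {
        try
        {
            Console.WriteLine(label + ": " + protector.Unprotect(payload));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine(label + ": Unprotect failed: " + ex.Message);
        }
    }
}
```

Note that DataProtectionProvider.Create with only a directory does not encrypt the key ring at rest; for a real shared folder, pass the certificate overload (or use ProtectKeysWithCertificate as in the service registration above) so the share never holds plaintext keys.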


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.