How to detect decryption failure using TurboPower Lockbox 3.5

Question

How do you detect decryption failure? I have the following test code:

procedure TForm1.Button1Click(Sender: TObject);
var 
 plainms, cipherms: TMemoryStream;
 tempstr: string;

begin
  plainms := TMemoryStream.Create;
  cipherms := TMemoryStream.Create;
  try
    cipherms.LoadFromFile('rwcx.ini');
    Codec1.Password := '122rkdkdk';  
    try
     Codec1.DecryptStream(plainms, cipherms);
    except on E: Exception do
      showmessage(e.Message);
    end;
    plainms.Position := 0;
    SetLength(tempstr, plainms.Size * 2);
    BinToHex(plainms.Memory, PChar(tempstr), plainms.Size);
    showmessage(tempstr);
  finally
    plainms.Free;
    cipherms.Free;
  end;
end;

The file "rwcx.ini" is just a plain text file that does not contain encrypted data. I am using AES 256 with CBC and version 3.5 of Lockbox installed with "GetIt." I expected the plainms memory stream to be empty or an exception to be raised as decryption is guaranteed to fail. Instead I get garbage in plainms and no exception.

How do you detect decryption has failed? I must be able to detect bad passwords or corrupted input data. What am I missing?

Answer 1

Encryption is just a transform, in itself it has no concept of correct decryption.

One method is to create HMAC of the encrypted data and prepend that to the encrypted data and on decryption HMAC the encrypted data and compare the HMACs. Be careful to use a HMAC compare function that takes the same amount of time for matching and non-matching values.