Refactor password encryption with AES-256 and PBKDF2

Replaced the old `StringCipher` encryption with a new `SecurePasswordManager` class using AES-256 and PBKDF2 for machine-specific password encryption. Added support for automatic migration of passwords from the old format to the new secure method. Enhanced error handling, logging, and user prompts for decryption failures.

Updated `MainForm.cs` to integrate the new encryption system and handle password migration. Improved configuration persistence by saving migrated passwords in the new format.

Documented changes in `CHANGELOG.md` and added `SecurePasswordManager.cs` to the project. Ensured backward compatibility and compatibility with `.NET Framework 4.8`.

These changes improve security, reliability, and maintainability, particularly for environments requiring robust certificate and password management.

Author: michaelmsonne

CHANGELOG.MD

@@ -6,35 +6,60 @@
   - New `TimestampServerEditForm` for adding and editing individual timestamp servers
   - New `TimestampServerManagementForm` for centralized server configuration management
   - Added `TimestampServer` and `TimestampManager` classes for server handling and orchestration
+  - Dynamic interface adaptation: "Timestamp Servers" for PFX/Certificate Store and "Endpoints" for Trusted Signing
 - Built-in timestamp server availability testing and health monitoring
 - Support for server prioritization, enabling/disabling, and timeout configuration
+- Added certificate type persistence - application now remembers your preferred signing method (Windows Certificate Store, PFX Certificate, or Trusted Signing)
 
 ### 🎨 User Interface Enhancements
 - Enhanced MainForm UI with new menu options for certificate monitoring and timestamp server management
 - Introduced color-coded alerts for certificate expiry in both Windows Certificate Store and PFX scenarios
 - Improved certificate information display with better visual feedback
 - Added intuitive forms for managing timestamp server configurations
+- Context-aware UI labels that change based on signing type (Trusted Signing vs. traditional methods)
+
+### 🔒 Security Improvements
+- **Major Security Enhancement**: Completely redesigned password encryption system
+  - Replaced hardcoded encryption keys with machine-specific key derivation
+  - Upgraded from basic encryption to AES-256 with PBKDF2 key derivation (100,000 iterations)
+  - Implemented automatic migration from old encryption format to new secure method
+  - Added machine-specific entropy sources (hardware identifiers, system properties)
+  - Passwords encrypted on one machine cannot be decrypted on another (intentional security feature)
+- Enhanced certificate validation and password security handling
 
 ### 🏗️ Architecture Improvements
 - Refactored signing classes (`SignerPfx`, `SignerThumbprint`, `SignerTrustedSigning`) to inherit from new `SignerBase` abstract class
 - Centralized common signing logic, reducing code redundancy and improving maintainability
+- Added new `SecurePasswordManager` class for robust password encryption/decryption
 - Enhanced certificate validation and monitoring capabilities
 - Improved error handling and validation for certificate paths and passwords
+- Better separation of concerns with dedicated security and configuration management classes
 
 ### ⚡ Performance & Reliability
 - Implemented asynchronous operations for better application responsiveness
 - Enhanced logging system for improved troubleshooting and debugging
 - Added automatic failover to backup timestamp servers when primary servers are unavailable
 - Improved stability when handling certificate operations and network-related timestamp failures
+- Better configuration persistence and loading mechanisms
 
 ### 🐛 Bug Fixes
 - Better error recovery for network-related timestamp failures
 - Enhanced validation for certificate operations
 - Improved stability in certificate monitoring scenarios
+- Fixed configuration loading order to prevent UI overrides
+- Better handling of corrupted or incompatible password data
+
+### 🔧 Technical Details
+- Enhanced compatibility with .NET Framework 4.8
+- Improved machine-specific key generation using multiple entropy sources
+- Added comprehensive error handling and logging for security operations
+- Backward compatibility maintained through automatic password migration system
 
 ---
 
-*This release significantly enhances the reliability, user experience, and enterprise-readiness of the SignTool GUI, particularly for environments requiring robust certificate management and timestamping
+*This release represents a major milestone in security and usability, significantly enhancing the reliability, user experience, and enterprise-readiness of the SignTool GUI. The new security architecture ensures that sensitive certificate passwords are protected with industry-standard encryption while maintaining seamless user experience through automatic migration and intelligent configuration management.*
+
+---
 
 ## Version 1.4.0.0 (17-03-2025):
 

src/SignToolGUI/Class/SecurePasswordManager.cs

@@ -0,0 +1,259 @@
+using System;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+using static SignToolGUI.Class.FileLogger;
+
+namespace SignToolGUI.Class
+{
+    /// <summary>
+    /// Provides secure password encryption/decryption using machine-specific keys
+    /// </summary>
+    public static class SecurePasswordManager
+    {
+        private const int KeySize = 256; // AES-256
+        private const int IvSize = 128;  // AES block size
+        private const int SaltSize = 256; // Salt size in bits
+        private const int DerivationIterations = 100000; // PBKDF2 iterations (increased for better security)
+
+        /// <summary>
+        /// Generates a machine-specific encryption key based on hardware identifiers
+        /// </summary>
+        /// <returns>Base64 encoded machine-specific key</returns>
+        private static string GenerateMachineSpecificKey()
+        {
+            try
+            {
+                var machineInfo = new StringBuilder();
+
+                // Combine multiple hardware/system identifiers for uniqueness
+                machineInfo.Append(Environment.GetEnvironmentVariable("PROCESSOR_IDENTIFIER") ?? "UNKNOWN_PROCESSOR");
+                machineInfo.Append(Environment.MachineName);
+                machineInfo.Append(Environment.OSVersion.Platform.ToString());
+                machineInfo.Append(Environment.OSVersion.Version.ToString());
+                machineInfo.Append(Environment.UserDomainName);
+                machineInfo.Append(Environment.Is64BitOperatingSystem ? "x64" : "x86");
+
+                // Add additional entropy from system drive serial (if available)
+                try
+                {
+                    var systemDrive = Environment.SystemDirectory.Substring(0, 3);
+                    var driveInfo = new DriveInfo(systemDrive);
+                    if (driveInfo.IsReady)
+                    {
+                        // Note: VolumeLabel might not always be available, but we try
+                        machineInfo.Append(driveInfo.DriveFormat);
+                        machineInfo.Append(driveInfo.TotalSize.ToString());
+                    }
+                }
+                catch
+                {
+                    // Ignore drive info errors, we have other entropy sources
+                    machineInfo.Append("DEFAULT_DRIVE_ENTROPY");
+                }
+
+                // Create a hash of the combined information
+                using (var sha256 = SHA256.Create())
+                {
+                    var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(machineInfo.ToString()));
+                    return Convert.ToBase64String(hash);
+                }
+            }
+            catch (Exception ex)
+            {
+                Message($"Error generating machine-specific key: {ex.Message}", EventType.Error, 3031);
+                // Fallback to a machine name based key if hardware info is unavailable
+                using (var sha256 = SHA256.Create())
+                {
+                    var fallbackData = $"FALLBACK_{Environment.MachineName}_{Environment.UserName}";
+                    var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(fallbackData));
+                    return Convert.ToBase64String(hash);
+                }
+            }
+        }
+
+        /// <summary>
+        /// Encrypts a password using AES with machine-specific key derivation
+        /// </summary>
+        /// <param name="plainText">Password to encrypt</param>
+        /// <returns>Base64 encoded encrypted password with metadata</returns>
+        public static string EncryptPassword(string plainText)
+        {
+            if (string.IsNullOrEmpty(plainText))
+                return string.Empty;
+
+            try
+            {
+                var machineKey = GenerateMachineSpecificKey();
+                var plainTextBytes = Encoding.UTF8.GetBytes(plainText);
+
+                // Generate random salt and IV
+                var salt = GenerateRandomBytes(SaltSize / 8);
+                var iv = GenerateRandomBytes(IvSize / 8);
+
+                // Derive key from machine-specific data and salt
+                using (var pbkdf2 = new Rfc2898DeriveBytes(machineKey, salt, DerivationIterations))
+                {
+                    var keyBytes = pbkdf2.GetBytes(KeySize / 8);
+
+                    using (var aes = Aes.Create())
+                    {
+                        aes.KeySize = KeySize;
+                        aes.BlockSize = IvSize;
+                        aes.Mode = CipherMode.CBC;
+                        aes.Padding = PaddingMode.PKCS7;
+                        aes.Key = keyBytes;
+                        aes.IV = iv;
+
+                        using (var encryptor = aes.CreateEncryptor())
+                        using (var msEncrypt = new MemoryStream())
+                        {
+                            // Write salt and IV first
+                            msEncrypt.Write(salt, 0, salt.Length);
+                            msEncrypt.Write(iv, 0, iv.Length);
+
+                            // Encrypt the password
+                            using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
+                            {
+                                csEncrypt.Write(plainTextBytes, 0, plainTextBytes.Length);
+                                csEncrypt.FlushFinalBlock();
+                            }
+
+                            return Convert.ToBase64String(msEncrypt.ToArray());
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Message($"Error encrypting password: {ex.Message}", EventType.Error, 3032);
+                throw new InvalidOperationException("Failed to encrypt password", ex);
+            }
+        }
+
+        /// <summary>
+        /// Decrypts a password using AES with machine-specific key derivation
+        /// </summary>
+        /// <param name="cipherText">Base64 encoded encrypted password</param>
+        /// <returns>Decrypted password</returns>
+        public static string DecryptPassword(string cipherText)
+        {
+            if (string.IsNullOrEmpty(cipherText))
+                return string.Empty;
+
+            try
+            {
+                var machineKey = GenerateMachineSpecificKey();
+                var cipherBytes = Convert.FromBase64String(cipherText);
+
+                // Extract salt, IV, and encrypted data
+                var saltSize = SaltSize / 8;
+                var ivSize = IvSize / 8;
+
+                if (cipherBytes.Length < saltSize + ivSize)
+                {
+                    throw new ArgumentException("Invalid cipher text format");
+                }
+
+                var salt = new byte[saltSize];
+                var iv = new byte[ivSize];
+                var encryptedData = new byte[cipherBytes.Length - saltSize - ivSize];
+
+                Array.Copy(cipherBytes, 0, salt, 0, saltSize);
+                Array.Copy(cipherBytes, saltSize, iv, 0, ivSize);
+                Array.Copy(cipherBytes, saltSize + ivSize, encryptedData, 0, encryptedData.Length);
+
+                // Derive key from machine-specific data and extracted salt
+                using (var pbkdf2 = new Rfc2898DeriveBytes(machineKey, salt, DerivationIterations))
+                {
+                    var keyBytes = pbkdf2.GetBytes(KeySize / 8);
+
+                    using (var aes = Aes.Create())
+                    {
+                        aes.KeySize = KeySize;
+                        aes.BlockSize = IvSize;
+                        aes.Mode = CipherMode.CBC;
+                        aes.Padding = PaddingMode.PKCS7;
+                        aes.Key = keyBytes;
+                        aes.IV = iv;
+
+                        using (var decryptor = aes.CreateDecryptor())
+                        using (var msDecrypt = new MemoryStream(encryptedData))
+                        using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
+                        {
+                            var decryptedBytes = new byte[encryptedData.Length];
+                            var bytesRead = csDecrypt.Read(decryptedBytes, 0, decryptedBytes.Length);
+                            return Encoding.UTF8.GetString(decryptedBytes, 0, bytesRead);
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Message($"Error decrypting password: {ex.Message}", EventType.Error, 3033);
+                // Return empty string if decryption fails (might be old format or corrupted)
+                return string.Empty;
+            }
+        }
+
+        /// <summary>
+        /// Migrates passwords encrypted with the old StringCipher method to the new secure method
+        /// </summary>
+        /// <param name="oldEncryptedPassword">Password encrypted with StringCipher</param>
+        /// <param name="oldPassPhrase">The passphrase used with StringCipher</param>
+        /// <returns>Password encrypted with new method, or empty string if migration fails</returns>
+        public static string MigrateFromStringCipher(string oldEncryptedPassword, string oldPassPhrase)
+        {
+            try
+            {
+                // Try to decrypt with old StringCipher method
+                var decryptedPassword = StringCipher.Decrypt(oldEncryptedPassword, oldPassPhrase);
+
+                // Re-encrypt with new secure method
+                var newEncryptedPassword = EncryptPassword(decryptedPassword);
+
+                Message("Successfully migrated old encrypted password to new encryption method", EventType.Information, 3034);
+                return newEncryptedPassword;
+            }
+            catch (Exception ex)
+            {
+                Message($"Failed to migrate old encrypted password: {ex.Message}", EventType.Warning, 3035);
+                return string.Empty;
+            }
+        }
+
+        /// <summary>
+        /// Generates cryptographically secure random bytes
+        /// </summary>
+        /// <param name="size">Number of bytes to generate</param>
+        /// <returns>Array of random bytes</returns>
+        private static byte[] GenerateRandomBytes(int size)
+        {
+            var bytes = new byte[size];
+            using (var rng = RandomNumberGenerator.Create())
+            {
+                rng.GetBytes(bytes);
+            }
+            return bytes;
+        }
+
+        /// <summary>
+        /// Validates if the current machine can decrypt a given encrypted password
+        /// </summary>
+        /// <param name="encryptedPassword">Encrypted password to test</param>
+        /// <returns>True if the password can be decrypted on this machine</returns>
+        public static bool CanDecryptOnThisMachine(string encryptedPassword)
+        {
+            try
+            {
+                var decrypted = DecryptPassword(encryptedPassword);
+                return !string.IsNullOrEmpty(decrypted);
+            }
+            catch
+            {
+                return false;
+            }
+        }
+    }
+}

src/SignToolGUI/Forms/MainForm.cs

@@ -1025,8 +1025,46 @@ private void MainForm_Load(object sender, EventArgs e)
                 // Set the certificate password from the configuration file if it exists and decrypt it
                 if (settingCertificatePasswordEncrypted != "")
                 {
-                    // TODO - Decrypt the certificate password based on hardware hash
-                    textBoxPFXPassword.Text = StringCipher.Decrypt(settingCertificatePasswordEncrypted, "pMmInS?m24Caae#?2EySvsFUgDsUG06Qzz8R0X8F8WUNn04#g%mP02*36datrZka?cQh/Q2E/Oc4/21%");
+                    try
+                    {
+                        // First try new secure encryption method
+                        var decryptedPassword = SecurePasswordManager.DecryptPassword(settingCertificatePasswordEncrypted);
+
+                        if (string.IsNullOrEmpty(decryptedPassword))
+                        {
+                            // If new method fails, try to migrate from old StringCipher method
+                            Message("Attempting to migrate password from old encryption method", EventType.Information, 3036);
+                            var migratedPassword = SecurePasswordManager.MigrateFromStringCipher(
+                                settingCertificatePasswordEncrypted,
+                                "pMmInS?m24Caae#?2EySvsFUgDsUG06Qzz8R0X8F8WUNn04#g%mP02*36datrZka?cQh/Q2E/Oc4/21%");
+
+                            if (!string.IsNullOrEmpty(migratedPassword))
+                            {
+                                // Save the migrated password immediately
+                                iniFile.WriteValue("Program", "CertificatePassword", migratedPassword);
+                                decryptedPassword = SecurePasswordManager.DecryptPassword(migratedPassword);
+                                Message("Password successfully migrated and saved with new encryption", EventType.Information, 3037);
+                            }
+                        }
+
+                        textBoxPFXPassword.Text = decryptedPassword;
+                    }
+                    catch (Exception ex)
+                    {
+                        Message($"Failed to decrypt certificate password: {ex.Message}", EventType.Error, 3038);
+                        textBoxPFXPassword.Text = "";
+
+                        // Optionally clear the corrupted password from config
+                        if (MessageBox.Show("The saved password could not be decrypted. This may be due to " +
+                            "the password being encrypted on a different machine or corrupted data. " +
+                            "Would you like to clear the saved password?",
+                            "Password Decryption Failed",
+                            MessageBoxButtons.YesNo,
+                            MessageBoxIcon.Question) == DialogResult.Yes)
+                        {
+                            iniFile.WriteValue("Program", "CertificatePassword", "");
+                        }
+                    }
                 }
                 else
                 {
@@ -1131,8 +1169,7 @@ private void MainForm_FormClosing(object sender, FormClosingEventArgs e)
                             }
 
                             // Encrypt the certificate password and save it to the configuration file
-                            var encryptedstring = StringCipher.Encrypt(textBoxPFXPassword.Text,
-                                "pMmInS?m24Caae#?2EySvsFUgDsUG06Qzz8R0X8F8WUNn04#g%mP02*36datrZka?cQh/Q2E/Oc4/21%");
+                            var encryptedstring = SecurePasswordManager.EncryptPassword(textBoxPFXPassword.Text);
 
                             // Save the encrypted certificate password to the configuration file
                             iniFile.WriteValue("Program", "CertificatePassword", encryptedstring);

src/SignToolGUI/SignToolGUI.csproj

@@ -90,6 +90,7 @@
     <Compile Include="Class\FileLogger.cs" />
     <Compile Include="Class\HighDpi.cs" />
     <Compile Include="Class\NativeMethods.cs" />
+    <Compile Include="Class\SecurePasswordManager.cs" />
     <Compile Include="Class\SignerBase.cs" />
     <Compile Include="Class\SignerTrustedSigning.cs" />
     <Compile Include="Class\SignTool.cs" />