TripleDESCryptoServiceProvider - Vulnerable to Denial of Service?

We have an outdated ASP.NET site that uses encryption methods here:

http://www.codekeep.net/snippets/af1cd375-059a-4175-93d7-25eea2c5c660.aspx

When we call the following method, the page loads very slowly, and the result is a Reset message:

Decrypt(" ", true);

If this method is called several times in subsequent page requests, the application pool stops working.

This happens on a Windows 2008 server with the .NET v3.5 platform.

I narrowed the problem down to the call to TransformFinalBlock().

NOTE. On Cassini, I do not get a connection timeout; instead, the following exception is thrown:

System.Security.Cryptography.CryptographicException: Bad Data

Calling Decrypt() with other strings does not cause problems in any environment.

Why is this happening? Is this a bug in TripleDESCryptoServiceProvider?

[Text lost in extraction; the surviving fragments mention cipherString, "" and DoS.]

Update (2011.06.28):

using System.Security.Cryptography;
using System.Text;

// problem occurs when toEncryptArray is an empty array {}
byte[] toEncryptArray = {};

// 16-byte MD5 digest of the passphrase, used as a 2-key Triple DES key
MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
byte[] keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes("dummy_key"));
hashmd5.Clear();

TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
tdes.Key = keyArray;
tdes.Mode = CipherMode.ECB;
tdes.Padding = PaddingMode.PKCS7;
ICryptoTransform cTransform = tdes.CreateDecryptor();

// the following line can crash the ASP.NET application pool (may need to be called multiple times).
byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

tdes.Clear();

DES/Triple DES is a 64-bit block cipher, so the ciphertext must be a multiple of 8 bytes (64 bits).

PKCS5 padding (of the last block) looks like:

0x?? 0x07 0x07 0x07 0x07 0x07 0x07 0x07

[Parts of this answer were lost in extraction; the surviving fragments mention base64, the number 12, and the true argument (MAC, MD5 hash) versus false.]

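A hardened version of the snippet's Decrypt, added here as an example; it is not code from the page or from the codekeep snippet. It keeps the primitives the question's code uses (MD5-hashed passphrase as a 16-byte, 2-key Triple DES key; ECB; PKCS7 padding) so existing ciphertexts still decrypt, but it rejects input before anything reaches TransformFinalBlock: text that is not base64, the empty array that " " decodes to (Convert.FromBase64String skips whitespace), and lengths that are not a whole number of 8-byte blocks, and it treats CryptographicException (the "Bad Data" raised by a failed padding check) as an ordinary failed result instead of an unhandled exception. The class name SafeTripleDes, the TryDecrypt/Encrypt methods and the passphrase parameter are this example's own, assumed from the snippet's Decrypt(cipherString, useHashing) shape.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the page's or the codekeep snippet's code). Same
// primitives as the question's snippet: MD5-hashed passphrase as a 16-byte
// 2-key Triple DES key, ECB, PKCS7. The input checks and the catch are the
// hardening; class and method names are invented here.
public static class SafeTripleDes
{
    private const int BlockSize = 8; // DES / Triple DES block size in bytes

    // Mirrors the snippet's useHashing switch: MD5 of the passphrase when
    // true, raw UTF-8 bytes when false (which only works for 16/24-byte strings).
    private static byte[] DeriveKey(string passphrase, bool useHashing)
    {
        byte[] raw = Encoding.UTF8.GetBytes(passphrase);
        if (!useHashing) return raw;
        using (var md5 = new MD5CryptoServiceProvider())
            return md5.ComputeHash(raw);
    }

    private static TripleDESCryptoServiceProvider NewCipher(string passphrase, bool useHashing)
    {
        var tdes = new TripleDESCryptoServiceProvider();
        tdes.Key = DeriveKey(passphrase, useHashing);
        tdes.Mode = CipherMode.ECB;          // kept only for compatibility; ECB leaks plaintext patterns
        tdes.Padding = PaddingMode.PKCS7;
        return tdes;
    }

    public static string Encrypt(string plaintext, string passphrase, bool useHashing)
    {
        using (var tdes = NewCipher(passphrase, useHashing))
        using (ICryptoTransform enc = tdes.CreateEncryptor())
        {
            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            return Convert.ToBase64String(enc.TransformFinalBlock(input, 0, input.Length));
        }
    }

    // Returns false instead of throwing for any malformed cipherString, so a
    // caller-controlled value cannot become an unhandled exception or a hang.
    public static bool TryDecrypt(string cipherString, string passphrase, bool useHashing, out string plaintext)
    {
        plaintext = null;
        if (string.IsNullOrEmpty(cipherString)) return false;

        byte[] cipherBytes;
        try { cipherBytes = Convert.FromBase64String(cipherString); }
        catch (FormatException) { return false; }   // not base64 at all

        // FromBase64String skips whitespace, so " " decodes to an empty array:
        // exactly the input that reached TransformFinalBlock in the question.
        // A PKCS7-padded Triple DES ciphertext is at least one block long and
        // always a whole number of blocks; anything else is rejected here.
        if (cipherBytes.Length == 0 || cipherBytes.Length % BlockSize != 0) return false;

        try
        {
            using (var tdes = NewCipher(passphrase, useHashing))
            using (ICryptoTransform dec = tdes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(cipherBytes, 0, cipherBytes.Length);
                plaintext = Encoding.UTF8.GetString(plain);
                return true;
            }
        }
        catch (CryptographicException)
        {
            // Wrong key or a corrupted last block: the PKCS7 check fails ("Bad Data").
            return false;
        }
    }

    public static void Main()
    {
        const string passphrase = "dummy_key";   // the passphrase from the question's snippet
        string good = Encrypt("hello", passphrase, true);

        // Corrupt the last byte of a valid ciphertext; with overwhelming
        // probability the decrypted block no longer ends in valid padding.
        byte[] bytes = Convert.FromBase64String(good);
        bytes[bytes.Length - 1] ^= 0x01;
        string tampered = Convert.ToBase64String(bytes);

        // Constructed inputs: valid, whitespace only, 7 bytes (not a block
        // multiple), not base64, and a tampered last block.
        string[] inputs = { good, " ", "AAAAAAAAAA==", "not base64!", tampered };
        foreach (string input in inputs)
        {
            string result;
            bool ok = TryDecrypt(input, passphrase, true, out result);
            Console.WriteLine("{0,-28} -> {1}", "\"" + input + "\"", ok ? "OK: " + result : "rejected");
        }
    }
}
```

Rejecting malformed input only removes the crash and exception path; it does not authenticate the ciphertext. A tampered block that happens to end in valid padding still decrypts to garbage and is accepted, and the MD5-derived key and ECB mode stay as weak as they were in the original snippet, so a MAC over the ciphertext (or an authenticated mode) is the real fix, with this check as the guard in front of it.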
