Cross-platform Encryption / Decryption

jrahma

Hi,

I have .NET WinForm application in C# and I will make Web application for it using PHP.

I would like to ask what's the best way to encrypt / decrypt user authentication so it wll work on both WinForm and PHP portal?

I am currently using this in C#:

user_password = cipher_utility.Encrypt<RijndaelManaged>(result, "xxxx", "xxxx");

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using System.IO;

namespace Application_Class_Library
{
    public class cipher_utility
    {
        public static string Encrypt<T>(string value, string password, string salt) where T : SymmetricAlgorithm, new()
        {
            DeriveBytes rgb = new Rfc2898DeriveBytes(password, Encoding.Unicode.GetBytes(salt));

        SymmetricAlgorithm algorithm = new T();

        byte[] rgbKey = rgb.GetBytes(algorithm.KeySize >> 3);
        byte[] rgbIV = rgb.GetBytes(algorithm.BlockSize >> 3);

        ICryptoTransform transform = algorithm.CreateEncryptor(rgbKey, rgbIV);

        using (MemoryStream buffer = new MemoryStream())
        {
            using (CryptoStream stream = new CryptoStream(buffer, transform, CryptoStreamMode.Write))
            {
                using (StreamWriter writer = new StreamWriter(stream, Encoding.Unicode))
                {
                    writer.Write(value);
                }
            }

            return Convert.ToBase64String(buffer.ToArray());
        }
    }

    public static string Decrypt<T>(string text, string password, string salt) where T : SymmetricAlgorithm, new()
    {
        DeriveBytes rgb = new Rfc2898DeriveBytes(password, Encoding.Unicode.GetBytes(salt));

        SymmetricAlgorithm algorithm = new T();

        byte[] rgbKey = rgb.GetBytes(algorithm.KeySize >> 3);
        byte[] rgbIV = rgb.GetBytes(algorithm.BlockSize >> 3);

        ICryptoTransform transform = algorithm.CreateDecryptor(rgbKey, rgbIV);

        using (MemoryStream buffer = new MemoryStream(Convert.FromBase64String(text)))
        {
            using (CryptoStream stream = new CryptoStream(buffer, transform, CryptoStreamMode.Read))
            {
                using (StreamReader reader = new StreamReader(stream, Encoding.Unicode))
                {
                    return reader.ReadToEnd();
                }
            }
        }
    }
}
}

NogDog

For cross-platform use, my first thought would be OpenSSL, which I'm pretty sure must already have some .NET support?

sneakyimp

jrahma;11044841 wrote:
I have .NET WinForm application in C# and I will make Web application for it using PHP.

This sounds like you are writing some kind of desktop application for windows machines as a client for a PHP server. Is

jrahma;11044841 wrote:
I would like to ask what's the best way to encrypt / decrypt user authentication so it wll work on both WinForm and PHP portal?

Not sure what you mean by 'encrypt/decrypt user authentication.' Authentication refers to the process by which you verify that a user is in fact who they say they are. Do you mean to say that you want to encrypt the communications that establish authentication between client and server? If so, what's wrong with using HTTPS?

Note that your .NET code refers to RFC 2898 which is a document from RSA labs describing PKCS #5: Password-Based Cryptography Specification Version 2.0.

user_password = cipher_utility.Encrypt<RijndaelManaged>(result, "xxxx", "xxxx");

Looks like you are encrypting passwords. Is this simply because you want to encrypt a password just so you can send it to the server? I expect HTTPS would be a much more convenient and effective way to do this because the HTTPS protocol will automatically negotiate an encryption scheme and you won't have to store encryption keys/passwords on both client and server.

If you absolutely must be able to encrypt/decrypt messages to share with that .NET class, the key of course will be to make PHP functions that mirror your .NET encrypt/decrypt functions. It lookes to me like the code is using the salt and password to get rgb which is an object of type DeriveBytes (?) and then extracting a key and initialization vector from that object. Note also that the encryption and decryption steps involve base64 encoding.

It's been my experience that getting messages to decrypt is pretty hard. There's pretty much only one way to get something to decrypt. You need not just the right credentials but also the right process exactly. And because encrypted text is intentionally gibberish, you never really know if you are headed the right direction until the message is completely decrypted. You can't look at intermediate steps (e.g., the base64 decoded cipher text) and know if you are headed the right direction or not.

sneakyimp

Oh also, in addition to OpenSSL, there's [man]gnupg[/man] and [man]mcrypt[/man] which are PHP modules that help with encryption an decryption.