2

In an app for a website, there is a method which needs to send the user's password to the server (the server is in .NET).

Since sending plain text to the server can expose the user's password over the network, and considering user privacy, we wish to encrypt the password with some encryption algorithm before sending it over the network.

The algorithm should conform to the following points:

  1. It should not generate any invalid XML character.
  2. It should give the same result on the server side and on the iPhone side. When we tried simple XOR encryption with the int key 129, it gave a different result on the iPhone compared to the server side.

Please let me know if there are any recommendations on that.

Muhammad Uzair Arshad
  • 1,549
  • 1
  • 11
  • 9
  • Have you tried hashing? SHA1 or MD5? – Jorge Apr 19 '11 at 08:50
  • 1. XOR encryption with a fixed key is almost == no encryption. 2. Different result? Which byte is different? Is the encoding the same? – Vi. Apr 19 '11 at 08:54
  • @Jorge: hashing wouldn't be secure because an eavesdropper could then send the same hash to login. – brain Apr 19 '11 at 10:22

4 Answers

2

You could just use HTTPS to encrypt the network traffic. Then the only code change is the URL. The only trouble is that you'll have to configure the server, but that's a very common thing to do.

WhiteFang34
  • 70,765
  • 18
  • 106
  • 111
0

A rather late answer! But I hope someone in the future finds it useful. What I suggest is the following.

  • Using SSL and sending the password as plaintext is quite okay.
  • If you want to go the extra mile, then I suggest that you encrypt the password using a shared key and a shared algorithm with the server and send the encrypted password over SSL. This will be very, very difficult to hack.

Ruchira Randana
  • 4,021
  • 1
  • 27
  • 24
0

It feels like the true method is using asymmetric ciphers with public keys and private keys. Think about password safety in case somebody extracts the key from the iPhone application.

You can use Base64 or hex encoding to store crypto things in XML.

Vi.
  • 37,014
  • 18
  • 93
  • 148
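The two problems the question reports (XOR output that breaks the XML, and iPhone and .NET disagreeing on the result) are both byte-level issues, and Vi.'s answer above gives the fix for the first one. The following is an added example, not code from the thread; it is written in Python as a language-neutral stand-in for the Objective-C and C# sides, with `Pa$$w0rd` as a constructed sample password. It shows that XOR with the fixed key 129 produces bytes that are not valid UTF-8 (or are forbidden XML control characters), that Base64 makes the bytes XML-safe, and that the output differs if one side XORs UTF-8 bytes while the other XORs UTF-16 code units (a plausible cause of the mismatch, stated here as an assumption, since the question does not show the code).

```python
import base64

XOR_KEY = 129  # the fixed single-byte key from the question


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one fixed key byte.

    Applying it twice restores the input. Because the key never changes and
    ships inside the client, this is obfuscation, not encryption.
    """
    return bytes(b ^ key for b in data)


def is_xml_safe(data: bytes) -> bool:
    """True if `data` can be placed literally into a UTF-8 XML 1.0 document.

    Raw XOR output fails in two ways: the bytes are usually not valid UTF-8
    at all, and even when they are, control characters other than tab, LF
    and CR are excluded by the XML 1.0 Char production.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(
        c in "\t\n\r"
        or 0x20 <= ord(c) <= 0xD7FF
        or 0xE000 <= ord(c) <= 0xFFFD
        or 0x10000 <= ord(c) <= 0x10FFFF
        for c in text
    )


def xor_hex(password: str, encoding: str) -> str:
    """XOR the password after converting it to bytes with `encoding`.

    Both sides only agree if they pick the same encoding: UTF-8 gives one
    byte per ASCII character, UTF-16 gives two (the second is 0x00, which
    XOR turns into the key byte itself), so lengths and bytes both differ.
    """
    return xor_bytes(password.encode(encoding)).hex()


def xor_base64(password: str, encoding: str = "utf-8") -> str:
    """Base64, as Vi. suggests, turns arbitrary bytes into XML-safe ASCII."""
    return base64.b64encode(xor_bytes(password.encode(encoding))).decode("ascii")


def decode_base64_xor(b64: str, encoding: str = "utf-8") -> str:
    """Reverse of xor_base64: Base64-decode, XOR again, decode with `encoding`."""
    return xor_bytes(base64.b64decode(b64)).decode(encoding)


if __name__ == "__main__":
    pw = "Pa$$w0rd"  # constructed sample password
    raw = xor_bytes(pw.encode("utf-8"))
    print("raw XOR output XML-safe?", is_xml_safe(raw))
    print("utf-8  :", xor_hex(pw, "utf-8"))
    print("utf-16 :", xor_hex(pw, "utf-16-le"))
    print("base64 :", xor_base64(pw), is_xml_safe(xor_base64(pw).encode("ascii")))
    print("round trip:", decode_base64_xor(xor_base64(pw)) == pw)
```

Base64 or hex solves only the XML problem. The encoding mismatch is fixed by agreeing on one byte representation (UTF-8 on both sides) before applying any algorithm, and, as the comments already note, a fixed XOR key does not protect the password from anyone who can read the client.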
0

Do not encrypt the password, but either send it via SSL-encrypted HTTP or, even better, transmit a hashed version of the password. For the latter, on the server side, either store a hashed version in your database and not the clear text at all, OR hash the password on login and compare it with the remote (mobile) hashed version.

Till
  • 27,559
  • 13
  • 88
  • 122
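Till's first option (store only a hash on the server) is the one that survives brain's objection in the comments: a hash computed on the phone and sent as-is is itself a replayable credential, so the hashing belongs on the server, with the plaintext carried over TLS. The following is an added example, not the thread's or any project's code; it uses Python's standard library as a stand-in for the .NET server. The record layout (`pbkdf2_sha256$iterations$salt_hex$hash_hex`) and the iteration count are constructed choices for this example.

```python
import hashlib
import hmac
import os

# Constructed choices: raise the iteration count as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2 hash and pack it into one storable string.

    Format (constructed for this example): pbkdf2_sha256$iterations$salt_hex$hash_hex
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one lookup,
    and storing the iteration count lets it be raised for new records later.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iterations, compare in constant time.

    A malformed record yields False rather than an exception, so a corrupt
    row cannot crash the login handler.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != f"pbkdf2_{HASH_NAME}":
            return False
        expected = bytes.fromhex(hash_hex)
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = make_password_record("Pa$$w0rd")  # constructed sample; stored at sign-up
    print(record)
    print("correct password :", verify_password(record, "Pa$$w0rd"))
    print("wrong password   :", verify_password(record, "pa$$w0rd"))
```

The client sends the plaintext password over HTTPS; the server calls `verify_password` against the stored record and never keeps the clear text. Nothing the phone sends is reusable from a captured message, because the salt and the comparison live only on the server.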