
I have a native Win32 client application, and a .NET web application. I'd like to be able to encrypt a string on the client (given a user supplied password), and to be able to decrypt this string on the server given the same password. My client application is 32-bit, and my .NET web application is 64-bit. On the client, I'm not able to deploy the .NET framework.

I need a simple and robust solution. By simple, I mean I'd prefer a single function call. By robust, I mean I'd like an industry standard encryption algorithm like AES, and I don't want memory leaks.

Any suggestions on how I can accomplish this in a simple and robust way?

(Perhaps a DLL that comes in both a 32-bit and a 64-bit version? My .NET web application could P/Invoke to it, and my native application could just use it.)

Troy

3 Answers


You should probably use Microsoft's Cryptography API. MSDN documentation starts here.

This uses the crypt32.dll and is the same DLL that is used under the covers by the System.Security.Cryptography API in .NET. (You can check with an IL Disassembler that it already does P/Invoke on that DLL.)

akhisp

I'm afraid that there is no "magic" function that will do this for both your server and the client. It is not hard to write a simple encryption / decryption scheme that will work across both though, since the algorithms are standard. Building your own will also help you to understand how the encryption and decryption works in your software.

For .NET, you can use the System.Security.Cryptography namespace and for Win32 you should use the CryptoAPI.

As for the encryption scheme, going by your use case, you can use a simple symmetric encryption scheme.

Encryption:

  1. Hash the user password together with a constant salt to create a 32-bit buffer. You can use SHA256 for this. The CryptoAPI SHA256 is only supported on XP SP3 and up though. Otherwise you can find many open source implementations online.
  2. Take the first 16 bytes as the key and the last 16 as the IV.
  3. Use the AES CryptoProvider in the CryptoAPI to do the encryption using the key and the IV.

Decryption:

  1. and 2. will be the same as for encryption. .NET has built-in classes for SHA256 that you can use for this. Doing these steps should give you the same key as you had during encryption.
  3. Use the AesCryptoServiceProvider class to decrypt the data, using the key and the IV. See example here: https://gist.github.com/1833986 (this one doesn't use any salt).
Can Gencer
  • Are there any (non-.NET) dlls that wrap up all this complexity of using the CryptoAPI? – Troy Feb 14 '12 at 14:58
  • @Troy, not sure about that, but here's a lot of examples: http://stackoverflow.com/questions/4796590/window-c-c-crypto-api-examples-and-tips – Can Gencer Feb 14 '12 at 17:19
  • @Troy, alternatively, if you are ok with using other components, there's http://www.cryptopp.com/ as well as http://www.chilkatsoft.com/chilkatcrypt.asp (has both C++ and .NET, but costs money) – Can Gencer Feb 14 '12 at 17:21
  • I found this example (http://stackoverflow.com/questions/970114/cryptapi-native-interop-with-net-code) of a Delphi native RC2 and a .NET/C# RC2. I was able to get this working for me. Works on .NET, Win32 and Wine! Like the person who posted this example, I'd like to be able to upgrade it to use AES. I was able to change the Delphi CryptoAPI to use AES easily (just had to change a few parameters). But I can't figure out how to convert the .NET side to AES in a compatible way. – Troy Feb 14 '12 at 19:32
  • @Troy, you can just use the AESCryptoProvider. See an example I created here: https://gist.github.com/1833986. This one doesn't use any salt. – Can Gencer Feb 15 '12 at 07:15
  • Thank you so much, Can Gencer! This is just the example I was looking for. I tweaked my working RC2/CryptoAPI code on the native (Delphi) side to use the AES128/SHA256 providers, and now it matches the output of your example. I have AES-128 simple string encryption (using a password as the key) on both Win32 and .NET. – Troy Feb 15 '12 at 17:52
  • I posted my compatible Delphi and C# examples here: http://stackoverflow.com/questions/9188045/how-to-aes-128-encrypt-a-string-using-a-password-in-delphi-and-decrypt-in-c – Troy Feb 15 '12 at 18:10
  • @Troy, great, glad I could be of help:) – Can Gencer Feb 15 '12 at 22:14
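The scheme Can Gencer's answer describes (SHA-256 over password plus a constant salt, first 16 bytes as the AES-128 key, last 16 as the IV, then AES in the .NET defaults of CBC mode with PKCS#7 padding) is shown below as an added example. It is not code from the answer, the linked gist, or Troy's Delphi/C# port; it is written in Go because Go's standard library has SHA-256 and AES-CBC built in, so it runs anywhere and can be used as a reference to check that a CryptoAPI or .NET implementation of the same scheme produces identical bytes. The salt value, the hex encoding of the output and the function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// demoSalt is a constructed constant standing in for whatever fixed salt both
// the client and the server embed. Any value works as long as both sides agree.
const demoSalt = "example-app-salt-v1"

// deriveKeyIV follows steps 1 and 2 of the answer: SHA-256 over password||salt
// gives 32 bytes; the first 16 become the AES-128 key, the last 16 the CBC IV.
func deriveKeyIV(password, salt string) (key, iv []byte) {
	sum := sha256.Sum256([]byte(password + salt))
	return sum[:16], sum[16:]
}

// pkcs7Pad appends 1..blockSize bytes, each equal to the pad length, as the
// .NET default padding mode does.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding; any inconsistency is an error.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptString is the "single function call" the question asks for:
// password in, hex-encoded AES-128-CBC ciphertext out.
func EncryptString(plaintext, password string) (string, error) {
	key, iv := deriveKeyIV(password, demoSalt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plaintext), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

// DecryptString is the server-side counterpart; it re-derives the same key
// and IV from the password and rejects malformed input before decrypting.
func DecryptString(ciphertextHex, password string) (string, error) {
	ct, err := hex.DecodeString(ciphertextHex)
	if err != nil {
		return "", err
	}
	key, iv := deriveKeyIV(password, demoSalt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	pt, err := pkcs7Unpad(out, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ct, err := EncryptString("hello, world", "correct horse")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptString(ct, "correct horse")
	fmt.Printf("ciphertext=%s plaintext=%q err=%v\n", ct, pt, err)
}
```

Two properties of this construction are worth knowing before deploying it. Because the IV is derived from the password and a constant salt, the same plaintext under the same password always produces the same ciphertext, so an observer can tell when two stored strings are equal; a random IV stored alongside the ciphertext removes that. And a single SHA-256 pass is a fast derivation, which makes offline guessing of weak passwords cheap compared with an iterated KDF such as PBKDF2 (available through PasswordDeriveBytes/Rfc2898DeriveBytes in .NET). There is also no integrity check, so the padding error above is the only thing that detects a wrong password or a modified ciphertext; for data that crosses a trust boundary, appending an HMAC over the ciphertext is the usual fix.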

Can it be the user's login password and not one they supply directly? Windows supports encrypting data robustly under the user's login credentials (this is usually a password, but could be a smart card). When used with Active Directory, it is even possible to configure password recovery options.

This is called the Data Protection API. It can be accessed from native code via calls documented here and from native code via calls here.

kichik
imichaelmiers
  • The password has to be supplied directly. Other than that, it does seem like a simple API! – Troy Feb 14 '12 at 14:57
  • You can pass additional entropy to the function. This would be equivalent to encrypting under two passwords. Use password derived bytes to get the entropy. – imichaelmiers Feb 14 '12 at 15:44
  • The decryption must be able to occur independently of any Windows login. It must be able to occur on the client computer, as well as via the web application. So the DPAPI is a no-go. – Troy Feb 14 '12 at 15:46