
I have a security question about RijndaelManaged and ServicePointManager.

I have implemented a system where a C# application encrypts data, such as user credentials and some XML data. Then I use WebClient to send the encrypted user credentials with an encrypted XML document containing instructions – to my Tomcat Java Web application. The job of the Java Application is to decrypt the user credentials and XML instructions – perform the instructions and respond back to C# with an encrypted XML result.

All connections from my C# application to Tomcat server are with SSL enabled (Self signed certificate for now).

First Question: Given the fact that my C# application by default always connects to my Server (only) with SSL enabled, can I simply implement the callback function as:

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

As I understand it, the callback function is used to identify and validate the certificate used by the Server I’m connecting to. If I were to give that application to – say one of my clients to connect to my Server (with SSL enabled) – is the code above satisfactory? If the client uses my application to connect to another server that is not known and I have no idea about its SSL certificate status – the code above should be replaced with an actual certificate validation function. Does my question make sense?

Second Question: I have encryption/decryption implemented using RijndaelManaged in my C# application. But the key I’m using is part of the C# application – the application is obfuscated. As I understand this is not a secure way.

Is there a reliable way for the C# application to receive the encryption/decryption key from my Web application? Or is there a way for the key to be generated in the C# application that can be used by the Web application to decrypt the data – if so: how do I generate that key and, most important, how do I send it to the server in a reliable, secure way? Since the connection is SSL – can the key simply be a part of the encrypted stream?

Here is code that I’m using for encryption in my C# app.

using System;
using System.Security.Cryptography;
using System.Text;

private const string KEY = "samplekey";   // fixed key embedded in the (obfuscated) application
private const int KEY_SIZE = 128;         // AES-128, in bits
private const int KEY_BITS = 16;          // key length in bytes (16 bytes = 128 bits)

private string Encrypt(string textToEncrypt)
{
    RijndaelManaged rijndaelCipher = new RijndaelManaged();
    rijndaelCipher.Mode = CipherMode.CBC;
    rijndaelCipher.Padding = PaddingMode.PKCS7;

    rijndaelCipher.KeySize = KEY_SIZE;
    rijndaelCipher.BlockSize = KEY_SIZE;

    // Copy the UTF-8 bytes of the password string into a 16-byte key,
    // truncating if longer; any unused bytes stay zero.
    byte[] pwdBytes = Encoding.UTF8.GetBytes(KEY);
    byte[] keyBytes = new byte[KEY_BITS];

    int len = pwdBytes.Length;
    if (len > keyBytes.Length)
    {
        len = keyBytes.Length;
    }

    Array.Copy(pwdBytes, 0, keyBytes, 0, len);
    rijndaelCipher.Key = keyBytes;
    // Note: the same bytes are used as the IV, so the IV is both constant and equal to the key.
    rijndaelCipher.IV = keyBytes;

    ICryptoTransform transform = rijndaelCipher.CreateEncryptor();
    byte[] plainText = Encoding.UTF8.GetBytes(textToEncrypt);

    return Convert.ToBase64String(transform.TransformFinalBlock(plainText, 0, plainText.Length));
}
  • http://blogs.msdn.com/b/ericlippert/archive/2011/09/27/keep-it-secret-keep-it-safe.aspx – SLaks Nov 04 '12 at 00:42
  • Thank you for the post. I did read the blog, and I know that the key is the issue here, that's why I've asked the question in the first place. How to generate, store and or transmit keys securely? The blog is of no use to me, as I am aware of the cause and effect, I need help with identifying the proper way to use the technology in question. As of yet I did not find any help on combining the SSL certificate with key generator for Cipher. – Daniel Nov 05 '12 at 02:40
