I'm using the following Encrypt / Decrypt in my C# WCF:

    public static string EncryptString(string InputText, string Password)
    {
        RijndaelManaged RijndaelCipher = new RijndaelManaged();
        RijndaelCipher.Padding = PaddingMode.ISO10126;
        if (string.IsNullOrEmpty(Password) == true)
        {
            Password = "Test";
        }
        byte[] PlainText = System.Text.Encoding.Unicode.GetBytes(InputText);
        byte[] Salt = Encoding.ASCII.GetBytes(Password.Length.ToString());

        //This class uses an extension of the PBKDF1 algorithm defined in the PKCS#5 v2.0 
        //standard to derive bytes suitable for use as key material from a password. 
        //The standard is documented in IETF RFC 2898.

        PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(Password, Salt);
        //Creates a symmetric encryptor object. 
        ICryptoTransform Encryptor = RijndaelCipher.CreateEncryptor(SecretKey.GetBytes(32), SecretKey.GetBytes(16));
        MemoryStream memoryStream = new MemoryStream();
        //Defines a stream that links data streams to cryptographic transformations
        CryptoStream cryptoStream = new CryptoStream(memoryStream, Encryptor, CryptoStreamMode.Write);
        cryptoStream.Write(PlainText, 0, PlainText.Length);
        //Writes the final state and clears the buffer
        cryptoStream.FlushFinalBlock();
        byte[] CipherBytes = memoryStream.ToArray();
        memoryStream.Close();
        memoryStream = null;
        cryptoStream.Close();
        cryptoStream = null;
        PlainText = null;
        Salt = null;
        try
        {
            GC.Collect();
        }
        catch { }
        return Convert.ToBase64String(CipherBytes);

    }


    public static string DecryptString(string InputText, string Password)
    {

        RijndaelManaged RijndaelCipher = new RijndaelManaged();
        RijndaelCipher.Padding = PaddingMode.ISO10126;
        if (string.IsNullOrEmpty(Password) == true)
        {
            Password = "Test";
        }
        byte[] EncryptedData = Convert.FromBase64String(InputText);
        byte[] Salt = Encoding.ASCII.GetBytes(Password.Length.ToString());
        //Making of the key for decryption
        PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(Password, Salt);
        //Creates a symmetric Rijndael decryptor object.
        ICryptoTransform Decryptor = RijndaelCipher.CreateDecryptor(SecretKey.GetBytes(32), SecretKey.GetBytes(16));
        MemoryStream memoryStream = new MemoryStream(EncryptedData);
        //Defines the cryptographic stream for decryption. The stream contains decrypted data
        CryptoStream cryptoStream = new CryptoStream(memoryStream, Decryptor, CryptoStreamMode.Read);
        byte[] PlainText = new byte[EncryptedData.Length];
        int DecryptedCount = cryptoStream.Read(PlainText, 0, PlainText.Length);
        memoryStream.Close();
        memoryStream = null;
        cryptoStream.Close();
        cryptoStream = null;
        Salt = null;
        try
        {
            GC.Collect();
        }
        catch { }
        //Converting to string
        return Encoding.Unicode.GetString(PlainText, 0, DecryptedCount);
    }

Now I'm trying to use JavaScript to match it: I want to encrypt data in my web page and be able to decrypt the data in my WCF service. I tried to use this script but it does not work. Where can I find a JavaScript sample, or a sample with both JS and .NET?

I get the following error: {"Length of the data to decrypt is invalid."}

Thanks.

Joseph
  • Did you try [AESManaged](http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged.aspx) with 'this script'? Also, can you post the error that you are receiving? And, are you Base64 decoding/encoding in javascript? – Davin Tryon Mar 06 '12 at 13:03
  • Where can I find a JavaScript decryption for that example? – Joseph Mar 06 '12 at 18:30
  • The example you mention needs to send the myAes.Key and myAes.IV to my WCF. How can I send the key and the IV with the encrypted data? – Joseph Mar 06 '12 at 18:34
  • AES is symmetric encryption so both the client and the server must have the key. The key is usually shared through an asymmetric algorithm like RSA. Are you rebuilding SSL? What are you trying to accomplish? – Davin Tryon Mar 06 '12 at 23:55
  • No I'm not rebuilding SSL, I want to send the username & password to my WCF encrypted. – Joseph Mar 07 '12 at 06:15
  • I don't understand. I tried to encrypt text="hello" using password="test" on the web site (http://bit.ly/z1aWFz). Then I tried to decrypt using the same password in my C#, and I got the following error: {"Length of the data to decrypt is invalid."} – Joseph Mar 07 '12 at 06:26
  • So, why not use SSL? The error is just a general error saying that your data has the wrong padding. – Davin Tryon Mar 07 '12 at 13:56
  • I tried to change the padding type in my C# code to all options. – Joseph Mar 08 '12 at 16:23

1 Answer

Ok, if I understand correctly, you want to encrypt a username/password in javascript in a browser in order to safely transport the data to a WCF service. And to accomplish this, you are using AES (symmetric) encryption on both sides.

If that is correct, then you should really be using SSL. Why? Because SSL does this, but much better. In simple terms, SSL will negotiate an AES key after authenticating the public key of an RSA key. So you get the added benefit of the client javascript knowing for sure that it is speaking to the correct server.

What I think is wrong with the roll-your-own AES approach is that at the very least, you have to expose your key (without the public key authentication step) to the client javascript. This means that you are instantly subverting the security, because anyone with that key can now send data to the server.

If I have misunderstood, then perhaps there is an appropriate time to do this, however, at the moment, I don't see one.

Hope this helps.

Davin Tryon
  • I understand the issue regarding the key, but I want to do that without SSL for now and I want to share the key for now. What is the problem in the code? Why do I get the error? I tried to change the padding type in my C# code to all options. – Joseph Mar 08 '12 at 16:23
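
The wire format that the C# `DecryptString` in the question reads (Base64 of AES-256-CBC over UTF-16LE text with ISO 10126 padding), together with a pre-check for the "Length of the data to decrypt is invalid." error, as an added Node.js example that is not part of the original question or answer. The function names are hypothetical, and the key and IV are assumed to be raw bytes agreed elsewhere; the example does not reproduce `PasswordDeriveBytes`.

```javascript
// Added example (Node.js). Function names are hypothetical; key and IV are raw
// bytes assumed to be agreed elsewhere, not derived via PasswordDeriveBytes.
const crypto = require("crypto");

const BLOCK = 16; // AES (Rijndael with 128-bit blocks) block size in bytes

// ISO 10126 padding: random filler bytes, last byte holds the pad length (1..16).
function padIso10126(buf) {
  const padLen = BLOCK - (buf.length % BLOCK);
  const pad = crypto.randomBytes(padLen);
  pad[padLen - 1] = padLen;
  return Buffer.concat([buf, pad]);
}

// Base64(AES-256-CBC(UTF-16LE text)): Encoding.Unicode on the C# side is UTF-16LE.
function encryptForWcf(text, key, iv) {
  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  cipher.setAutoPadding(false); // padding is applied by padIso10126 instead
  const padded = padIso10126(Buffer.from(text, "utf16le"));
  return Buffer.concat([cipher.update(padded), cipher.final()]).toString("base64");
}

// Mirror of the receiving side, used here only to round-trip the sample.
function decryptFromWcfFormat(b64, key, iv) {
  const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
  decipher.setAutoPadding(false);
  const raw = Buffer.from(b64, "base64");
  const padded = Buffer.concat([decipher.update(raw), decipher.final()]);
  const padLen = padded[padded.length - 1];
  if (padLen < 1 || padLen > BLOCK) throw new Error("invalid padding");
  return padded.subarray(0, padded.length - padLen).toString("utf16le");
}

// Checks that need no key. The .NET decryptor raises "Length of the data to
// decrypt is invalid." when the decoded input is not a whole number of blocks.
function diagnose(b64) {
  const problems = [];
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64) || b64.length % 4 !== 0)
    problems.push("not standard Base64 (hex or URL-safe output?)");
  const raw = Buffer.from(b64, "base64");
  if (raw.length === 0 || raw.length % BLOCK !== 0)
    problems.push(`decoded length ${raw.length} is not a multiple of ${BLOCK}`);
  if (raw.subarray(0, 8).toString("latin1") === "Salted__")
    problems.push("OpenSSL-style 'Salted__' header: key and IV derived differently");
  return problems;
}
```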