I have an iPhone app that will call web-service on asp.net server. e.g. http://server.ws.com/projects.wsdl?i=10. The web service is written in c#.
I want to encrypt the url on the iPhone app and decrypt it again on the asp.net website correctly so I don't lose any data.
Thanks.
C# has some really good native encryption classes. The trick is ensuring the implementation is the same for the C encryption, and the C# encryption.
After a quick google search this is what I've come up with:
The apple tutorial gives some information about encryption is Objective C on the iPhone: http://developer.apple.com/library/ios/#documentation/Security/Conceptual/cryptoservices/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011172
Here are some things that you need to consider:
How you're going to make the connection,
How you're going to establish a key on both sides : http://en.wikipedia.org/wiki/Key_exchange
Encrypting the information using a predefined algorithm.
Transmitting the encrypted data along the connection. This last one shouldn't be too difficult.
Hopefully this will be helpful :)
Related
I have a question on the limitations of cryptography. May seem like a stupid question. I apologise in advance.
This is for a client which I myself am trying to wrap my head around it.
The information will be encrypted and then encoded in an accessible format e.g. QR or barcode. Decryption is using the application our developers are creating. The problem is that the application would be offline majority of the time when it is in used as the users would be in areas that have either intermittent or poor reception. So to be able to decrypt it, the application has to have the private key present on the device itself, correct? Would this even be a good solution? Even the developers have concerns on having all the apps offline with the same private key present. Note that the application will be used by multiple groups.
Is there an alternative that I can explore that any of you can suggest where we don't have to store the private key but still manage to secure the information for offline use? So far I've look into DRM for restricting copying information but not sure how it would help. I'm also willing to look into other solutions for this.
The database holding the information would be updated when they have an internet connection. I'm only assuming on this part since I'm not handling this part of the project.
Please and thank you in advance for your advice.
Maybe not the right way but found a suitable path.
Using a combination of asymmetric key and symmetric key where the symmetric key is used to decrypt data on the offline device. Asymmetric is used to encrypt the data. The asymmetric keys is only exchange when the devices are in need to be sync'd. This would put the trust on the devices itself so I'm not worried on this.
This idea came from Sectigo - Why Automotive Key Fob Encryption Hacks Are Making Headlines?
First, I'm working on a Master student's project, the project is a Web Bank System and apply encryption algorithms on this system.
The first algorithm which is a new encryption algorithm designed by the student who requested my help is to encrypt the sensitive data (Credit Cards information) on the database.
The second algorithm (which is a modified AES algorithm) is to encrypt the messages between the customer of the bank and the admin of the bank system using a web chat room.
Of course, there is no problem with the first algorithm because I can apply it to encrypt the Credit Card information submitted by the user and save it on the database.
But, the problem is that the professor that supervising on this student project insisted to secure the messages sent across the network by the admin and customer that they are using the web chat room and these messages must be secured using the second algorithm (modified AES).
As you all know, if I just code the second algorithm in Javascript to encrypt the messages on the browser client machine then send those encrypted messages to the server, that means this algorithm will be available to anyone who opens this webpage because we all know that Javascript is an open client source.
So, no more talking, I just want to ask that:
How to apply any encryption algorithm to secure the data transfer between client machine and server machine by using web application (for example web chat application) without to be this algorithm an open source to any client machine?
ADyson's comment contains the best solution to solve this problem practically, but it sounds like the professor has added constraints that prevent you from employing a practical solution.
It is not possible to execute an encryption algorithm on a client machine and at the same time keep the encryption algorithm a secret from the person and machine running the algorithm. They can always inspect the code.
As far as I am aware this is not possible, because the client will have to be able to both encrypt and decrypt messages; it logically requires the client understanding the encryption algorithm.
The strength of an encryption mechanism comes from the difficulty of reversing an encrypted message to plaintext without the key, even if one knows the algorithm.
If knowing an encryption algorithm allows someone to decipher a message without the key, then the algorithm is weak.
I'm thinking of using an MBaaS such as Firebase or Kinvey for my next app, and am wondering if any exist which encrypt application data end-to-end (i.e. such that the encryption keys are never shared with the service provider). This seems feasible in theory, since the server is not expected to do any computation on the data, only store it and deliver it to clients.
Does such a service exist? I've found ZeroDB and Crypton, but neither are available as services AFAICT, which means I'd have to administer, scale, and back them up myself. I also thought of using something like Firebase and encrypting my app's data before I pass it to the Firebase API, but I'm wary of writing a one-off crypto layer like that unless I have to (i.e. I'd rather use something that's been peer-reviewed).
Alternatively, if no such service currently exists, why not? Is it technically infeasible, or is there just no market for it?
Edit: This seems closest to what I'm looking for, but considering the broken links on their website I'm guessing it's defunct: Adreneline Mobility
The answer to your question is actually available on the market. CloudMine offers end-to-end encryption (disclosure - I work at CloudMine). They have a largely healthcare focused offering so it has to stand up to HIPAA and other government regs around data security.
Here's a good overview video on security featuring CloudMine's CTO. The first 45 sec. provide some more information on our encryption techniques.
I know I'm being the "sales guy" right now but I'm happy to hop on a call to share what we've built and discuss your specific use case. You can email me at nick at cloudmineinc.com if you're interested.
Virgil Security (full disclosure - I work there) has an end-to-end encryption SDK that works for any endpoint, and also has a special integration with Firebase. It's open source, of course. Check it out and feel free to ask any questions of the team here or on Slack - https://e3kit.readme.io/
I want to handle some confidential data in one of my web application. So that the data shouldn't able to read by the Developer or Database administrator.
We can easily hide the data from DB administrator by implementing some encryption technique. But still the developer can see the data since he only creating the decryption technique. I want only the end user should see his data.
I can't encrypt data using some algorithms like PBKDF2 or DB side encryption methods Like TDE & EKM because still I need to keep the encryption key somewhere. If I keep in server side or in db the developer can access and decrypt the data. If I keep it in client side, the user can't access the information from a separate machine.
So How to handle this situation? Thanks in advance.
You are heading the direction of Zero Knowledge Web Applications, such as implemented by SpiderOak (see also crypton). These applications typically work by deriving a key from the user's password using something like PBKDF2, and performing encryption/decryption on client side. However, there are a number of complexities to overcome to make it true zero-knowledge, and also to meet usability requirements. One could write an essay on this, but instead I suggest you start by reading the linked references. If you have any questions, let me know.
In a nutshell, the "more zero-knowledge" you want the system to be, the harder it is to realise without sacrificing usability (one example is overcoming the points made in Javascript Cryptography Considered Harmful). However, there are various tradeoffs you can make in order to make it sufficiently difficult to cheat without affecting usability too much.
I need to keep the encryption key somewhere
No you don't. The user only has to remember it. For convenience you could save it in the browser's local storage.
hey guys i need to implement a standard encryption decryption logic across an entire project platform which has different clients implemented using different platforms as follows:
iphone app (objectiv c)
website (classic asp)
webservice (asp.net)
samsung bada app (c++)
the iphone app as well as the website need to send info to webservice using encrypted query strings
the web service then decrypts this and processes the info further
wanted to know the simplest way to achieve this. is there some free and ready to use binary available with an easy to use api to achieve this?
encryption needs to be as secure as possible
edited: currently we use AES on the website and webservice front
thnx in advance
Can't this be solved by using HTTPS for the web service?
Luckily encryption algorithms are well defined by standards (at least the good ones), so you should be able to find inter operable implementations for the required platforms. You probably want to use AES for the encryption?
Any idea how you will distribute the keys?