How can I Encrypt on iPhone Decrypt the same data in an ASP.NET application?
Should I not worry about it and just send all data by SSL?
Thanks
Depends on what the data is. If it's highly sensitive, you're probably better off using SSL. But for general information, Encryption and Decryption shouldn't matter as long as use the same encryption/decryption method (and keys) on both ends.
Related
I am planning to use cryptosupport API to encryp/decrypt certain cookie keys bearing PCI/PII customer data. I am setting/reading these cookies at both client and server side. At server end (java), I am able to call API and encrypt/decrypt. How do I call the API from clientside (javascript) ? The usage is quite huge at clientside and I dont want to make ajax calls to server.
Is it advisable to use this API with requirement of encrypting cookie data used at both client and server side?
Or is there simpler encryption API for this purpose?
It is a server-side AEM capability only.
And think about it--if you were able to call an API to decrypt a cipher on the client side (JavaScript), what security would it provide? End users could easily also decrypt the cipher and see the secret, so it really would defeat the purpose of having an encrypted secret.
See What encryption algorithm is best for encrypting cookies? which says
Since this question is rather popular, I thought it useful to give
it an update.
Let me emphasise the correct answer as given by AviD to this question:
You should not store any data that needs encrypting in your cookie. Instead, store a good sized (128 bits/16 bytes) random key in
the cookie and store the information you want to keep secure on the
server, identified by the cookie's key.
I've been looking all over the internet on how to encrypt/decrypt a password or a String using AES in Spring Framework. Any links or tutorials? Explaining AES is good too but please use a non-nerd words.
If you're wondering why should I do this is because we need to encrypt the password and save it in the session and get it from the session to decrypt then use it.
Thanks in advance.
Spring security actually does not build encryption tools themselves - they deal more with authentication, login, sessions, and encoding (so, hashing passwords and that sort of thing). Take a look at http://www.jasypt.org/, which is commonly used with spring security if encryption/decryption is needed at the spring security level (http://www.jasypt.org/springsecurity.html).
I was wondering what the best (most secure) way to encrypt Web.Config files in an ASP.Net MVC 4 Application are? I have some background with developing in-house applications using C#, but we never focused too much on encryption due to other security that was already in place.
EDIT: My host Server is ORACLE if that changes anything? A friend mentioned perhaps using aspnet_regiis.exe after deployment of my code with the '-pe' argument. Anyone have any pros/cons for this method?
EDIT2: ORACLE is a Database, not a Server! Can I go home yet?! >_<
The typical way is to use a ProtectedConfigurationProvider to encrypt the sensitive sections. There are several existing implementations. You can also implement your own if needed.
I was wondering what the best (most secure) way to encrypt Web.Config files
"Most secure" depends on what threats you are trying to protect against. You can assume that all the standard cryptographic algorithms are secure, but by encrypting web.config, you've simply exchanged the problem of protecting plaintext credentials in web.config for the problem of protecting an encryption key.
Typically you'll use Protected Configuration to encrypt web.config.
If you use the DPAPI provider, you'll encrypt using the server's machine key. This means that the encryption can be broken by anyone who can log in to the server. Also by anyone with write access to a folder containing a web site on the server, because they can upload code, say an aspx page with embedded script, that can do the decryption. This is a good choice if:
your server is secure (not shared with other untrusted applications, e.g. a hosting environment)
you don't want to copy the web.config to other servers (e.g. in a web farm) - it needs to be encrypted independently on each server.
Alternatively, if DPAPI doesn't meet your requirements, you should probably use the RSA provider. You can protect the key with an ACL against unauthorized access by other users on the same server, and can share it across multiple servers.
You can use the CryptoAPI to encrypt individual configuration values.
You can use the DPAPI to encrypt entire sections.
I'm encrypting some data that needs to stay on the client, and so will the Salt, Key and IV. Is there a standard way of handling this data on the client to prevent people from discovering it and encryption your data?
I can think of plenty of things to obscure them, but there must be an industry standard way of dealing with this issue.
There's no additional security risk if the IV and salt are known. IV's are safe to store in the clear, and salts are to help prevent precomputation and rainbow tables.
So you're really just talking about the key. There's a couple solutions, each with it's own tradeoffs. In your question, you only mention you need to encrypt data on the client. Does the client not need to decrypt?
If this is a Windows client, you can use the Data Protection API to protect the key under the users credentials.
Protect the key with a passphrase. If you don't mind entering a passphrase each time the client needs the key, this can offer reasonable protection, and it's supported in most cryptosystems like OpenPGP.
If the client only needs to encrypt, you can use a hybrid approach with public keys (like OpenPGP). In this case, you only store the public key on the client, and the private key somewhere safe. When you encrypt data, you'll generate a random symmetric key, and encrypt that under the client's public key. Now if someone compromises the machine, they won't be able to decrypt any of the session keys.
Use specialized hardware like a hardware security module or smart card. This is the most expensive route, but depending on your threat model might be viable.
I have an ASP.NET 1.1 form gathering data on a public-facing site, within a DMZ. The data is represented by a serializable class. My problem is that I need to serialize, encrypt and transmit the data to a Web Service running on an internal server - the service logic should then decrypt and deserialize the data before writing the XML to a shared folder.
Can someone point me in the right direction? What's the most straightforward way of doing this?
Is it possible to use SSL to secure the Web Service on the internal server? This would seem to offer the protection you require.
If you don't have SSL, you will want to serialize the class to XML and then encrypt it. Then decrypt to the serialized XML format. You could then deserialize the XML files created on the share.
Encryption is fairly straightforward to program because you have a string of XML that you want to encrypt and decrypt. The challenge is with the choice of the encryption algorithm and the storage of encryption keys. You should read up on symmetric and assymetric encryption. If the key is exposed then an attacker can easily decrypt your data. Use file permissions to tightly control access.
The simplest option is to use symmetric keys and store the keys on the both ends. There are a number of examples and docs out there.