Re: About Encryption... code review and questions...

From: Claude Vernier (ClaudeVernier_at_discussions.microsoft.com)
Date: 09/21/04


Date: Tue, 21 Sep 2004 05:47:02 -0700


Thanks you very much for all this, I read a lot of your blog and, I must
admit...
Did not understand everything ( but eh! did not fell asleep !! ).

I'll keep on reading and investigate this padding problem.

Have a nice day !
Claude

"Valery Pryamikov" wrote:

> Result is different due to padding. Default padding is PKCS 1.5. For
> encryption, string of nonzero pseudorandom bytes is generated and padded
> message is constructed by 0x00 || 0x02 || PseudoRandomNonzeroBytes ||
> Message.
> I'd strongly advise you against inventing your own authentication scheme.
> Try using something proven. It's hard do get it right. As an example - think
> of the infamous IEEE802.11 WEP. It was developed as an open process by group
> of very smart people and had rather wide public review, but obviously there
> wasn't enough cryptographic skill in the group. Shortly after it became a
> standard, whole bunch of errors was discovered in the protocol (see
> "Cryptanalysis of WEP, the stream cipher used in 802.11 WiFi networks" by
> Wagner, Borisov and Goldberg). And when it concerned WEP authenticaiton, it
> was shown that it actually reduced security (surprisingly enough
> unauthenticated WEP had better security than unauthenticated).
>
> BTW. if you interesting, I have 6 posts in my blog concerning passwords.
>
> -Valery.
> http://www.harper.no/valery
>
> "Claude Vernier" <ClaudeVernier@discussions.microsoft.com> wrote in message
> news:54117D64-0F76-4001-9EE3-EE12109E9422@microsoft.com...
> >
> > Hi,
> >
> > I'm quite new at encryption...
> >
> > We got a web service that asks for an encrypted password, I did some
> > experimentation with the code and now, there is something I do not
> > understand.
> >
> > I'm trying to do Unit Tests on a function that encrypts a string and it
> > always returns a different result...
> >
> > Is this normal or is my code wrong??
> >
> > If you could have a look at my code and tell me if I'm doing ok...
> > Thanks you very much!
> >
> > // --- This is the function I use in the program and seems to work ok for
> > now.
> >
> > public static string Encrypt( string StringToEncrypt, string PublicKey )
> > {
> > // Use machine key store.
> > CspParameters cspParams = new CspParameters();
> >
> > cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
> >
> > RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);
> >
> > rsa.FromXmlString(PublicKey);
> >
> > return
> > Convert.ToBase64String(rsa.Encrypt(System.Text.Encoding.Unicode.GetBytes(StringToEncrypt),
> > false));
> > }
> >
> >
> > // --- Here's my unit test with NUnit ( and C# )
> > [Test]
> > public void Test_Static_Method_Encrypt()
> > {
> > string sString = "Vive NUnit!!";
> > string sKey =
> > "<RSAKeyValue><Modulus>uNGVpq15ABx80Cwih5WPra0aiPZJyDxfe/FrKwk855ya1bcTiLAU0pdi6d2W6dlS8FNNzGMFjda3VKrjwV5H64WbxSG4HoSg96FiCvchbOwCt9oGH0wwztM7sQTiIX7V5pGG2NQ7hoAJxR4pjwGzv6jiMb2SntjOvXobW0S89CM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
> > string sExpectedResult =
> > "p0hL1xz8xWSG9BEoxshFPXjKzoN/UQuS6OQYhdPuwN3KVp+052QegEtNdehiPL7WN5iWG8O0eTgX0hyMIKDFVrGxvOh3xBT8ILTyBZmDrWkxNKIaKzNL/TTCzjPCnhNKX9rfEg15LQf3TxZlgJnyceu7iFr3N+TnEoX/ITNiSIM=";
> > string sResult = string.Empty;
> >
> > sResult = CGeneratorWebService.Encrypt( sString, sKey );
> >
> > if( !sResult.Equals( sExpectedResult ) )
> > Console.WriteLine( "Test_Static_Method_Encrypt(): " + sResult );
> >
> > Assertion.AssertEquals( "Encrypt() Test.", sExpectedResult, sResult );
> > }
> >
> >
> > The thing is that the result is each time different...
> > ?sResult =
> > "eyHbhR/Z3p53C1LSGoslI2cBSFvjcn+1/V5un9ZvD+eBrTabFzXNik48AYGvQFt4g2jF2wkAXIjsJ3AgweCnWYzgb+LGmF80j57ZADimc965DIcQWO6veGgnfsCkyyOdmncHOo/qyy2kCHOTWKlKs09JYW469IBcw3gWW79ywWA="
> > ?sResult =
> > "Nfri+ZchZs8lcrzZ+jrAFXtj6lSHMCHDlVszD8Qp71/FqiRUp2dxXyEEKNFoniG/qUvPuuVDhmjSczYjCjjYFSYHnjXJ0rhgZahV1Nz4nEmDwGp46A5ENFzMfSN9yJ3rG5+llKu/eQzweKlIq6DBnurAijGzmAEa9S8yxJxFIh0="
> > ?sResult =
> > "mffgel7t+e9Wgm1BVFbsazP57vpYYB3RcoC8s8+lHnBt7yiO+XJ9p+O8POW9ysJfguwSsnz0q8YN1uNQQHzdvifQfrrXz4DrPAbbyaJvCnO3BoTrbAXSfj878KaJJXGgHjSwVqlXez7H6Wr8AMU4pOLVI/Cx6e2OI6QWae5993g="
> >
> > Besides that, I'd need some more info on how things get done elsewhere.
> > The web service that needs the domain, user and password expected that:
> > - The users would ask for the public key that is refreshed each time the
> > application starts,
> > - The application would generate the private key based on the public key
> > - The users encrypted the password and send it
> > - The application would decrypt the password and control it.
> >
> > This was to avoid keeping public and private keys in text files.
> > Is that a normal way of doing things?
> > Is there a better solution?
> >
> > We have this web service that needs to control password and a new one that
> > will encrypt the password provided by the user save this encrypted
> > password
> > in SQL and each time the user logs in, compare both encrypted password.
> >
> > Do I need 1 or 2 keys for that? And how do I keep them?
> >
> > Thanks for helping me sorting this out...
> > Claude Vernier
> >
>
>
>



Relevant Pages

  • Re: How to use ADO fast?
    ... >> There are other protection mechanisms like encryption. ... >> Blog: http://cs.rthand.com/blogs/blog_with_righthand/ ... >>> than it is in my opinion harder to get the connectionstring from the DLL ... >>> however not for security reason but for deployment reason. ...
    (microsoft.public.dotnet.framework.adonet)
  • Re: asymmetric encryption
    ... If you use symmetric encryption do the end users, ... their logging into the system grant them access to the encrypted data? ... Note that the YukonDoIt blog is not active anymore. ... Software Design Engineer ...
    (microsoft.public.sqlserver.security)
  • Re: asymmetric encryption
    ... It's an awesome encryption blog. ... it's *the* resource. ... For symmetric key encryption examples, ...
    (microsoft.public.sqlserver.security)
  • Re: 768-bit RSA cracked, 1024-bit safe (for now)
    ... factoring a number used for RSA 768-bit encryption. ... <snip plagiarized article that is actually a 3rd hand announcement ... disguised to advertise some guys blog> ...
    (sci.crypt)
  • Re: setup wireless connection
    ... Excuse my ignorance but I don't think I've ever encountered setting wep ... The only encryption setting for wep or wpa I'm ... aware of is on my router's configuration site and that is for the router ... that was lousy advice. ...
    (Ubuntu)