Re: About Encryption... code review and questions...
From: Claude Vernier (ClaudeVernier_at_discussions.microsoft.com)
Date: 09/21/04
- Next message: richlm: "Re: accessing a net share from a web application"
- Previous message: Nick Smith: "Problems with ASP.NET security"
- In reply to: Valery Pryamikov: "Re: About Encryption... code review and questions..."
- Next in thread: Valery Pryamikov: "Re: About Encryption... code review and questions..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Sep 2004 05:47:02 -0700
Thank you very much for all this. I read a lot of your blog and, I must
admit...
Did not understand everything (but eh! did not fall asleep!!).
I'll keep on reading and investigate this padding problem.
Have a nice day!
Claude
"Valery Pryamikov" wrote:
> The result is different due to padding. Default padding is PKCS 1.5. For
> encryption, a string of nonzero pseudorandom bytes is generated and the padded
> message is constructed as 0x00 || 0x02 || PseudoRandomNonzeroBytes ||
> Message.
> I'd strongly advise you against inventing your own authentication scheme.
> Try using something proven. It's hard to get it right. As an example, think
> of the infamous IEEE 802.11 WEP. It was developed as an open process by a group
> of very smart people and had rather wide public review, but obviously there
> wasn't enough cryptographic skill in the group. Shortly after it became a
> standard, a whole bunch of errors was discovered in the protocol (see
> "Cryptanalysis of WEP, the stream cipher used in 802.11 WiFi networks" by
> Wagner, Borisov and Goldberg). And when it concerned WEP authentication, it
> was shown that it actually reduced security (surprisingly enough,
> unauthenticated WEP had better security than unauthenticated).
>
> BTW, if you are interested, I have 6 posts in my blog concerning passwords.
>
> -Valery.
> http://www.harper.no/valery
>
> "Claude Vernier" <ClaudeVernier@discussions.microsoft.com> wrote in message
> news:54117D64-0F76-4001-9EE3-EE12109E9422@microsoft.com...
> >
> > Hi,
> >
> > I'm quite new at encryption...
> >
> > We've got a web service that asks for an encrypted password, I did some
> > experimentation with the code and now, there is something I do not
> > understand.
> >
> > I'm trying to do Unit Tests on a function that encrypts a string and it
> > always returns a different result...
> >
> > Is this normal or is my code wrong??
> >
> > If you could have a look at my code and tell me if I'm doing ok...
> > Thank you very much!
> >
> > // --- This is the function I use in the program and seems to work ok for now.
> >
> > public static string Encrypt( string StringToEncrypt, string PublicKey )
> > {
> > // Use machine key store.
> > CspParameters cspParams = new CspParameters();
> >
> > cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
> >
> > RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);
> >
> > rsa.FromXmlString(PublicKey);
> >
> > // Encoding.Unicode is UTF-16LE; the second argument false selects
> > // PKCS#1 v1.5 padding (not OAEP).
> > byte[] plain = System.Text.Encoding.Unicode.GetBytes(StringToEncrypt);
> > return Convert.ToBase64String(rsa.Encrypt(plain, false));
> > }
> >
> >
> > // --- Here's my unit test with NUnit ( and C# )
> > [Test]
> > public void Test_Static_Method_Encrypt()
> > {
> > string sString = "Vive NUnit!!";
> > string sKey =
> > "<RSAKeyValue><Modulus>uNGVpq15ABx80Cwih5WPra0aiPZJyDxfe/FrKwk855ya1bcTiLAU0pdi6d2W6dlS8FNNzGMFjda3VKrjwV5H64WbxSG4HoSg96FiCvchbOwCt9oGH0wwztM7sQTiIX7V5pGG2NQ7hoAJxR4pjwGzv6jiMb2SntjOvXobW0S89CM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
> > string sExpectedResult =
> > "p0hL1xz8xWSG9BEoxshFPXjKzoN/UQuS6OQYhdPuwN3KVp+052QegEtNdehiPL7WN5iWG8O0eTgX0hyMIKDFVrGxvOh3xBT8ILTyBZmDrWkxNKIaKzNL/TTCzjPCnhNKX9rfEg15LQf3TxZlgJnyceu7iFr3N+TnEoX/ITNiSIM=";
> > string sResult = string.Empty;
> >
> > sResult = CGeneratorWebService.Encrypt( sString, sKey );
> >
> > if( !sResult.Equals( sExpectedResult ) )
> > Console.WriteLine( "Test_Static_Method_Encrypt(): " + sResult );
> >
> > Assertion.AssertEquals( "Encrypt() Test.", sExpectedResult, sResult );
> > }
> >
> >
> > The thing is that the result is different each time...
> > ?sResult =
> > "eyHbhR/Z3p53C1LSGoslI2cBSFvjcn+1/V5un9ZvD+eBrTabFzXNik48AYGvQFt4g2jF2wkAXIjsJ3AgweCnWYzgb+LGmF80j57ZADimc965DIcQWO6veGgnfsCkyyOdmncHOo/qyy2kCHOTWKlKs09JYW469IBcw3gWW79ywWA="
> > ?sResult =
> > "Nfri+ZchZs8lcrzZ+jrAFXtj6lSHMCHDlVszD8Qp71/FqiRUp2dxXyEEKNFoniG/qUvPuuVDhmjSczYjCjjYFSYHnjXJ0rhgZahV1Nz4nEmDwGp46A5ENFzMfSN9yJ3rG5+llKu/eQzweKlIq6DBnurAijGzmAEa9S8yxJxFIh0="
> > ?sResult =
> > "mffgel7t+e9Wgm1BVFbsazP57vpYYB3RcoC8s8+lHnBt7yiO+XJ9p+O8POW9ysJfguwSsnz0q8YN1uNQQHzdvifQfrrXz4DrPAbbyaJvCnO3BoTrbAXSfj878KaJJXGgHjSwVqlXez7H6Wr8AMU4pOLVI/Cx6e2OI6QWae5993g="
> >
> > Besides that, I'd need some more info on how things get done elsewhere.
> > The web service that needs the domain, user and password expects that:
> > - The users would ask for the public key, which is refreshed each time the
> > application starts,
> > - The application would generate the private key based on the public key,
> > - The users would encrypt the password and send it,
> > - The application would decrypt the password and control it.
> >
> > This was to avoid keeping public and private keys in text files.
> > Is that a normal way of doing things?
> > Is there a better solution?
> >
> > We have this web service that needs to control the password, and a new one
> > that will encrypt the password provided by the user, save this encrypted
> > password in SQL and, each time the user logs in, compare both encrypted
> > passwords.
> >
> > Do I need 1 or 2 keys for that? And how do I keep them?
> >
> > Thanks for helping me sort this out...
> > Claude Vernier
> >
>
>
>
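The padding Valery describes, modelled in Python as an added example (not code from this thread or from .NET): RSAES-PKCS1-v1_5 encoding with the random nonzero padding string and the 0x00 separator that PKCS #1 places between it and the message, plus the check a unit test can make once ciphertexts are randomized. The key is a constructed toy key built from two known Mersenne primes; every name below is assumed, nothing on this page defines it.

```python
import os

# Constructed demo key (not the key from the post): two known Mersenne primes,
# M127 and M521, so the block runs offline without a prime generator.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes (81 for this key)


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """RSAES-PKCS1-v1_5: 0x00 || 0x02 || PS || 0x00 || M, PS random and nonzero."""
    ps_len = k - len(message) - 3
    if ps_len < 8:  # PKCS #1 requires at least eight padding bytes
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < ps_len:  # fresh randomness every call: this is why
        ps += bytes(b for b in os.urandom(k) if b != 0)  # ciphertexts differ
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + message


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Undo the encoding; reject anything that does not match the layout."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)  # separator must follow at least 8 PS bytes
    if sep < 10:
        raise ValueError("bad padding")
    return em[sep + 1:]


def encrypt(message: bytes) -> bytes:
    em = pkcs1_v15_pad(message, K)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def decrypt(ciphertext: bytes) -> bytes:
    em = pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(em)


def round_trip_differs(message: bytes) -> bool:
    """The check a unit test should make instead of comparing ciphertexts:
    two encryptions differ, but both decrypt back to the same plaintext."""
    c1, c2 = encrypt(message), encrypt(message)
    return c1 != c2 and decrypt(c1) == decrypt(c2) == message
```

Encoding.Unicode in the C# code is UTF-16LE, so the equivalent input here is `"Vive NUnit!!".encode("utf-16-le")`.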