Would you, please, take your eyes OFF my sensitive data?!

By aljodav

A C++ namespace, non-ATL but MFC dependent, to encrypt/decrypt data in the form of a byte array using a symmetric algorithm. Or: how to keep one eye on your sensitive data, and the other (better yet, both) on a beautiful lady...
C++ (VC7.1), Windows (WinXP), MFC, Dev
Posted:10 Nov 2008
Preamble

I was rude!...
I know I was, when I said that...
but I had to say it!
That young and pretty beautiful lady was looking straight at my sensitive data!...
and we were in public...
at an internet cafe,
and my sensitive data was fully shown on the display screen!...
completely unprotected!
Fortunately, my data is too large to be understood at first sight.

Whenever that beautiful lady's image comes to my mind, I think of only one thing...

Introduction

My obvious conclusion from this episode was that I should design a C++ class (MFC dependent) to protect any data from prying (although very attractive) eyes... and this is exactly what I did.

I've implemented a simple class, named Symmetric, inside a namespace named Encryption, to symmetrically encrypt/decrypt an array of bytes held by an object of type CArray<BYTE>, given a key in the form of another array of bytes, also held by an object of this same type.

This Symmetric class holds only 2 public methods:

void Encrypt(CArray<BYTE>& data
    ,  const CArray<BYTE>& key
    ,  const BOOL          throwException = _dontThrowException)
{
    //
    // code to throw or not exception...
    //
    Do(_encryption, data, key);
}

void Decrypt(CArray<BYTE>& data
    ,  const CArray<BYTE>& key
    ,  const BOOL          throwException = _dontThrowException)
{
    //
    // code to throw or not exception...
    //
    Do(_decryption, data, key);
}

The encryption/decryption is made in place, i.e., directly on the data object instance (no copy of it is made).

Any memory used for holding the key (or part of it) is, after usage, securely zeroed.

The key used to encrypt the data is not stored as part of the encrypted data.

Also, the encrypted data is always 8 bytes longer than the original data. The extra bytes produce an avalanche effect in the encrypted data, so that two quite similar inputs do not have almost the same encrypted result.

The Symmetric class deals with a zero-length key and/or a zero-length data, without needing to throw exceptions.

An object instantiated from the Symmetric class can encrypt/decrypt any data held in a CArray<BYTE> object, no matter its size.
Is your sensitive data a small one?... no problem, the Symmetric class handles this.
It can encrypt even zero-length data, and decrypt it back correctly, that is, back to zero-length data.

Also, a zero-length key can encrypt (the word is inappropriate in this case, because there's no scrambling) and decrypt back correctly, any data.

The Symmetric class can also encrypt zero-length data with a zero-length key (now both arrays are zero-length), and decrypt it back correctly to zero-length data.
It's apparent that this class doesn't need to throw exceptions of any type.

An example using this class for encryption is:

   CArray<BYTE> key;
   DefineYourKey(key);
   CArray<BYTE> data;
   ReadYourDataFromAFileForInstance(data);

   Encryption::Symmetric().Encrypt(data, key);
   //now, data is encrypted.

   PutYourEncryptedDataBack(data);

And, for decryption:

  CArray<BYTE> key;
  UseTheSameKeyAsBefore(key);
  CArray<BYTE> data;
  ReadBackYourEncryptedData(data);

  Encryption::Symmetric().Decrypt(data, key);
  //now, data is as the original one.

Sometimes a client application wants to be warned about inappropriate arguments; exceptions are useful in this case, while maintaining programming linearity:

   try
   {
       using namespace Encryption;
       Symmetric().Encrypt(abDATA, abKEY, _andThrowExceptionIfAnyArgumentIsZeroLength);
       //
       // etc...
       //
   }
   catch (INT_PTR check)
   {
       CString checkString = Encryption::GetCheckString(check);
       //
       // etc...
       //
   }


To better appreciate some visual effects when running the executable zipped above, run it from the command line in the Start menu. Also, if you have another window open, it is better to let it cover no more than 50% of the screen real estate, and don't forget that the file THE Lady.encrypted.dat must be in the same folder.

Background

Just basic MFC programming knowledge.

Building the Project

The MFC dependent Encryption namespace (containing the Symmetric class) is declared and implemented in the Encryption header file.

This article's project is an MFC one that makes no use of pre-compiled headers, and has got three files besides the one already mentioned: a .cpp for the application, mainframe (and its CRichEditCtrl derived child window), and dialog box classes, and a .h and a .rc for resources.

The character set is not set.

The Code

In the client application, a CRichEditCtrl derived child window is used as the repository for the examples' results. A modal dialog box is used solely to collect user input and, since as we know it doesn't block the main window, to send messages to it; the main window reacts accordingly, performing the tests and showing them on screen.

The main method in the Symmetric class is Do(const BOOL encrypt, ...), which performs the encryption or decryption, depending on the BOOL parameter, while keeping the correct execution order (when decrypting, the order must be reversed in relation to encrypting).

The Symmetric::TheAvalanche(...) method increases the data length by 8 bytes (which depend exclusively on the data and on the key) to produce an avalanche effect, so that similar inputs have reasonably different encrypted outputs.

The user key is not used directly to encrypt (or decrypt) the data. Instead, many keys are built from it, with lengths varying from 1 up to the original key length; the same process is then repeated using the original key with its nibbles reversed.

For instance, a key like ABC (hex 41 42 43) will cause the data to be encrypted (or decrypted) with the following keys in sequence (when decrypting, the sequence order is reversed):

41 b1 a5 02 
41 42 64 4e 7e 04 
41 42 43 6b 29 6b 85 81 07 
14 e4 a5 02 
14 24 02 1b 18 04 
14 24 34 0d 09 65 a7 e7 07 


Note that the bytes 14, 24 and 34 above are the originals 41, 42 and 43 with the nibbles reversed. The other bytes are calculated based only on the key itself.


Points of Interest

Maybe the weakest part of an encryption system is not the encryption algorithm but the key a user chooses to encrypt his/her data. For instance, a key like:

Qwerty

or

qazxsw

or

bored web developer

will never, ever protect any data from any hacker, no matter how smart and strong the encryption algorithm is.
Those words are in every hacker's dictionary for attacking a system's security.
The first two keys are sequences found directly on the keyboard, and the last one is composed of three words found directly in a language dictionary; worse, they are English words, and English is an international language.
Therefore, we should throw them away (please, just the keys, not the person, because that's against human civil rights).

Choosing a key is easy; choosing a strong key is a bit harder; remembering such a key is the hardest thing.
Maybe one would choose strong keys and, later, choose to pack them all in a file encrypted with a key that is easy to remember...
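As an added illustration (not part of the article's code), here is a small checker for the two weak-key patterns named above: keyboard walks such as Qwerty and qazxsw, and dictionary phrases such as "bored web developer". It uses std::string instead of CArray<BYTE> so it builds without MFC, and its word list is a constructed stand-in for a real dictionary.

```cpp
#include <cctype>
#include <cstdlib>
#include <cstring>
#include <sstream>
#include <string>

// US QWERTY rows; (row, column) positions are derived from these strings.
static const char* const kRows[] = {"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"};
// Tiny stand-in for a real word list (constructed for this example only).
static const char* const kDictionary[] = {"bored", "web", "developer", "password", "secret"};

static std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
// Locates character c on the four rows; false for characters not on them.
static bool Locate(char c, int& row, int& col) {
    for (row = 0; row < 4; ++row) {
        const char* p = c ? std::strchr(kRows[row], c) : nullptr;
        if (p) { col = static_cast<int>(p - kRows[row]); return true; }
    }
    return false;
}
// Keyboard walk (Qwerty, qazxsw): each character sits on a key next to the previous one.
bool IsKeyboardWalk(const std::string& key) {
    const std::string k = Lower(key);
    int pr, pc;
    if (k.size() < 3 || !Locate(k[0], pr, pc)) return false;
    for (size_t i = 1; i < k.size(); ++i) {
        int r, c;
        if (!Locate(k[i], r, c)) return false;
        if (std::abs(r - pr) > 1 || std::abs(c - pc) > 1 || (r == pr && c == pc)) return false;
        pr = r; pc = c;
    }
    return true;
}
// Dictionary phrase ("bored web developer"): every word is in the list, so length buys little.
bool IsDictionaryPhrase(const std::string& key) {
    std::istringstream in(Lower(key));
    std::string word;
    size_t words = 0;
    while (in >> word) {
        bool found = false;
        for (const char* d : kDictionary) found = found || word == d;
        if (!found) return false;
        ++words;
    }
    return words > 0;
}
// Combined verdict: reject a key that matches either pattern.
bool IsWeakKey(const std::string& key) { return IsKeyboardWalk(key) || IsDictionaryPhrase(key); }
```

The neighbour test allows a one-key offset between rows, which covers the staggered layout of a physical keyboard; a real deployment would swap the five-word list for a proper dictionary.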

Point of very much interest

I'm very much interested in meeting that young and pretty beautiful lady again.

If you happen to see her somewhere, just let me know! This is the point.
Right now, after implementing the Symmetric class, I feel confident to show her my sensitive data...
...and I'd very much like her to let me see her sensitive data too!

History

11/November/2008: just decided to start looking for that beautiful lady...

Postamble

By the way, let me tell you that I've just met,

AGAIN,

that pretty beautiful lady.

Yeaaah!

Acknowledgment

I must acknowledge the great oil painting artist Maria Teresa Meneses, from one of whose works I've borrowed some pixel colors for drawing a lady in the CRichEditCtrl derived child window.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

aljodav


Member

Location: Brazil

Last Updated: 10 Nov 2008
Copyright 2008 by aljodav