Hi,
I am new to the web service security aspects and I am trying my hand at it.
There is a web service which is supposed to return encrypted data, and the client needs to decrypt it. The following is the class used by the web service to encrypt the data.
The data on the web service side is basically a DataSet, which is converted to XML and passed as a string to the class to get the encrypted string, which is then passed to the client.
Imports Microsoft.VisualBasic
Imports System
Imports System.Text
Imports System.IO
Imports System.Security.Cryptography

Public Class EnCryptHelper
    Private m_oProvider As TripleDESCryptoServiceProvider = Nothing

    Public Sub New()
        m_oProvider = New TripleDESCryptoServiceProvider
        If IsNothing(m_oProvider) = True Then
            Exit Sub
        End If
        '16-byte key selects two-key TripleDES; the IV is the same for every message
        m_oProvider.Key = New Byte() {111, 222, 86, 85, 171, 41, 165, 135, 218, 183, 42, 192, 113, 111, 138, 14}
        m_oProvider.IV = New Byte() {162, 213, 14, 41, 232, 181, 71, 212}
    End Sub

    ''' <summary>
    ''' Encrypts a string with TripleDES and returns the result as Base64.
    ''' </summary>
    ''' <param name="sStringToEncrypt">Plain text to encrypt</param>
    ''' <returns>Base64-encoded ciphertext, or an empty string on failure</returns>
    ''' <remarks>Any exception is swallowed and the empty string is returned.</remarks>
    Public Function EncryptString(ByVal sStringToEncrypt As String) As String
        Dim oWriter As StreamWriter = Nothing
        Dim oEncryptedStream As CryptoStream = Nothing
        Dim oDataStream As MemoryStream = Nothing
        Dim oEncryptedData() As Byte = Nothing
        Dim oEncryptor As ICryptoTransform = Nothing
        Dim sString As String = String.Empty
        Try
            If sStringToEncrypt = String.Empty Then
                Exit Function
            Else
                oEncryptor = m_oProvider.CreateEncryptor()
                If IsNothing(oEncryptor) = True Then
                    Exit Function
                End If
                Try
                    oDataStream = New MemoryStream
                    If IsNothing(oDataStream) = True Then
                        Exit Function
                    End If
                    Try
                        'Create the encrypted stream
                        oEncryptedStream = New CryptoStream(oDataStream, oEncryptor, CryptoStreamMode.Write)
                        If IsNothing(oEncryptedStream) = True Then
                            Exit Function
                        End If
                        Try
                            'Write the string to memory via the encryption algorithm
                            '(StreamWriter on a stream encodes the text as UTF-8)
                            oWriter = New StreamWriter(oEncryptedStream)
                            If IsNothing(oWriter) = True Then
                                Exit Function
                            End If
                            'Write the string to the memory stream
                            oWriter.Write(sStringToEncrypt)
                            'End the writing
                            oWriter.Flush()
                            oEncryptedStream.FlushFinalBlock()
                            'Position back at start
                            oDataStream.Position = 0
                            'Create area for data: ReDim takes the upper bound, so
                            'Length - 1 gives exactly Length bytes (Length would add a stray zero byte)
                            ReDim oEncryptedData(CInt(oDataStream.Length) - 1)
                            'Read data from memory
                            oDataStream.Read(oEncryptedData, 0, CInt(oDataStream.Length))
                            'Convert to String
                            sString = Convert.ToBase64String(oEncryptedData, 0, oEncryptedData.Length)
                        Finally
                            oWriter.Close()
                        End Try
                    Finally
                        oEncryptedStream.Close()
                    End Try
                Finally
                    oDataStream.Close()
                End Try
            End If
        Catch ex As Exception
            'Swallowed: the caller only sees the empty string
        Finally
            EncryptString = sString
        End Try
    End Function
End Class

The web application client gets this encrypted data and decrypts it using the following class.
The client receives the encrypted string, which is decrypted to get the XML string, and the DataSet is then rebuilt from it.

Imports Microsoft.VisualBasic
Imports System
Imports System.Text
Imports System.IO
Imports System.Security.Cryptography

Public Class DeCryptHelper
    Private m_oProvider As TripleDESCryptoServiceProvider = Nothing

    Public Sub New()
        m_oProvider = New TripleDESCryptoServiceProvider
        If IsNothing(m_oProvider) = True Then
            Exit Sub
        End If
        'Must match the key and IV used by EnCryptHelper
        m_oProvider.Key = New Byte() {111, 222, 86, 85, 171, 41, 165, 135, 218, 183, 42, 192, 113, 111, 138, 14}
        m_oProvider.IV = New Byte() {162, 213, 14, 41, 232, 181, 71, 212}
    End Sub

    ''' <summary>
    ''' Decrypts a Base64-encoded TripleDES ciphertext back to the original string.
    ''' </summary>
    ''' <param name="sStringToDecrypt">Base64 ciphertext produced by EnCryptHelper.EncryptString</param>
    ''' <returns>The decrypted text, or an empty string on failure</returns>
    ''' <remarks>Any exception (bad Base64, wrong key, bad padding) is swallowed and the empty string is returned.</remarks>
    Public Function DecryptString(ByVal sStringToDecrypt As String) As String
        Dim retStr As String = String.Empty
        Dim oEncryptedData() As Byte = Nothing
        Dim oDataStream As MemoryStream = Nothing
        Dim oEncryptedStream As CryptoStream = Nothing
        Dim strLen As Integer = -1
        Try
            If sStringToDecrypt = String.Empty Then
                Exit Function
            Else
                'Get the byte data
                oEncryptedData = Convert.FromBase64String(sStringToDecrypt)
                Try
                    oDataStream = New MemoryStream
                    Try
                        'Create decryptor and stream
                        Dim decryptor As ICryptoTransform
                        decryptor = m_oProvider.CreateDecryptor()
                        oEncryptedStream = New CryptoStream(oDataStream, decryptor, CryptoStreamMode.Write)
                        'Write the whole ciphertext through the decryptor into the memory stream
                        '(the original dropped the last byte, which only worked because the encryptor
                        'appended a stray zero byte)
                        oEncryptedStream.Write(oEncryptedData, 0, oEncryptedData.Length)
                        oEncryptedStream.FlushFinalBlock()
                        'Position back at start
                        oDataStream.Position = 0
                        'Determine length of decrypted data
                        strLen = CInt(oDataStream.Length)
                        'Create area for data
                        ReDim oEncryptedData(strLen - 1)
                        'Read decrypted data to byte()
                        oDataStream.Read(oEncryptedData, 0, strLen)
                        'Construct string from byte(): the encryptor wrote UTF-8, so decode as UTF-8
                        '(Chr() on each byte would corrupt any non-ASCII character)
                        retStr = Encoding.UTF8.GetString(oEncryptedData, 0, strLen)
                        'Return result
                        Return retStr
                    Finally
                        oEncryptedStream.Close()
                    End Try
                Finally
                    oDataStream.Close()
                End Try
            End If
        Catch ex As Exception
            'Swallowed: the caller only sees the empty string
        Finally
            DecryptString = retStr
        End Try
    End Function
End Class
I have two questions here:
1. Are these two classes sufficient for encryption and decryption, or does anyone have a better suggestion for this purpose?
2. As you can see, the web service side and client side classes both use the same key (byte string), which is hard-coded in each class. But say I sell my web service application to two companies. Both companies will be using the same key. Is there a better way to share a key between the web service and its client? Is it possible to keep it in web.config to make it dynamic?
Any tips will really help.
Thanks
Vijay
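As an added example for question 2 (this is not the poster's code and not part of the original post), the class below keeps the same "encrypt a string to Base64 / decrypt it back" shape but reads its keys from appSettings in web.config instead of hard-coding them, so each company you sell to gets its own keys in its own config file with no code change. It also addresses question 1 by replacing the fixed IV with a random IV per message and adding an HMAC-SHA256 tag so a tampered or truncated message is rejected instead of being silently decrypted to garbage. The class name `ConfigCryptoHelper` and the setting names `DataKey` and `DataMacKey` are assumptions; everything else is the standard .NET Framework API (System.Configuration.dll must be referenced).

```vbnet
Imports System
Imports System.Configuration   ' reference System.Configuration.dll
Imports System.Security.Cryptography
Imports System.Text

' Added example, not the poster's code. AES-256-CBC with a fresh random IV per
' message plus an HMAC-SHA256 tag, with both keys read from appSettings in
' web.config instead of being hard-coded. Assumed (hypothetical) entries:
'   <add key="DataKey"    value="...Base64 of 32 random bytes..."/>
'   <add key="DataMacKey" value="...Base64 of 32 random bytes..."/>
Public Class ConfigCryptoHelper
    Private Const IvLength As Integer = 16    ' AES block size
    Private Const TagLength As Integer = 32   ' HMAC-SHA256 output size

    Private ReadOnly m_encKey As Byte()
    Private ReadOnly m_macKey As Byte()

    ' Default constructor: load keys from web.config / app.config.
    Public Sub New()
        Me.New(ReadKeyFromConfig("DataKey"), ReadKeyFromConfig("DataMacKey"))
    End Sub

    ' Explicit-key constructor so the class can be unit-tested without a config
    ' file, or wired to another key store (protected config section, vault, etc.).
    Public Sub New(ByVal encKey As Byte(), ByVal macKey As Byte())
        If encKey Is Nothing OrElse encKey.Length <> 32 Then Throw New ArgumentException("encKey must be 32 bytes")
        If macKey Is Nothing OrElse macKey.Length <> 32 Then Throw New ArgumentException("macKey must be 32 bytes")
        m_encKey = encKey
        m_macKey = macKey
    End Sub

    Private Shared Function ReadKeyFromConfig(ByVal name As String) As Byte()
        Dim b64 As String = ConfigurationManager.AppSettings(name)
        If String.IsNullOrEmpty(b64) Then Throw New ConfigurationErrorsException("Missing appSettings key: " & name)
        Return Convert.FromBase64String(b64)
    End Function

    ' Output (Base64): IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    Public Function EncryptString(ByVal plainText As String) As String
        Dim plainBytes As Byte() = Encoding.UTF8.GetBytes(plainText)
        Using aes As Aes = Aes.Create()
            aes.Mode = CipherMode.CBC
            aes.Padding = PaddingMode.PKCS7
            aes.Key = m_encKey
            aes.GenerateIV()                      ' new random IV for every message
            Dim iv As Byte() = aes.IV
            Dim cipherBytes As Byte()
            Using enc As ICryptoTransform = aes.CreateEncryptor()
                cipherBytes = enc.TransformFinalBlock(plainBytes, 0, plainBytes.Length)
            End Using
            ' Assemble IV || ciphertext, then append the MAC computed over that prefix.
            Dim output(IvLength + cipherBytes.Length + TagLength - 1) As Byte
            Buffer.BlockCopy(iv, 0, output, 0, IvLength)
            Buffer.BlockCopy(cipherBytes, 0, output, IvLength, cipherBytes.Length)
            Using mac As New HMACSHA256(m_macKey)
                Dim tag As Byte() = mac.ComputeHash(output, 0, IvLength + cipherBytes.Length)
                Buffer.BlockCopy(tag, 0, output, IvLength + cipherBytes.Length, TagLength)
            End Using
            Return Convert.ToBase64String(output)
        End Using
    End Function

    ' Verifies the MAC first (constant-time compare) and only then decrypts, so a
    ' tampered or truncated message is rejected before the cipher ever sees it.
    Public Function DecryptString(ByVal base64 As String) As String
        Dim input As Byte() = Convert.FromBase64String(base64)
        If input.Length < IvLength + 16 + TagLength Then Throw New CryptographicException("Message too short")
        Dim bodyLength As Integer = input.Length - TagLength
        Dim expected As Byte()
        Using mac As New HMACSHA256(m_macKey)
            expected = mac.ComputeHash(input, 0, bodyLength)
        End Using
        Dim diff As Integer = 0
        For i As Integer = 0 To TagLength - 1
            diff = diff Or (expected(i) Xor input(bodyLength + i))
        Next
        If diff <> 0 Then Throw New CryptographicException("Message authentication failed")
        Using aes As Aes = Aes.Create()
            aes.Mode = CipherMode.CBC
            aes.Padding = PaddingMode.PKCS7
            aes.Key = m_encKey
            Dim iv(IvLength - 1) As Byte
            Buffer.BlockCopy(input, 0, iv, 0, IvLength)
            aes.IV = iv
            Using dec As ICryptoTransform = aes.CreateDecryptor()
                Dim plainBytes As Byte() = dec.TransformFinalBlock(input, IvLength, bodyLength - IvLength)
                Return Encoding.UTF8.GetString(plainBytes)
            End Using
        End Using
    End Function
End Class
```

To provision a customer, generate two 32-byte values once with `RandomNumberGenerator.Create().GetBytes(...)`, store them Base64-encoded with `Convert.ToBase64String` in the `DataKey` and `DataMacKey` entries of that customer's web.config on both the web service and its client, and keep the config file out of source control (the appSettings section can additionally be protected with the .NET configuration encryption in `aspnet_regiis -pe`). Because this is still symmetric cryptography, the web service and its client must be handed the same keys through some separate channel; what the config approach buys you is that two different customers no longer share one key baked into the compiled classes, and a key can be rotated by editing the config rather than rebuilding.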