Compatible encryption between C# and PHP, ColdFusion, Ruby, Python

Question

We're developing a service that will accept a POST request, and some of the POST data will need to be encypted before the POST as it will be stored in hidden fields on a form.

The application is written in C# but we want third party clients to be able to easily integrate with it. We find that most clients use PHP, Classic ASP or VB.Net.

The third parties should only be doing the encryption and we'd do the decryption there is no two-way communication.

What are the most compatible combinations of encryption algorithm, padding mode and other options?

Answer 1

Sounds like RSA is the algorithm for you.

Answer 2

I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.

Answer 3

I just recently completed an application that connected an encrypted GET variable from Coldfusion to PHP using SHA-256.

Coldfusion code:

<cfset var strHash = Hash(arguments.hashstring,"SHA-256") />

PHP code:

hash('sha256', $strKey);

I assume that C# would be able to handle something that those would, as it's a quite mature language. Here's an example from MSDN website for SHA256 class:

byte[] data = new byte[DATA_SIZE];
byte[] result;
SHA256 shaM = new SHA256Managed();
result = shaM.ComputeHash(data);

Here is the MSDN link: SHA256 Class

Answer 4

Assuming that you have a safe way of sharing a key (whether RSA encryption of it, retrieval over an SSH or HTTPS link, or callling the other developer on a secured phone line), any of the major modern encryptions (like AES, as mentioned by @Ed Haber) would be suitable. I would second his suggestion of AES. There should be libraries for PHP, VB, Ruby, etc.

However, remember that with "no two-way communication" you will have to find an out-of-channel method for securely getting the symmetric key to the encrypting party.

Answer 5

If you mean that it should be impossible for third-parties to decrypt data, then you will want to use an asymmetric encryption algorithm such as RSA. This will the third-party to encrypt data with your public key, and then only you can decrypt the data with your private key, which you do not disclose. There should be implementations of RSA available for all the languages you mentioned.

If you don't care if the third-party can decrypt the data, then AES is the way to go. You will have one key which you share with the third-parties. This key is used both for encryption and decryption.

Answer 6

You could very easily implement your own XOR key-based bit encryption. With a little thought and ingenuity, you can come up with something that's more than suitable for you application.

Here's a PHP example:

function XOREncryption($InputString, $KeyPhrase){

    $KeyPhraseLength = strlen($KeyPhrase);

    for ($i = 0; $i < strlen($InputString); $i++){

        $rPos = $i % $KeyPhraseLength;

        $r = ord($InputString[$i]) ^ ord($KeyPhrase[$rPos]);

        $InputString[$i] = chr($r);
    }

    return $InputString;
}

Answer 7

ColdFusion has the encrypt and decrypt functions capable of handling a range of algorithms and encodings, including the AES recommended above.

Information at: http://www.cfquickdocs.com/cf8/?getDoc=encrypt#Encrypt

Quick example code:

Key = generateSecretKey( 'AES' , 128 )

EncryptedText = encrypt( Text , Key , 'AES' , 'Hex' )

Text = decrypt( EncryptedText , Key, 'AES' , 'Hex' )

Similar functionality is available with this library for PHP:
http://www.chilkatsoft.com/p/php_aes.asp

...and Java, Python, Ruby, and others...
http://www.example-code.com/java/crypt2_aes_matchPhp.asp
http://www.example-code.com/python/aes_stringEncryption.asp

Answer 8

Ed Haber said

I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.

I think this is a good solution. What I would do is have your application publish an API for getting a public RSA key. When I third party wants to send you something it gets the public key. It then generates a session key to do the actual encryption using a block cipher, (ie AES), and sends the key to you by encrypting with your public key. You decrypt the session key with your private key. The third party then encrypts the data it wants to send you with AES (using a padding scheme that you also publish) and sends it to you. You decrypt it using the session key.

There are some problems with the method above. Since you are not sending any information (other than publishing your public key, you cannot control how the session key is generated. This means that third parties can use very insecure ways to of generating the session key and you will never know. A second problem is everyone who wants to send you data has to pad data for AES in the same way you do. So you will have to make sure every one co-ordinates. The second issue isn't to big, but the first could be a problem especially if you don't trust the third parties all that much to generate really good session keys from a good cryptographically secure random number generator

Answer 9

Why not have your server exposed over HTTPS? That way, any client which can handle HTTPS can consume the service securely.