views: 413

answers: 3

Hey Guys,

I want to encrypt data on the device and send it by HTTP to our web server, then decrypt the data in our .NET web app. Is this possible? If yes, which encryption method should I use? And are there any articles out there?

Thanks

+2  A: 

SSL should be the standard solution for HTTP encryption. NSURLConnection supports it out of the box (just load an https:// request), so you would just have to set up your server accordingly.

Ole Begemann
SSL is a good solution, but we have a Rackspace cloud server and their prices are high just to enable SSL, at $20/month. The app is only sending user name and email address. Is there any other encryption method than standard SSL?
harekam_taj
A: 

If SSL is not an option, use AES encryption in CBC mode. 128-bit encryption is all you need, and you can use anything (0 is acceptable) as the IV.

zaph
Without knowing the security requirements of the data, how can you determine that a known, static IV is acceptable or the appropriate key length? With a static IV, there is no salt, which opens you up for several types of indirect attack. Generating and transmitting a random IV is trivial, and should not be removed without understanding the impact.
Rob Napier
+1  A: 

As you don't want to use SSL (and I agree there are many good reasons not to do so), you can use the built-in CommonCrypto framework to encrypt just the data you need to. Here is a simple NSData category to encrypt arbitrary data:

#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>

@interface NSData (AES256)
- (NSData *)encryptedWithKey:(NSString *)key;
@end

@implementation NSData (AES256)

- (NSData *)encryptedWithKey:(NSString *)key
{
    // Despite the category name, this uses a 128-bit key: 'key' should be
    // 16 bytes, and is null-padded if shorter
    char keyBuffer[kCCKeySizeAES128 + 1]; // room for terminator (unused)
    bzero(keyBuffer, sizeof(keyBuffer)); // fill with zeroes (for padding)

    [key getCString:keyBuffer maxLength:sizeof(keyBuffer) encoding:NSUTF8StringEncoding];

    size_t numBytesEncrypted = 0;

    // output buffer: input length rounded up, leaving room for the PKCS7 padding
    size_t returnLength = ([self length] + kCCKeySizeAES256) & ~(kCCKeySizeAES256 - 1);

    char *returnBuffer = malloc(returnLength * sizeof(uint8_t));
    if (returnBuffer == NULL)
        return nil;

    // ECB mode takes no IV, so NULL is passed for it
    CCCryptorStatus result = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding | kCCOptionECBMode,
             keyBuffer, kCCKeySizeAES128, NULL,
             [self bytes], [self length],
             returnBuffer, returnLength,
             &numBytesEncrypted);

    NSData *encrypted = nil;
    if (result == kCCSuccess)
        encrypted = [NSData dataWithBytes:returnBuffer length:numBytesEncrypted];

    free(returnBuffer); // dataWithBytes: copies, so the malloc'd buffer must be released
    return encrypted;
}

@end

Note that this also turns on ECB mode, which you may not want. Also remember that the data that comes back from this call is not suitable for use in URLs; you will have to base64-encode it.

Roger Nolan
Use CBC mode, not ECB. Do not use a user-supplied password; at a minimum, run the password through an HMAC. Watch out for padding of the data to a multiple of the AES block size.
zaph
All true. This code could be improved on a lot. For simple API key encryption it is fine.
Roger Nolan
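
The points raised in the comments above (CBC rather than ECB, and a random IV sent with each message) can be combined as in the following added example, which is not part of the original thread or any poster's code. The function name `EncryptCBCWithRandomIV`, the all-zero demonstration key and the sample message are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <Security/Security.h>

// Hypothetical helper (not from the thread): AES-128-CBC with a fresh random
// IV per message. Returns IV || ciphertext, or nil on failure.
// 'key' must be exactly kCCKeySizeAES128 (16) random bytes, not a password.
static NSData *EncryptCBCWithRandomIV(NSData *plaintext, NSData *key)
{
    if (key.length != kCCKeySizeAES128)
        return nil;

    // Fresh IV from the system CSPRNG for every message
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != errSecSuccess)
        return nil;

    // PKCS7 adds 1..16 bytes, so the ciphertext is at most length + one block
    size_t capacity = plaintext.length + kCCBlockSizeAES128;
    NSMutableData *out = [NSMutableData dataWithLength:sizeof(iv) + capacity];
    memcpy(out.mutableBytes, iv, sizeof(iv));

    size_t written = 0;
    CCCryptorStatus status = CCCrypt(kCCEncrypt, kCCAlgorithmAES128,
                                     kCCOptionPKCS7Padding, // CBC is the default mode
                                     key.bytes, key.length, iv,
                                     plaintext.bytes, plaintext.length,
                                     (uint8_t *)out.mutableBytes + sizeof(iv), capacity,
                                     &written);
    if (status != kCCSuccess)
        return nil;

    out.length = sizeof(iv) + written; // trim unused capacity
    return out;
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample input; the all-zero key is for demonstration only
        NSData *key = [NSMutableData dataWithLength:kCCKeySizeAES128];
        NSData *msg = [@"user@example.com" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *a = EncryptCBCWithRandomIV(msg, key);
        NSData *b = EncryptCBCWithRandomIV(msg, key);
        // Same plaintext and key, different IVs: the two outputs differ
        NSLog(@"%@\n%@\nequal: %d", a, b, [a isEqualToData:b]);
    }
    return 0;
}
```

The receiver takes the first 16 bytes as the IV and decrypts the remainder with the same key. CBC on its own provides no integrity protection, so an HMAC over IV || ciphertext, under a separate key, is the usual companion.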