tags:

views:

1714

answers:

2
+3  Q: 

Silverlight: encrypting username and password for web service

Encryption is not my forté.

I'm writing an application in Silverlight 3 which communicates with a web service to authenticate users. The web service won't necessarily be hosted under SSL. I'm trying to find a way to reversibly encrypt the user name and password before passing them which doesn't rely on the key and salt being hard-coded into the Silverlight assembly. It doesn't support RSA (or any asymmetric algorithm), so I can't use a public key from the server.

Are there any patterns for doing this sort of thing?

+5  A: 

RSA would really be the best way to go here, but indeed there's no implementation in either the Silverlight 2 or 3 libraries. It's something that really should have been added in my opinion, though it's very unlikely to happen until Silverlight 4 now. Unfortunately, a custom RSA implementation is likely to be truly painful, so it's not quite feasible I'd expect.

Here is my proposed solution... It's certainly not as simple as simply sending the public key from the server, but it should do the job securely still.

  1. Use the Diffie-Hellman key exchange algorithm to agree on a key to be used for later encrypted. This was designed to work over an insecure channel, so there are no problems here. See here for a C# implementation.
  2. Use some sort symmetric encryption with the key established by the Diffie-Hellman exchange to send the username/password over the connection. The server can then decrypt using the same key, which while known to both the client and server, are nonetheless unknown to any third party. The strength of your symmetric encryption algorithm should not in fact matter in this case. (Someone correct me if I'm wrong.) A simple XOR cipher should do the job in fact. It seems you could also use the AES standard, which is included in the System.Security.Cryptography namespace of the Silverlight BCL.

Hope that helps. Let me know if you're not clear on any of the points.

Noldorin  2009-05-18 15:44:18
That looks ideal. I'll give it a go this evening.
Coder 42  2009-05-19 18:41:07
Ok, good luck! Just to add that if that implementation of Diffie-Hellman I linked to doesn't work well, you can try the implementation I wrote as part of my Windows SSH Server project: https://code.launchpad.net/windows-ssh-server
Noldorin  2009-05-19 19:06:41
+2  A: 

Here is a library with open source for RSA encryption in Silverlight http://www.riawebsoft.ru/Silverlight/Rsa/Test.aspx

 2009-08-19 09:31:29

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords