tags:

views:

323

answers:

2
+5  Q: 

What's the best method of Encryption whilst using ProtoBuf?

I've migrated my database on my mobile device away from VistaDB because it's just too slow. I'm now using ProtoBuf instead to create a series of flat files on a Storage Card, the only issue is there's obviously no encryption.

Which encryption method works best with ProtoBuf? I'm basically serializing a collection of data entities to a file, then deserializing from the File back into my collections. I figure the best place to put the encryption would be in the FileStream on the read/write.

The data will contain NI numbers, names and addresses, so this has to be secure. Any idea anyone?

+2  A: 

I think you're on the right track. You should just be able to do something like:

ICryptoTransform encryptor = ...
Stream encStream = new CryptoStream(outputFileStream, encryptor, CryptoStreamMode.Write);
Serializer.Serialize(encStream, obj);
encStream.FlushFinalBlock()
encStream.Close();

ICryptoTransform decryptor = ...
Stream decStream = new CryptoStream(inputputFileStream, decryptor, CryptoStreamMode.Read);
Serializer.Deserialize<Type>(decStream);
decStream.FlushFinalBlock()
decStream.Close();

For the basics of .NET's encryption framework (including how to get the ICryptoTransform objects, see other questions like What’s the best way to encrypt short strings in .NET?.

Matthew Flaschen  2009-05-19 09:46:33
Obviously, apologies for the dups. It was due to a SO bug.
Matthew Flaschen  2009-05-19 10:15:32
+1  A: 

Another option is to actually encrypt the entire folder where the data is stored by installing a system-wide file system filter. The advantages here are that:

  1. Your app code is agnostic to the encryption and the encryption will be done in native code.
  2. Since the encryption is done in native code, it's going to be faster
  3. Since the encryption is not inside managed code, it's a lot harder to reverse engineer and figure out your keys, salts, etc.

Of course the disadvantage (for those who don't write C anyway) is that you can't write it in C#.

ctacke  2009-05-19 18:15:16
i don't know how much faster native code will really be. It probably depends how much data is in question. I also don't think managed code will make the keys that much more obvious. Either way, the keys should be in memory for a short period of time (potentially visible to a debugger) and never on disk.
Matthew Flaschen  2009-05-20 03:28:54
What is the best way of using the key? I need to know the key so that the data can be encrypted/decrypted on the server and client side. That means both sides need to know the key, also I need the ability to put the card that the data will be stored on into a new PDA on the fly and still be able to view the data. Is it bad practise to store the key in source?
GenericTypeTea  2009-05-20 06:45:14
Yes, storing the key (unencrypted) anywhere on the hard drive (including in source code) means it's basically compromised immediately. This is why DRM schemes always end up broken.
Matthew Flaschen  2009-05-20 07:56:32
DIsassembling managed code with Reflector makes it really easy for a junior "hacker" to find the key. If it's buried in native bytecode, it takes a lot more skill to disassemble and find it.
ctacke  2009-05-20 12:00:29

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords