Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Encrypting & Decrypting a String in C# [duplicate]

Tags:

c#

encryption

What is the most modern (best) way of satisfying the following in C#?

string encryptedString = SomeStaticClass.Encrypt(sourceString);  string decryptedString = SomeStaticClass.Decrypt(encryptedString); 

BUT with a minimum of fuss involving salts, keys, mucking about with byte[], etc.

Been Googling and confused at what I'm finding (you can see the list of similar SO Qs to see this is a deceptive question to ask).

like image 557
Richard Avatar asked Apr 16 '12 03:04

Richard


People also ask

What is the purpose of encrypting data?

Encryption uses cybersecurity to defend against brute-force and cyber-attacks, including malware and ransomware. Data encryption works by securing transmitted digital data on the cloud and computer systems. There are two kinds of digital data, transmitted data or in-flight data and stored digital data or data at rest.

What is encryption and example?

Encryption is an important way for individuals and companies to protect sensitive information from hacking. For example, websites that transmit credit card and bank account numbers encrypt this information to prevent identity theft and fraud.

What is the process of encrypting?

Encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext). Decryption is the process of converting ciphertext back to plaintext. To encrypt more than a small amount of data, symmetric encryption is used.

What does it mean to encrypt your files?

File encryption helps protect your data by encrypting it. Only someone with the right encryption key (such as a password) can decrypt it. File encryption is not available in Windows 10 Home. Right-click (or press and hold) a file or folder and select Properties.


2 Answers

UPDATE 23/Dec/2015: Since this answer seems to be getting a lot of upvotes, I've updated it to fix silly bugs and to generally improve the code based upon comments and feedback. See the end of the post for a list of specific improvements.

As other people have said, Cryptography is not simple so it's best to avoid "rolling your own" encryption algorithm.

You can, however, "roll your own" wrapper class around something like the built-in RijndaelManaged cryptography class.

Rijndael is the algorithmic name of the current Advanced Encryption Standard, so you're certainly using an algorithm that could be considered "best practice".

The RijndaelManaged class does indeed normally require you to "muck about" with byte arrays, salts, keys, initialization vectors etc. but this is precisely the kind of detail that can be somewhat abstracted away within your "wrapper" class.

The following class is one I wrote a while ago to perform exactly the kind of thing you're after, a simple single method call to allow some string-based plaintext to be encrypted with a string-based password, with the resulting encrypted string also being represented as a string. Of course, there's an equivalent method to decrypt the encrypted string with the same password.

Unlike the first version of this code, which used the exact same salt and IV values every time, this newer version will generate random salt and IV values each time. Since salt and IV must be the same between the encryption and decryption of a given string, the salt and IV is prepended to the cipher text upon encryption and extracted from it again in order to perform the decryption. The result of this is that encrypting the exact same plaintext with the exact same password gives and entirely different ciphertext result each time.

The "strength" of using this comes from using the RijndaelManaged class to perform the encryption for you, along with using the Rfc2898DeriveBytes function of the System.Security.Cryptography namespace which will generate your encryption key using a standard and secure algorithm (specifically, PBKDF2) based upon the string-based password you supply. (Note this is an improvement of the first version's use of the older PBKDF1 algorithm).

Finally, it's important to note that this is still unauthenticated encryption. Encryption alone provides only privacy (i.e. message is unknown to 3rd parties), whilst authenticated encryption aims to provide both privacy and authenticity (i.e. recipient knows message was sent by the sender).

Without knowing your exact requirements, it's difficult to say whether the code here is sufficiently secure for your needs, however, it has been produced to deliver a good balance between relative simplicity of implementation vs "quality". For example, if your "receiver" of an encrypted string is receiving the string directly from a trusted "sender", then authentication may not even be necessary.

If you require something more complex, and which offers authenticated encryption, check out this post for an implementation.

Here's the code:

using System; using System.Text; using System.Security.Cryptography; using System.IO; using System.Linq;  namespace EncryptStringSample {     public static class StringCipher     {         // This constant is used to determine the keysize of the encryption algorithm in bits.         // We divide this by 8 within the code below to get the equivalent number of bytes.         private const int Keysize = 256;          // This constant determines the number of iterations for the password bytes generation function.         private const int DerivationIterations = 1000;          public static string Encrypt(string plainText, string passPhrase)         {             // Salt and IV is randomly generated each time, but is preprended to encrypted cipher text             // so that the same Salt and IV values can be used when decrypting.               var saltStringBytes = Generate256BitsOfRandomEntropy();             var ivStringBytes = Generate256BitsOfRandomEntropy();             var plainTextBytes = Encoding.UTF8.GetBytes(plainText);             using (var password = new Rfc2898DeriveBytes(passPhrase, saltStringBytes, DerivationIterations))             {                 var keyBytes = password.GetBytes(Keysize / 8);                 using (var symmetricKey = new RijndaelManaged())                 {                     symmetricKey.BlockSize = 256;                     symmetricKey.Mode = CipherMode.CBC;                     symmetricKey.Padding = PaddingMode.PKCS7;                     using (var encryptor = symmetricKey.CreateEncryptor(keyBytes, ivStringBytes))                     {                         using (var memoryStream = new MemoryStream())                         {                             using (var cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))                             {                                 cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);                                 cryptoStream.FlushFinalBlock();                                 // Create the final bytes as a concatenation of the random salt bytes, the random iv bytes and the cipher bytes.                                 var cipherTextBytes = saltStringBytes;                                 cipherTextBytes = cipherTextBytes.Concat(ivStringBytes).ToArray();                                 cipherTextBytes = cipherTextBytes.Concat(memoryStream.ToArray()).ToArray();                                 memoryStream.Close();                                 cryptoStream.Close();                                 return Convert.ToBase64String(cipherTextBytes);                             }                         }                     }                 }             }         }          public static string Decrypt(string cipherText, string passPhrase)         {             // Get the complete stream of bytes that represent:             // [32 bytes of Salt] + [32 bytes of IV] + [n bytes of CipherText]             var cipherTextBytesWithSaltAndIv = Convert.FromBase64String(cipherText);             // Get the saltbytes by extracting the first 32 bytes from the supplied cipherText bytes.             var saltStringBytes = cipherTextBytesWithSaltAndIv.Take(Keysize / 8).ToArray();             // Get the IV bytes by extracting the next 32 bytes from the supplied cipherText bytes.             var ivStringBytes = cipherTextBytesWithSaltAndIv.Skip(Keysize / 8).Take(Keysize / 8).ToArray();             // Get the actual cipher text bytes by removing the first 64 bytes from the cipherText string.             var cipherTextBytes = cipherTextBytesWithSaltAndIv.Skip((Keysize / 8) * 2).Take(cipherTextBytesWithSaltAndIv.Length - ((Keysize / 8) * 2)).ToArray();              using (var password = new Rfc2898DeriveBytes(passPhrase, saltStringBytes, DerivationIterations))             {                 var keyBytes = password.GetBytes(Keysize / 8);                 using (var symmetricKey = new RijndaelManaged())                 {                     symmetricKey.BlockSize = 256;                     symmetricKey.Mode = CipherMode.CBC;                     symmetricKey.Padding = PaddingMode.PKCS7;                     using (var decryptor = symmetricKey.CreateDecryptor(keyBytes, ivStringBytes))                     {                         using (var memoryStream = new MemoryStream(cipherTextBytes))                         {                             using (var cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))                             {                                 var plainTextBytes = new byte[cipherTextBytes.Length];                                 var decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);                                 memoryStream.Close();                                 cryptoStream.Close();                                 return Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);                             }                         }                     }                 }             }         }          private static byte[] Generate256BitsOfRandomEntropy()         {             var randomBytes = new byte[32]; // 32 Bytes will give us 256 bits.             using (var rngCsp = new RNGCryptoServiceProvider())             {                 // Fill the array with cryptographically secure random bytes.                 rngCsp.GetBytes(randomBytes);             }             return randomBytes;         }     } } 

The above class can be used quite simply with code similar to the following:

using System;  namespace EncryptStringSample {     class Program     {         static void Main(string[] args)         {             Console.WriteLine("Please enter a password to use:");             string password = Console.ReadLine();             Console.WriteLine("Please enter a string to encrypt:");             string plaintext = Console.ReadLine();             Console.WriteLine("");              Console.WriteLine("Your encrypted string is:");             string encryptedstring = StringCipher.Encrypt(plaintext, password);             Console.WriteLine(encryptedstring);             Console.WriteLine("");              Console.WriteLine("Your decrypted string is:");             string decryptedstring = StringCipher.Decrypt(encryptedstring, password);             Console.WriteLine(decryptedstring);             Console.WriteLine("");              Console.WriteLine("Press any key to exit...");             Console.ReadLine();         }     } } 

(You can download a simple VS2013 sample solution (which includes a few unit tests) here).

UPDATE 23/Dec/2015: The list of specific improvements to the code are:

  • Fixed a silly bug where encoding was different between encrypting and decrypting. As the mechanism by which salt & IV values are generated has changed, encoding is no longer necessary.
  • Due to the salt/IV change, the previous code comment that incorrectly indicated that UTF8 encoding a 16 character string produces 32 bytes is no longer applicable (as encoding is no longer necessary).
  • Usage of the superseded PBKDF1 algorithm has been replaced with usage of the more modern PBKDF2 algorithm.
  • The password derivation is now properly salted whereas previously it wasn't salted at all (another silly bug squished).
like image 73
CraigTP Avatar answered Sep 21 '22 16:09

CraigTP


using System.IO; using System.Text; using System.Security.Cryptography;  public static class EncryptionHelper {     public static string Encrypt(string clearText)     {         string EncryptionKey = "abc123";         byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);         using (Aes encryptor = Aes.Create())         {             Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });             encryptor.Key = pdb.GetBytes(32);             encryptor.IV = pdb.GetBytes(16);             using (MemoryStream ms = new MemoryStream())             {                 using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))                 {                     cs.Write(clearBytes, 0, clearBytes.Length);                     cs.Close();                 }                 clearText = Convert.ToBase64String(ms.ToArray());             }         }         return clearText;     }     public static string Decrypt(string cipherText)     {         string EncryptionKey = "abc123";         cipherText = cipherText.Replace(" ", "+");         byte[] cipherBytes = Convert.FromBase64String(cipherText);         using (Aes encryptor = Aes.Create())         {             Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });             encryptor.Key = pdb.GetBytes(32);             encryptor.IV = pdb.GetBytes(16);             using (MemoryStream ms = new MemoryStream())             {                 using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write))                 {                     cs.Write(cipherBytes, 0, cipherBytes.Length);                     cs.Close();                 }                 cipherText = Encoding.Unicode.GetString(ms.ToArray());             }         }         return cipherText;     } } 
like image 40
A Ghazal Avatar answered Sep 18 '22 16:09

A Ghazal