Wednesday, February 06, 2013

Secure file exchange with .NET Crypto API

Introduction

I have recently found interest in online storage services like Skydrive, Dropbox or Box, just to mention a few. I've worked on secure protocols and cryptography many times in my engineering career, and I decided to find a solution to a simple requirement: exchange documents with other people confidentially using those online storage services.

The requirements

Online storage services allow you to store documents online and optionally share them with other users. Some of those services encrypt the data on their servers, but most free ones, like Skydrive, simply store data without any encryption. Even with services that encrypt the data locally, the data is no longer encrypted when it is transferred over the internet. So far only FileLocker seems to provide encryption during data transfer.

In order to create a secure exchange when sharing documents you need to have the following features:

  • Data needs to be encrypted where it is stored and also while it is being transferred
  • The owner of the data must be able to select the recipients he wishes to share the data with
  • The recipient should be able to verify the integrity of the data

Those are standard features you expect when securely exchanging data, so I added some other requirements to fit the constraints of exchanging the data over the internet.

  • The overhead of the exchange information must be small 
  • The exchange protocol must be robust 
...
...

public void TestFileExchange()
{
    // Load the file to encrypt
    byte[] imgData = File.ReadAllBytes(IMG_FILE_NAME);

    AESEncryptor aesEncryptor = new AESEncryptor(PASSWORD);

    RSACryptoServiceProvider rsaProviderOfRecipient = new RSACryptoServiceProvider();
    RSAOAEPEncryptor rsaDigestEncrypt = new RSAOAEPEncryptor(rsaProviderOfRecipient);

    RSACryptoServiceProvider rsaProviderOfOwner = new RSACryptoServiceProvider();
    RSASHA1Signature rsaDigestSigned = new RSASHA1Signature(rsaProviderOfOwner);

    // Encrypt the file data, the key and sign the original file data
    EncryptedFile encryptFile = new EncryptedFile(imgData,
        new FileDescription(IMG_FILE_NAME, MIME_JPG, APP_SLIDESHOW, ALGO_AES),
        aesEncryptor,
        new Recipient[] { new Recipient(USER_ID_DEST1, rsaDigestEncrypt) },
        new Owner(USER_ID_SRCE, rsaDigestSigned));

    // Build an EncryptedFile instance from the encrypted content with header
    EncryptedFile encryptFileOut = new EncryptedFile(encryptFile.EncryptedContent);

    ExchangeDataHeader encryptedHeader = encryptFileOut.EncryptedHeader;

    // Process the encrypted DigestData to extract the AES key
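
The same steps as the test above (AES for the file, RSA-OAEP for the AES key, an RSA signature from the owner), written directly against the framework's `System.Security.Cryptography` classes. This is an added example, not the article's code: `Package`, `Seal` and `Open` are hypothetical names, SHA-256 replaces the SHA-1 signature used above, and it assumes C# 9 on .NET 5 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class HybridExchangeDemo
{
    // Hypothetical container: IV, AES ciphertext, RSA-wrapped AES key, owner signature.
    record Package(byte[] Iv, byte[] Cipher, byte[] WrappedKey, byte[] Signature);

    static Package Seal(byte[] data, RSA recipientPublic, RSA ownerPrivate)
    {
        using Aes aes = Aes.Create();   // fresh random 256-bit key and IV per file (CBC, PKCS7)
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] cipher = enc.TransformFinalBlock(data, 0, data.Length);
        // Only the holder of the recipient's private key can unwrap the AES key.
        byte[] wrapped = recipientPublic.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
        // As in the test above, the owner signs the original (plaintext) file data.
        byte[] sig = ownerPrivate.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return new Package(aes.IV, cipher, wrapped, sig);
    }

    static byte[] Open(Package p, RSA recipientPrivate, RSA ownerPublic)
    {
        byte[] key = recipientPrivate.Decrypt(p.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        using Aes aes = Aes.Create();
        aes.Key = key;
        aes.IV = p.Iv;
        using ICryptoTransform dec = aes.CreateDecryptor();
        byte[] data = dec.TransformFinalBlock(p.Cipher, 0, p.Cipher.Length);
        // Integrity check: release the data only if the owner's signature matches it.
        if (!ownerPublic.VerifyData(data, p.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("Owner signature does not match the decrypted data.");
        return data;
    }

    static void Main()
    {
        // Demo only: each side would normally hold just the other party's public key.
        using RSA owner = RSA.Create(2048);
        using RSA recipient = RSA.Create(2048);
        byte[] file = Encoding.UTF8.GetBytes("constructed sample document");
        Package p = Seal(file, recipient, owner);
        Console.WriteLine("Round trip ok: " + Open(p, recipient, owner).SequenceEqual(file));
        p.Cipher[0] ^= 0x01;            // simulate modification on the storage service
        try { Open(p, recipient, owner); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

To share with several recipients, the same AES key is wrapped once per recipient public key, which keeps the per-recipient overhead to one RSA block.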

Read more: Codeproject