.NET And Triple DES Security
page 4 of 8
by Kay Lee

Variables, Properties, and Enumerator Explained

To reiterate a very important message: it is highly advisable to continue your research on encryption broadly and on Triple DES in depth. Your understanding of the methodology and algorithm of the encryption technology you choose largely determines how secure your data is. With the definitions and the tedious portions of the article out of the way, we'll start covering what each method actually does and why it's done that way.

On a broad scale, the example uses a single provider class that wraps the TripleDES class found in the System.Security.Cryptography namespace. The TripleDESCryptoServiceProvider is provided by the .NET framework and gives us an easy-to-use class for Triple DES encryption. At a glance, the TripleDESCryptoServiceProvider example in the version 1.1 SDK documentation is not very exciting. However, it does show how easy the class is to use once you have the right idea.

Class Level Variables

private TripleDESCryptoServiceProvider des;
private byte[] key;
private byte[] iv;

By declaring the TripleDESCryptoServiceProvider at class scope, we gain the freedom to create specialized methods that modularize the process. Most of the process is shared: only the ICryptoTransform implementation differs between encryption and decryption. This is a luxury of some cryptographic algorithms, and DES is one of them.

The two major objects stored are "key" and "iv". Both are byte arrays of different lengths, and both are needed in this class. The "key" for a DES-based algorithm is always a multiple of 64 bits, or 8 bytes. For our example, we are maximizing the key's strength by using 24-byte keys, so we can safely declare the array to hold 24 values. The byte array "iv" is always 64 bits, or 8 bytes, in length (one DES block), so it is safe to fix the length of that array as well.

Constructor

public TripleDES()
{
   des = new TripleDESCryptoServiceProvider();
   iv = new byte[8];
   key = new byte[24];
}

By design, the fields are not initialized where they are declared. When a new instance of the class is created, the objects are instantiated in the constructor; unless the object is declared static, many consider this the better practice.

Properties

public byte[] Key 
{
     get { return key; }
     set { key = value; }
}
public byte[] IV 
{
     get { return iv; }
     set { iv = value; }
}

By keeping the fields private and exposing them through public properties, the assembly itself, rather than the application calling the class, controls how these values are accessed. You may choose to expose the members publicly, but that adds no real value to the application or the assembly in this scenario.

public string SetKeys 
{
     set 
     {
          byte[] md5key;    // plain MD5 of the value, 16 bytes
          byte[] hashedkey; // salted MD5 of the value, 16 bytes

          // Both helpers are defined elsewhere in this class (covered on another page).
          md5key = MD5Encryption(value);
          hashedkey = MD5SaltedHashEncryption(value);

          // key[0..15] = the full salted hash
          for (int i = 0; i < hashedkey.Length; i++) 
          {
               key[i] = hashedkey[i];
          }

          int startcount = hashedkey.Length; /* always 16 bytes (128 bits) */
          int midcount = md5key.Length / 2;  /* always 8 bytes (64 bits) */

          // key[16..23] = second half of the plain hash, iv[0..7] = first half of the plain hash
          for (int i = midcount; i < md5key.Length; i++) 
          {
               key[startcount + (i - midcount)] = md5key[i];
               iv[i - midcount] = md5key[i - midcount];
          }

          md5key = null;
          hashedkey = null;
     }
}

Most of the properties are very straightforward, but SetKeys is a little different. For situations where the application has no code of its own to create a key or IV, the SetKeys property uses an MD5 algorithm to create a write-only key/IV combination. In this implementation, the value is run through both a simple MD5 and a salted MD5 hashing algorithm to generate the 24-byte key array.

SetKeys builds the key from the salted hash output (16 bytes) and appends 8 bytes of the regular hashed output (the second half, md5key[8..15], in the code above); the IV is the remaining 8 bytes of the regular hashed output (the first half). This makes the private key a little more difficult to crack if the string version is unknown.
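The SetKeys layout, worked through as an added example that is not the article's code. MD5Encryption and MD5SaltedHashEncryption are defined on another page of the series, so here they are assumed to be plain MD5 over the UTF-8 bytes and MD5 over a constructed placeholder salt prepended to the value; the example also runs the derived key through TripleDES.IsWeakKey, the check the provider itself applies when the key is assigned.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SetKeysDemo
{
    // Stand-ins for the article's MD5Encryption and MD5SaltedHashEncryption, which are defined
    // on another page of the series. Assumed here: plain MD5 over the UTF-8 bytes of the value,
    // and MD5 over a constructed placeholder salt prepended to the value.
    static byte[] Md5(string value)
    {
        using (var md5 = MD5.Create())
            return md5.ComputeHash(Encoding.UTF8.GetBytes(value));
    }
    static byte[] SaltedMd5(string value) => Md5("example-salt:" + value);

    // Same layout the SetKeys setter produces:
    //   key[0..15] = salted hash (16 bytes), key[16..23] = md5key[8..15], iv[0..7] = md5key[0..7]
    public static (byte[] Key, byte[] IV) Derive(string value)
    {
        byte[] md5key = Md5(value);          // 16 bytes = 128 bits
        byte[] hashedkey = SaltedMd5(value); // 16 bytes = 128 bits
        byte[] key = new byte[24];
        byte[] iv = new byte[8];
        Buffer.BlockCopy(hashedkey, 0, key, 0, 16);
        Buffer.BlockCopy(md5key, 8, key, 16, 8);
        Buffer.BlockCopy(md5key, 0, iv, 0, 8);
        return (key, iv);
    }

    public static void Main()
    {
        var (key, iv) = Derive("correct horse battery staple"); // constructed sample input

        // The provider rejects weak and semi-weak keys when Key is assigned; check explicitly
        // so the failure is reported as a key-derivation problem rather than a generic error.
        if (TripleDES.IsWeakKey(key))
            throw new CryptographicException("derived 24-byte key is a weak Triple DES key");

        using (var des = new TripleDESCryptoServiceProvider())
        {
            des.Key = key; // 24 bytes: three independent 8-byte DES subkeys
            des.IV = iv;   // 8 bytes: one DES block
            Console.WriteLine("KeySize={0} bits, BlockSize={1} bits", des.KeySize, des.BlockSize);
            Console.WriteLine("IV = MD5(value)[0..7] = " + BitConverter.ToString(iv));
        }
    }
}
```

Because the IV and the last 8 key bytes both come from one unsalted MD5 of the value and the derivation has no iteration count, anyone who knows the input string recovers key and IV directly; the secrecy rests entirely on that string.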

Enumerators

public enum CipherMode 
{
   CipherBlockChaining = 1,
   ElectronicCodebook = 2,
   OutputFeedback = 3,
   CipherFeedback = 4 
}


private System.Security.Cryptography.CipherMode TranslateCipherMode(KraGiE.TripleDES.CipherMode ciphermode) 
{
   return (System.Security.Cryptography.CipherMode)Convert.ToInt32(ciphermode);
}

Before going into the CipherMode-based properties, it's best to examine the new enumerator (enum) we created in the class. This enumerator mirrors the values of System.Security.Cryptography.CipherMode. The only difference is the names used for the numeric constants: System.Security.Cryptography.CipherMode uses abbreviations, while the enum in our example uses the full names of the modes. It is later mapped back to the correct CipherMode value by converting it to an integer and returning it as the type System.Security.Cryptography.CipherMode.

The 4 available Cipher Modes for the DES algorithms are:

  • Cipher Block Chaining (CBC)
  • Electronic Codebook (ECB)
  • Output Feedback (OFB)
  • Cipher Feedback (CFB)

For more information on Cipher Modes, and what they are specifically, you may view the differences at http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation.

public System.Security.Cryptography.CipherMode GetCipherMode 
{
   get { return des.Mode; }
}
public KraGiE.TripleDES.CipherMode SetCipherMode 
{
   set { des.Mode = this.TranslateCipherMode(value); }
}

The two CipherMode-based properties are GetCipherMode and SetCipherMode. GetCipherMode returns the current mode from the TripleDESCryptoServiceProvider, and SetCipherMode converts the class's enum value to the corresponding System.Security.Cryptography.CipherMode value and assigns it to the TripleDESCryptoServiceProvider's Mode property. Changing the cipher mode changes how the blocks are chained together, so the same key and plaintext produce different ciphertext in each mode. After researching the differences between the modes, you may implement the one that best fits your application's needs.
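An added example, not the article's code, that exercises the enum translation from this page and shows what the mode actually changes: the same 24-byte key and a plaintext made of two identical 8-byte blocks are encrypted in ECB and in CBC. Under ECB each block is encrypted independently, so the two ciphertext blocks repeat and reveal the plaintext pattern; under CBC the first ciphertext block is mixed into the second, so they differ. The key, IV and plaintext bytes are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class CipherModeDemo
{
    // Mirror of the article's enum: the values match System.Security.Cryptography.CipherMode.
    public enum CipherMode { CipherBlockChaining = 1, ElectronicCodebook = 2, OutputFeedback = 3, CipherFeedback = 4 }

    static System.Security.Cryptography.CipherMode Translate(CipherMode mode) =>
        (System.Security.Cryptography.CipherMode)Convert.ToInt32(mode);

    // Encrypts a block-aligned plaintext under the given mode with the provider's own transform.
    static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext, CipherMode mode)
    {
        using (var des = new TripleDESCryptoServiceProvider())
        {
            des.Key = key;
            des.IV = iv;
            des.Mode = Translate(mode);
            des.Padding = PaddingMode.None; // input is exactly two 8-byte blocks, so no padding
            using (ICryptoTransform enc = des.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    // True when the two 8-byte ciphertext blocks are byte-for-byte identical.
    static bool BlocksRepeat(byte[] ct) =>
        BitConverter.ToString(ct, 0, 8) == BitConverter.ToString(ct, 8, 8);

    public static void Main()
    {
        // Constructed sample values for the demo only; real keys come from GenerateKey() or a KDF.
        byte[] key = Encoding.ASCII.GetBytes("0123456789abcdefghijklmn"); // 24 bytes, three distinct subkeys
        byte[] iv = new byte[8];                                         // all-zero IV
        byte[] plaintext = Encoding.ASCII.GetBytes("BLOCK-A!BLOCK-A!");  // two identical 8-byte blocks

        foreach (CipherMode mode in new[] { CipherMode.ElectronicCodebook, CipherMode.CipherBlockChaining })
        {
            byte[] ct = Encrypt(key, iv, plaintext, mode);
            Console.WriteLine("{0} -> {1}: {2}", mode, Translate(mode), BitConverter.ToString(ct));
            Console.WriteLine("  identical plaintext blocks gave identical ciphertext blocks: {0}",
                              BlocksRepeat(ct));
        }
    }
}
```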

So far, everything is pretty straightforward, and we can take a look at the meat of the code. The methods are described on the next page.


User Comments

Title: Hai   
Name: mangala
Date: 2008-07-22 7:54:10 AM
Comment:
good
Title: Public Key   
Name: Joe Grant
Date: 2006-12-08 12:12:50 PM
Comment:
How would one go about creating a public key to share with someone so they can decrypt without sharing the private key?
Title: Excellent coverage of TripleDES   
Name: Sam
Date: 2005-08-02 9:11:49 PM
Comment:
Great stuff... simple but with enough background information to understand the important elements eg. PK, IV, Cipher etc. I will be using parts of it in my enterprise application.
Title: triple des   
Name: Josh
Date: 2004-10-13 10:12:45 PM
Comment:
we've been looking at different encryption methods in class and lectures have been so boring. i decided to search around and found your article to be a great practical implementation. i wish my class would provide us with practical examples like this. Thanks.
Title: Thanks   
Name: Kay Lee
Date: 2004-10-13 6:42:03 PM
Comment:
Thanks. I'm glad you like it, and I hope the source works well for you.
Title: Triple DES Encryption   
Name: Brian Chiasson
Date: 2004-10-12 3:35:52 PM
Comment:
Excellent article. I have been looking for a couple of hours for something on encryption. It shed light on the subject and provided me with useful code for my intranet application. Thanks a million...