REST Service encryption supporting Android/iOS encryption

This topic contains 1 reply, has 2 voices, and was last updated by  kimbomadsen 6 months, 2 weeks ago.

  • #53400

    Decoder
    Participant

    Hi Kim!

    We are attempting to interface a mobile app on both Android and iOS with our encryption scheme.

    We’re using a custom http header to hold an encrypted, base64 encoded string.

    I noticed that CFB 8-bit appears to be the encryption method for Rijndael/AES by default. We’re using a salt to further secure the string.

    We are having a difficult time trying to properly encrypt the auth info using non-kbm android/ios native tools and have some questions; I have dug into your encryption source and have been unable to determine the answers to these questions:

    How is the salt being used? We’re currently assuming that the key is generated using PBKDF2 using the salt and password with 10 iterations with key size 256/32.

    What IV (initialization vector) are you using?

    We are using the following method to encrypt and salt:

    var
      Str, Password: AnsiString;
      CipherAES: TkbmMWCipherAES;
      BeforeBytes: TkbmMWBytes;
      AfterBytes: TkbmMWBytes;
    begin
      CipherAES := TkbmMWCipherAES.Create(nil); // Owner
      try
        // Key derived from the password string using the SHA256 hash
        CipherAES.InitString(Password, // const Key: string
          TkbmMWHashSHA256,
          True);

        // Copy the input string into a byte array for the cipher
        SetLength(BeforeBytes, Length(Str));
        Move(Str[1], BeforeBytes[0], Length(Str));

        AfterBytes := CipherAES.EncryptBytes(BeforeBytes);

        …or…

        AfterBytes := CipherAES.DecryptBytes(BeforeBytes);
      finally
        CipherAES.Free;
      end;
    end;

    In looking at your code I didn’t see a reference to an Initialization Vector, so I’m not certain how the key/init vector works in your crypt code.

    We’re using the library Crypto-js for client-side encryption.

    Can you please assist? Any help would be greatly appreciated.

    Thanks.

  • #53425

    kimbomadsen
    Keymaster

    Hi,

    When using InitString, an internal default init vector is being used.

    If you want to control it all, do like this (example is using AES validation data):
