REST Service encryption supporting Android/iOS encryption

    • #53400
      Decoder
      Participant

      Hi Kim!

      We are attempting to interface a mobile app on both Android and iOS with our encryption scheme.

      We’re using a custom http header to hold an encrypted, base64 encoded string.

      I noticed that CFB 8-bit appears to be the encryption method for Rijndael/AES by default. We’re using a salt to further secure the string.

      We are having a difficult time trying to properly encrypt the auth info using non-kbm android/ios native tools and have some questions; I have dug into your encryption source and have been unable to determine the answers to these questions:

      How is the salt being used? We’re currently assuming that the key is generated using PBKDF2 using the salt and password with 10 iterations with key size 256/32.

      What IV (initialization vector) are you using?

      We are using the following method to encrypt and salt:

      var
        Str, Password: AnsiString;
        CipherAES: TkbmMWCipherAES;
        BeforeBytes: TkbmMWBytes;
        AfterBytes: TkbmMWBytes;
      begin
        CipherAES := TkbmMWCipherAES.Create(nil); // Owner
        try
          // Key is derived from the password string; hash and salt flag as shown
          CipherAES.InitString(Password,          // const Key: string
                               TkbmMWHashSHA256,
                               True);

          // Copy the string payload into a byte array
          SetLength(BeforeBytes, Length(Str));
          Move(Str[1], BeforeBytes[0], Length(Str));

          AfterBytes := CipherAES.EncryptBytes(BeforeBytes);
        finally
          CipherAES.Free;
        end;
      end;

      …or…

          AfterBytes := CipherAES.DecryptBytes(BeforeBytes);

      In looking at your code I didn’t see a reference to an Initialization Vector, so I’m not certain how the key/init vector works in your crypt code.

      We’re using the library Crypto-js for client-side encryption.

      Can you please assist? Any help would be greatly appreciated.

      Thanks.

    • #53425
      kimbomadsen
      Keymaster

      Hi,

      When using InitString, an internal default init vector is being used.

      If you want to control it all, do like this (example is using AES validation data):
