Tags: encryption, x509, x509certificate2, xml-encryption

C# .NET Encrypt XML on one machine and Decrypt on another machine


I need to send GET/PUT/DELETE/POST messages with HttpWebRequest.

My request body contains XML.

I need to encrypt the content in body XML and decrypt back on the client/receiver side.

I see there are multiple ways to encrypt the XML. One of them is here: http://msdn.microsoft.com/en-us/library/sb7w85t6.aspx

But my concern is that the receiver should be able to decrypt it, and the receiver should be on a different platform and might not be on the .NET framework.

Can anyone suggest the best approach for this?

What I have tried so far:

    // Create a new Rijndael (AES) key. The Encrypt/Decrypt helpers used below are
    // the ones from the MSDN symmetric-key sample linked above.
    RijndaelManaged key = new RijndaelManaged();

    // Load an XML document.
    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.PreserveWhitespace = true;
    xmlDoc.Load("test.xml");

    // Encrypt the "creditcard" element.
    Encrypt(xmlDoc, "creditcard", key);
    Console.WriteLine("The element was encrypted");
    Console.WriteLine(xmlDoc.InnerXml);

    // Decrypt it again with the same key.
    Decrypt(xmlDoc, key);
    Console.WriteLine("The element was decrypted");
    Console.WriteLine(xmlDoc.InnerXml);

This looks to be doing the job, but I have concerns about the key:

    key = new RijndaelManaged();
    Decrypt(xmlDoc, key);

What is this key? Will a client on a different machine, with a different framework and different technology, be able to decrypt this message?

Update

After my research on a few encryption methods, I found X509Certificate2 is the best encryption option, and the client is also able to decrypt it if the same X509 cert is installed on their machine. I could find a script to encrypt:

    public static void Encrypt(XmlDocument Doc, string ElementToEncrypt, X509Certificate2 Cert)
    {
        // Check the arguments.
        if (Doc == null)
            throw new ArgumentNullException("Doc");
        if (ElementToEncrypt == null)
            throw new ArgumentNullException("ElementToEncrypt");
        if (Cert == null)
            throw new ArgumentNullException("Cert");

        XmlElement elementToEncrypt = Doc.GetElementsByTagName(ElementToEncrypt)[0] as XmlElement;

        // Throw an XmlException if the element was not found.
        if (elementToEncrypt == null)
        {
            throw new XmlException("The specified element was not found");
        }

        EncryptedXml eXml = new EncryptedXml();

        // Encrypt the element with the certificate's public key and replace it in place.
        EncryptedData edElement = eXml.Encrypt(elementToEncrypt, Cert);
        EncryptedXml.ReplaceElement(elementToEncrypt, edElement, false);
    }

I found this code to decrypt:

    public static void Decrypt(XmlDocument Doc)
    {
        // Check the arguments.
        if (Doc == null)
            throw new ArgumentNullException("Doc");

        // Create a new EncryptedXml object.
        EncryptedXml exml = new EncryptedXml(Doc);

        // Decrypt the XML document.
        exml.DecryptDocument();
    }

My question is: this decrypt method is not asking for an X509 key. So how is it decrypting? Doesn't it need a key to decrypt? Will this decryption work on other machines as well?


Solution

  • There exist several approaches to encryption.

    Symmetric encryption uses the same key to encrypt and decrypt the data. The AES encryption algorithm is an example of such encryption.

    Asymmetric (public- and private-key based) encryption uses a pair of keys. In this mode you encrypt the data for someone using his public key. He uses his private key (which you don't have and should not have) to decrypt the data prepared for him. Asymmetric encryption is accomplished using certificate-based PKCS#7 / CMS standard or using OpenPGP.

    Now about XML. You can encrypt it as if it were binary data using one of the above methods. Or you can encrypt it using XMLEnc standard.

    The way to use depends on who decides or demands encryption format and method. If it's you that makes the decision, then the decision should be based on what capabilities (libraries, code) both sides can use AND how the keys are managed (PKI is a bit harder to manage than symmetric key, but in general PKI is more secure).

    Just a note: our SecureBlackbox product supports both symmetric and certificate-based encryption (both binary, XMLEnc and also OpenPGP) on .NET, Java and other platforms.
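An added example, not code from the question, the MSDN sample or the answerer's product, that makes the key handling behind the asker's Encrypt(element, cert) / DecryptDocument() pair explicit and ties it to the answer's point about asymmetric encryption: the element is encrypted with a fresh AES session key, that key is wrapped with the certificate's RSA public key, and decryption needs the matching private key (which is what DecryptDocument() looks up in the certificate store). It assumes .NET 5 or later with the System.Security.Cryptography.Xml package; the self-signed certificate, the class name and the sample XML are constructed for the demo.

```csharp
// Added example (not from the question or MSDN): what DecryptDocument() does
// implicitly after Encrypt(element, cert): unwrap the AES session key with the
// receiver's RSA private key, then decrypt. Cert and XML below are constructed.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlEncDemo
{
    static void Main()
    {
        // Constructed receiver key pair: the sender needs only the public cert,
        // the private key stays on the receiving machine.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=receiver-demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<order><creditcard>4111111111111111</creditcard></order>");

        // Sender: Encrypt() generates an AES key, wraps it with the cert's RSA
        // public key and stores the result in KeyInfo/EncryptedKey.
        var target = (XmlElement)doc.GetElementsByTagName("creditcard")[0];
        EncryptedData ed = new EncryptedXml().Encrypt(target, cert);
        EncryptedXml.ReplaceElement(target, ed, false);
        Console.WriteLine(doc.OuterXml); // creditcard is now an <EncryptedData>

        // Receiver, done by hand instead of DecryptDocument():
        var encElem = (XmlElement)doc.GetElementsByTagName(
            "EncryptedData", EncryptedXml.XmlEncNamespaceUrl)[0];
        var encData = new EncryptedData();
        encData.LoadXml(encElem);
        EncryptedKey wrapped = null;
        foreach (KeyInfoClause clause in encData.KeyInfo)
            if (clause is KeyInfoEncryptedKey k) wrapped = k.EncryptedKey;
        if (wrapped == null) throw new CryptographicException("No EncryptedKey");
        // Without the private key (a receiver holding only the public cert)
        // DecryptKey throws: this is why the cert must be installed with its key.
        bool oaep = wrapped.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;
        byte[] sessionKey = EncryptedXml.DecryptKey(
            wrapped.CipherData.CipherValue, cert.GetRSAPrivateKey(), oaep);
        using var aes = Aes.Create();
        aes.Key = sessionKey;
        var exml = new EncryptedXml(doc);
        exml.ReplaceData(encElem, exml.DecryptData(encData, aes));
        Console.WriteLine(doc.OuterXml); // original <creditcard> restored
    }
}
```

Because the output is standard XML Encryption (RSA key wrap plus AES-CBC, with the certificate identified by issuer and serial in KeyInfo), a non-.NET receiver can perform the same three steps with any XMLEnc-capable library as long as it holds the private key.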