
Programming Internet Security with xTyCrypto

xTyCrypto is a set of easy-to-use, but efficient programming interfaces for the AES (Rijndael) symmetric key encryption algorithm and the RSA public key encryption algorithm. xTyCrypto.dll consists of three COM objects: ServerCrypter, ClientCrypter, and KeyMaker. This article briefly explains how they can be easily integrated into ASP pages, ASP.NET projects, and other types of projects.

Symmetric Key Encryption Operations

For basic encryption and decryption, xTyCrypto.ServerCrypter and xTyCrypto.ClientCrypter expose the same methods. The following VB code segment shows the whole sequence: set a key, encrypt, then set the same key again and decrypt.
        Private Sub SymmetricDemo()
            'Create the object (ServerCrypter and ClientCrypter behave the same here)
            Dim objCrypt As New XTYCRYPTOLib.ServerCrypter 'or XTYCRYPTOLib.ClientCrypter
            Dim strEncrypted As String, strDecrypted As String

            On Error GoTo ErrHandler

            'To encrypt: choose a key, then encrypt
            objCrypt.SetKey "key name", "my secret key"
            strEncrypted = objCrypt.Encrypt("A long string up to several megabytes.")

            'To decrypt: set the same key, then decrypt
            objCrypt.SetKey "key name", "my secret key"
            strDecrypted = objCrypt.Decrypt(strEncrypted)

            Exit Sub
        ErrHandler:
            MsgBox Err.Description
        End Sub
There are three other encryption functions in the COM objects: EncryptEx, HtmlEncrypt, and MutilineEncrypt. EncryptEx encrypts a binary stream (an array of bytes) and outputs a binary stream. HtmlEncrypt and MutilineEncrypt are the same as Encrypt except that HtmlEncrypt wraps its output in an HTML comment and MutilineEncrypt breaks its output into multiple lines. Both are convenient for embedding the ciphertext in a web page.

Client/Server Encryption Preliminaries

The two best-known families of encryption algorithms are Symmetric Key Encryption and Public Key Encryption. Symmetric Key Encryption is also called secret key encryption because it uses the same key (called the secret key, symmetric key, or session key, depending on who you are talking to) for both encryption and decryption. Public Key Encryption, in contrast, is called asymmetric key encryption because it uses a pair of keys, a public key and a private key. The public key is used for encryption and, as its name says, can be given to everybody. Data encrypted with the public key can only be decrypted with the corresponding private key.

To see the difference between the two, consider a user who wants to encrypt his credit card number and send it to a web site for payment. With Symmetric Key Encryption, the sender chooses a secret key, encrypts the card number with it and sends the encrypted data to the web server. But there is a problem: the web server cannot decrypt the card number unless the secret key is sent to it as well, and if the secret key is sent and stolen on the way, the encrypted card number is exposed. Public Key Encryption works differently. The web server makes a pair of keys, a public key and a private key. The private key is kept on the web server, but the public key is made available; for example, it can be included in the page that contains the web form. On the client side, the sender retrieves the public key from the page, encrypts the card number with it and submits the result to the web server. When the server receives the encrypted card number, it uses the private key to decrypt it.

For a small amount of data such as a credit card number, Public Key Encryption is a good solution on its own. For larger amounts of data, however, it is very inefficient because of its computational cost, whereas Symmetric Key Encryption (e.g. Rijndael AES) is very fast. The usual solution is therefore a mixture of the two: Symmetric Key Encryption is used to encrypt the data, and Public Key Encryption is used to encrypt the symmetric key for transmission (referred to as Key Exchange). As above, the web server makes a pair of keys, keeps the private key on the server and includes the public key in the page that contains the web form. On the client side, the sender retrieves the public key from the page. This time he chooses a secret key, uses it to encrypt the card number, and encrypts the secret key itself with the public key he has retrieved. He then submits both the secret-key-encrypted card number and the public-key-encrypted secret key to the web server. The server first decrypts the secret key with its private key and then uses the secret key to decrypt the card number. Two points are worth keeping in mind. The secret key should be a fresh random value chosen for that one submission rather than a reusable pass phrase, because anyone who learns it can read everything encrypted under it. And the scheme only keeps the card number from an eavesdropper if the client can trust the public key it received: an attacker who can modify the form page in transit can substitute his own public key, which is why the client should check the certificate before using it (see VerifyCertificate in Step 2 below). This sounds like a complicated process, but it is not in practice. The next section explains how it is done with xTyCrypto.

Using xTyCrypto in Client/Server Applications

As mentioned earlier, xTyCrypto.dll consists of three COM objects: ServerCrypter, ClientCrypter, and KeyMaker. We now discuss step by step how they are used, with Microsoft Internet Information Server (IIS) as the web server and ASP (VBScript) as the programming language. Error handling has been omitted for simplicity; you should always catch the errors. The Visual Basic sample project covers all the steps below in detail, and the code below is also available as a package in the ASP sample project.

Note: In practice, most of the following code is grouped into a separate module, so you do not have to write it again for every page.
  • Step 0. Generation of Key Pair. Because of the computational overhead, we usually do not generate a key pair for each visitor. Instead, the key pair is generated offline, saved to files, and loaded as needed. The following VB code generates a 1024-bit key pair, the size used in the demo; for new deployments prefer 2048 bits or more, since 1024-bit RSA keys are no longer considered adequate.
        Private Sub MakeKeys()
            Dim objKeyMaker As New XTYCRYPTOLib.KeyMaker 'Create the object
            On Error GoTo ErrHandler
            objKeyMaker.MakeKeyPair 1024 'Generate the key pair
            'Save the keys. Keep the private key file out of any directory IIS serves.
            objKeyMaker.SavePrivateKeyToFile "C:\temp\myprikey.pri"
            objKeyMaker.SavePublicKeyToFile "C:\temp\mycertificate.plc"
            Exit Sub
        ErrHandler:
            MsgBox Err.Description
        End Sub
    
    So let us assume the keys have been generated and saved as above.
  • Step 1. Form Page. Suppose you have the following form to collect user names. The public key file saved in Step 0 (the page calls it a certificate) is included into the page so that it is sent to the client together with the form:
        <!--#include file="mycertificate.plc"-->

        <FORM action="reply.asp" method="post" name="TheForm">
              User Name: <INPUT name="UserName" size=16><br><br>
                         <INPUT type="SUBMIT" Value="Submit">
        </FORM>
    
  • Step 2. Client Side. The Internet Explorer tool xTyHTMLDecrypter handles all the details below and fills the encrypted data into the form. If you want to write your own client, here are the details. The following VB code retrieves the public key, encrypts the user name with the secret key "color", encrypts that secret key with the public key, and prepares both for sending to the server. Optionally, you can also call the VerifyCertificate method to check the certificate information before using the key.
        Dim objClient As New XTYCRYPTOLib.ClientCrypter
        Dim strEncrypted As String, strEncryptedKey As String

        'strPubKey holds the public key from the form page above.
        objClient.LoadPublicKeyFromString strPubKey

        'Encrypt a string with the secret key "color"
        objClient.SetKey "key name", "color"
        strEncrypted = objClient.Encrypt("John Doe")

        'Encrypt the secret key with the server's public key
        strEncryptedKey = objClient.EncryptKey()
    
    Now send strEncrypted and strEncryptedKey to the server: reply.asp in Step 3 expects them in the form fields UserName and XTYPUBKEY respectively.

  • Step 3. Server Reply. The following ASP code (reply.asp) decrypts the secret key with the private key, decrypts the user name with that secret key, encrypts the reply message under the same secret key and sends it back to the client.
      <%
        Dim objServer, strUser

        'Create the object
        Set objServer = Server.CreateObject("xTyCrypto.ServerCrypter")

        'Load the private key. Server.MapPath resolves inside the web site, so make
        'sure IIS never serves the .pri file to a browser, or keep the file elsewhere.
        objServer.LoadPrivateKeyFromFile Server.MapPath("myprikey.pri"), "hello"

        'Decrypt the secret key
        If Len(Request.Form("XTYPUBKEY")) > 0 Then
            objServer.DecryptKey Request.Form("XTYPUBKEY")

            'Decrypt the user name
            strUser = objServer.Decrypt(Request.Form("UserName"))

            'Encrypt and send the reply
            Response.Write(objServer.Encrypt("Hello, " & strUser))
        Else
            'Not encrypted. Accepting plaintext here lets a client bypass the
            'encryption entirely; reject the request instead if that matters.
            'HTMLEncode so that raw user input is not reflected into the page.
            Response.Write(Server.HTMLEncode(Request.Form("UserName")))
        End If

        Set objServer = Nothing
      %>
    
    Notice that the server decrypts and uses the secret key, but the script never gets hold of the secret key string itself: DecryptKey keeps it inside the object.
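The key exchange described under "Client/Server Encryption Preliminaries" and carried out by Steps 0 to 3 above, written out as an added, self-contained Go example using only the Go standard library. It is not xTyCrypto code and does not call its COM objects; it shows the same flow (the server's key pair, the client encrypting data under a secret key and wrapping that key with the public key, the server unwrapping and replying under the same key) so the moving parts can be seen and tested without IIS. The concrete choices are this example's own assumptions, since the article does not say which modes and paddings xTyCrypto uses: a random 256-bit session key instead of a typed pass phrase such as "color", AES-GCM for the data, RSA-OAEP with SHA-256 for the key, a 2048-bit key pair, and an Envelope struct standing in for the UserName and XTYPUBKEY form fields.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one message on the wire. WrappedKey is the session key encrypted with
// the server's RSA public key (the ASP sample's XTYPUBKEY field); Ciphertext is the
// data under that session key (UserName). The server's reply reuses the session key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte // AES-GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// Step 0: the server's key pair, generated once and kept off the web root.
// Use 2048 bits or more; the 1024 bits in the article are too small today.
func MakeKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesSeal encrypts and authenticates plaintext under a 32-byte key (AES-256-GCM).
func aesSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// aesOpen reverses aesSeal; it fails if nonce, ciphertext or tag were modified.
func aesOpen(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Step 2 (client): pick a fresh random session key, encrypt the data with it, then
// encrypt the session key with the server's public key (RSA-OAEP with SHA-256).
func ClientEncrypt(pub *rsa.PublicKey, plaintext []byte) (sessionKey []byte, env Envelope, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, env, err
	}
	if env.Nonce, env.Ciphertext, err = aesSeal(sessionKey, plaintext); err != nil {
		return nil, env, err
	}
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, env, err // the client keeps sessionKey to read the reply
}

// Step 3 (server): unwrap the session key with the private key, decrypt the
// user name, and encrypt the greeting under the same session key.
func ServerReply(priv *rsa.PrivateKey, env Envelope) (user string, reply Envelope, err error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return "", reply, err // wrong key pair or tampered WrappedKey
	}
	name, err := aesOpen(sessionKey, env.Nonce, env.Ciphertext)
	if err != nil {
		return "", reply, err // tampered or mis-keyed data: fail closed
	}
	reply.Nonce, reply.Ciphertext, err = aesSeal(sessionKey, []byte("Hello, "+string(name)))
	return string(name), reply, err
}

// ClientDecryptReply reads the reply with the session key chosen in ClientEncrypt.
func ClientDecryptReply(sessionKey []byte, reply Envelope) (string, error) {
	msg, err := aesOpen(sessionKey, reply.Nonce, reply.Ciphertext)
	return string(msg), err
}

func main() {
	priv, err := MakeKeyPair(2048)
	if err != nil {
		panic(err)
	}
	sessionKey, env, _ := ClientEncrypt(&priv.PublicKey, []byte("John Doe")) // constructed input
	user, reply, err := ServerReply(priv, env)
	msg, _ := ClientDecryptReply(sessionKey, reply)
	fmt.Printf("server saw %q, client read %q, server err=%v\n", user, msg, err)
}
```

Because the data is sealed with an authenticated mode, ServerReply fails closed when the ciphertext has been modified or when the wrapped key was produced for a different server key pair, instead of handing the script garbage. The article does not say how xTyCrypto's Decrypt behaves on a modified ciphertext, so check that yourself before relying on it in reply.asp.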