Encryption using DES-EDE2 and HMAC-SHA1

We have some C++ code that uses the crypto C++ library (www.cryptocpp.com).  That library uses a passphrase to generate an HMAC/SHA1 hash which feeds (somehow) into the DES-EDE2 algorithm as a key.

I need to reimplement this in C# but I don't completely understand the HMAC/SHA1 part and how such a hash is passed into the encryption/decryption functions.  

I know this is quite common, these libraries allow you to perform 3DES encryption using a passphrase, I just can't figure out how to tie it all together so I thought I would ask here.

How do I take the output of the hmacsha1 class and feed it as input (key and IV) to the TripleDESCryptoProvider methods?

The only values I have are the passphrase and the string to encrypt.
craigsweet asked:
Kelvin_King commented:
It should work just the same as it did in your C++ code.

HMAC/SHA1 simply takes the passphrase as a parameter, and generates a hash as the output.

With this output, you then feed it as a key into your encryption function, which can be anything.

Why don't you post your code and I'll take a look at it.
craigsweet (Author) commented:
I'm generating the 3DES key like so:

using System.IO;
using System.Security.Cryptography;
using System.Text;

ASCIIEncoding encoding = new ASCIIEncoding();
// Derive key material from the passphrase alone (no salt is supplied).
PasswordDeriveBytes pdb = new PasswordDeriveBytes(passPhrase, null);
TripleDESCryptoServiceProvider t = new TripleDESCryptoServiceProvider();
t.Key = pdb.CryptDeriveKey("TripleDES", "SHA1", 192, t.IV);   // 192-bit = 24-byte key

That generates a 24-byte key.  It creates an IV of 8 bytes but I'm not sure it's correct.  I then encrypt the data:

byte[] plaintext = encoding.GetBytes(input);
MemoryStream m = new MemoryStream();
// CryptoStream runs the 3DES encryptor over everything written to it.
CryptoStream c = new CryptoStream(m, t.CreateEncryptor(), CryptoStreamMode.Write);
c.Write(plaintext, 0, plaintext.Length);
c.Close();   // Close() flushes the final (padded) block into the MemoryStream
byte[] encrypted = m.ToArray();

When I do this my encoded string is 24 bytes long.

I have sample data from the c++ library:
Plaintext:  03D78972DK647980F
Encrypted:  57EBCCF2E5D90CEF555AE8DEA33641FC2CE99B7A53E53770146CB4314EBA7A301390B1CBDBA043A47BA3125F6047AC6A68D2B051F25C7BEF

As you can see my encrypted string is a lot longer than 24 bytes so clearly something is wrong with my approach.  I'm just at a loss on where to even look.


I have also experimented with the HMACSHA1 class:
            HMACSHA1 hmac = new HMACSHA1(encoding.GetBytes(passPhrase));

But I'm not sure what to do with that output.  That gives me a 16-byte key.  Even if I were to pass this into the TripleDESCryptoServiceProvider class I will not have an IV in this case.

See why I'm so confused? :-)


Kelvin_King commented:
It seems like you are no longer using the cryptocpp libraries which you mentioned in the earlier thread. You are now using the Microsoft crypto libraries instead.

So, your results will definitely be inconsistent from our initial C++ code.

Firstly, you'll need to generate the key using HMAC/SHA1 in C#, here's some info

http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1(VS.71).aspx

Focus on the C# code sample:
// KEY_SIZE and DATA_SIZE are constants defined elsewhere in the MSDN sample.
byte[] key = new byte[KEY_SIZE];
byte[] data = new byte[DATA_SIZE];

HMACSHA1 hmac = new HMACSHA1(key);            // key = the HMAC key (the passphrase bytes)
CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
cs.Write(data, 0, data.Length);               // data is what gets MACed
cs.Close();                                   // after Close(), hmac.Hash holds the 20-byte result

where Key is the Passphrase you will provide it with.

Then you'll use the TripleDESCSP like this:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.tripledescryptoserviceprovider.aspx

Hope this helps.
craigsweet (Author) commented:
Yes, my goal is to replace my C++ library (based on cryptC++) with a .Net assembly.  But since we've been using it for a while I have to be sure I'm using the same algorithm/keys/etc.

What you've given doesn't help me, it just restates the problem I'm trying to solve.  I know how to create an HMACSHA1 object and send in the passphrase.  I also know how to create a TripleDESCryptoServiceProvider object and pass in data to it.

What I don't get is how to marry the two together.  What output from the HMACSHA1 call goes into the 3DES functions, etc.?  Am I to create a hash of the input and pass that in somehow, or is HMAC only used to create a key that the 3DES provider uses?

Also, does .Net even support EDE2 (i.e. 3DES using 2 keys)?

I know it's common to use password-based encryption using 3DES and HMAC/SHA1 together (whether it's a good idea or not I don't know) but what I'm looking for is the "together" part.
Kelvin_King commented:
> What output from the HMACSHA1 call goes into the 3DES functions, etc?  Am I to create a hash of the input and pass that in somehow or is HMAC only used to create a key that the 3DES provider uses.

The idea of using a hashing function is to create a strong key given a passphrase.

Therefore, the resulting hash from the hashing function is to be used as the key in your encryption algorithm.

In the case of HMACSHA1: cs.Write(data, 0, data.Length);

the data buffer will be used as the key for your 3DES.

I'm not sure if .NET supports EDE2 mode. From their online API, I don't see it available.

Hope that helps.
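The "together" part, as an added example in .NET that is neither the question's code nor the Crypto++ scheme (the thread never says what bytes the C++ side feeds to the HMAC, so the passphrase, the labels "key" and "iv" and the IV derivation are all assumptions here). What it does show is that the HMAC-SHA1 output becomes the key, that a 16-byte key is accepted by TripleDESCryptoServiceProvider as a two-key (EDE2) key, and that PKCS#7 padding turns the 17-byte sample plaintext into 24 bytes of ciphertext.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the question's code and not the Crypto++ scheme, which the
// thread never spells out). Assumption: HMAC-SHA1 keyed with the passphrase, over a
// short label, yields the key material; its first 16 bytes are K1||K2 for two-key
// 3DES (EDE2). The IV is also an assumption here: a second HMAC over a different label.
static class PassphraseTripleDes
{
    // HMAC-SHA1 output is 20 bytes; take the first `length` of them.
    private static byte[] Derive(string passphrase, string label, int length)
    {
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(passphrase)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(label));
            byte[] result = new byte[length];
            Array.Copy(mac, result, length);
            return result;
        }
    }

    // 16 bytes: .NET's TripleDES accepts a 128-bit key and runs it as EDE2 (K1, K2, K1).
    public static byte[] DeriveKey(string passphrase) => Derive(passphrase, "key", 16);
    // 8 bytes: one DES block, which is the IV size for CBC mode.
    public static byte[] DeriveIv(string passphrase) => Derive(passphrase, "iv", 8);

    public static byte[] Encrypt(string passphrase, byte[] plaintext)
    {
        using (var des = new TripleDESCryptoServiceProvider())
        {
            des.Key = DeriveKey(passphrase);   // setter rejects weak keys (K1 == K2)
            des.IV = DeriveIv(passphrase);
            des.Mode = CipherMode.CBC;         // the defaults, stated so the wire
            des.Padding = PaddingMode.PKCS7;   // format is explicit: 17-byte input -> 24 bytes
            using (ICryptoTransform enc = des.CreateEncryptor())
            {
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
        }
    }

    static void Main()
    {
        // Constructed sample passphrase; the plaintext is the one quoted in the question.
        byte[] ct = Encrypt("sample-passphrase", Encoding.ASCII.GetBytes("03D78972DK647980F"));
        Console.WriteLine($"{ct.Length} bytes: {BitConverter.ToString(ct)}");
    }
}
```

Without the exact derivation the C++ code uses (salt, iteration count, what it hashes, and where any IV or MAC is placed in the 56-byte sample output), this will not reproduce the sample ciphertext; compare against the Crypto++ source before relying on interoperability.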