Encryption using DES-EDE2 and HMAC-SHA1

Posted on 2008-11-08
Medium Priority
Last Modified: 2013-12-17
We have some C++ code that uses the crypto C++ library (www.cryptocpp.com).  That library uses a passphrase to generate an HMAC/SHA1 hash which feeds (somehow) into the DES-EDE2 algorithm as a key.

I need to reimplement this in C# but I don't completely understand the HMAC/SHA1 part and how such a hash is passed into the encryption/decryption functions.  

I know this is quite common; these libraries allow you to perform 3DES encryption using a passphrase. I just can't figure out how to tie it all together, so I thought I would ask here.

How do I take the output of the HMACSHA1 class and feed it as input (key and IV) to the TripleDESCryptoServiceProvider methods?

The only values I have are the passphrase and the string to encrypt.
Question by:craigsweet

Expert Comment

ID: 22911634
LVL 13

Expert Comment

ID: 22916847
It should work just the same as it did in your C++ code.

HMAC/SHA1 simply takes the passphrase as a parameter, and generates a hash as the output.

With this output, you then feed it as a key into your encryption function. Which can be anything.

Why don't you post your code and I'll take a look at it.

Accepted Solution

craigsweet earned 0 total points
ID: 22917041
I'm generating the 3DES key like so:

            ASCIIEncoding encoding = new ASCIIEncoding();
            // Derive key material from the passphrase (no salt is supplied here)
            PasswordDeriveBytes pdb = new PasswordDeriveBytes(passPhrase, null);
            TripleDESCryptoServiceProvider t = new TripleDESCryptoServiceProvider();
            // 192-bit (24-byte) key; t.IV is the provider's randomly generated 8-byte IV
            t.Key = pdb.CryptDeriveKey("TripleDES", "SHA1", 192, t.IV);

That generates a 24-byte key. It creates an IV of 8 bytes but I'm not sure it's correct. I then encrypt the data:

            byte[] plaintext = encoding.GetBytes(input);
            MemoryStream m = new MemoryStream();
            CryptoStream c = new CryptoStream(m, t.CreateEncryptor(), CryptoStreamMode.Write);
            c.Write(plaintext, 0, plaintext.Length);
            // Without this call the final (padded) block is never written to the stream
            c.FlushFinalBlock();
            byte[] encrypted = m.ToArray();

When I do this my encoded string is 24 bytes long.

I have sample data from the C++ library:
Plaintext:  03D78972DK647980F
Encrypted:  57EBCCF2E5D90CEF555AE8DEA33641FC2CE99B7A53E53770146CB4314EBA7A301390B1CBDBA043A47BA3125F6047AC6A68D2B051F25C7BEF

As you can see my encrypted string is a lot longer than 24 bytes, so clearly something is wrong with my approach. I'm just at a loss on where to even look.

I have also experimented with the HMACSHA1 class:

            HMACSHA1 hmac = new HMACSHA1(encoding.GetBytes(passPhrase));

But I'm not sure what to do with that output. That gives me a 16-byte key. Even if I were to pass this into the TripleDESCryptoServiceProvider class I will not have an IV in this case.

See why I'm so confused? :-)

LVL 13

Expert Comment

ID: 22918587
It seems like you are no longer using the cryptocpp libraries which you mentioned in the earlier thread. You are now using the Microsoft crypto libraries instead.

So, your results will definitely be inconsistent with our initial C++ code.

Firstly, you'll need to generate the key using HMAC/SHA1 in C#; here's some info:


Focus on the C# code sample:
byte[] key = new byte[KEY_SIZE];   // KEY_SIZE and DATA_SIZE are placeholders from the sample
byte[] data = new byte[DATA_SIZE];

HMACSHA1 hmac = new HMACSHA1(key);
CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
cs.Write(data, 0, data.Length);
cs.FlushFinalBlock();              // the 20-byte result is then available in hmac.Hash

where Key is the Passphrase you will provide it with.

Then you'll use the TripleDESCSP like this:


Hope this helps.

Author Comment

ID: 22918769
Yes, my goal is to replace my C++ library (based on cryptC++) with a .Net assembly. But since we've been using it for a while I have to be sure I'm using the same algorithm/keys/etc.

What you've given doesn't help me; it just restates the problem I'm trying to solve. I know how to create an HMACSHA1 object and send in the passphrase. I also know how to create a TripleDESCryptoServiceProvider object and pass in data to it.

What I don't get is how to marry the two together. What output from the HMACSHA1 call goes into the 3DES functions, etc.? Am I to create a hash of the input and pass that in somehow, or is HMAC only used to create a key that the 3DES provider uses?

Also, does .Net even support EDE2 (i.e. 3DES using 2 keys)?

I know it's common to use password-based encryption using 3DES and HMAC/SHA1 together (whether it's a good idea or not I don't know), but what I'm looking for is the "together" part.
LVL 13

Expert Comment

ID: 22919065
>> What output from the HMACSHA1 call goes into the 3DES functions, etc? Am i to create a hash of the input and pass that in somehow or is HMAC only used to create a key that the 3DES provider uses.

The idea is to use a hashing function to create a strong key given a passphrase.

Therefore, the resulting hash from the hashing function is to be used as the key in your encryption algorithm.

In the case of HMACSHA1: cs.Write(data, 0, data.Length);

the data buffer will be used as the key for your 3DES.

I'm not sure if .NET supports EDE2 mode. From their online API, I don't see it available.

Hope that helps.
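The two questions the thread leaves open are the same glue question: which bytes from HMACSHA1 become the 3DES key, where the IV comes from, and whether .NET can do two-key (EDE2) 3DES. The example below is added here and is not code from the thread, from Crypto++ or from the .NET documentation; it shows one way to wire the pieces together. The key material is the 20-byte hash HMACSHA1 returns from ComputeHash (the value in hmac.Hash), not the data buffer written into it. The derivation scheme (HMAC-SHA1 keyed with the passphrase over the labels "key" and "iv", first 16 bytes as K1||K2, first 8 bytes of a second hash as IV), the passphrase and the labels are assumptions made for this example; Crypto++'s actual derivation is not described anywhere in the thread, so this code will not reproduce the C++ sample ciphertext.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// ASSUMED derivation scheme (not Crypto++'s; the thread never states it):
//   keyMaterial = HMAC-SHA1(key = passphrase bytes, data = "key") -> 20 bytes, first 16 = K1||K2
//   ivMaterial  = HMAC-SHA1(key = passphrase bytes, data = "iv")  -> 20 bytes, first 8  = IV
public static class PassphraseTripleDes
{
    private static readonly byte[] KeyLabel = Encoding.ASCII.GetBytes("key"); // assumed label
    private static readonly byte[] IvLabel = Encoding.ASCII.GetBytes("iv");   // assumed label

    // Derive a 16-byte two-key 3DES key (K1||K2) and an 8-byte IV from the passphrase.
    public static void DeriveKeyAndIv(string passPhrase, out byte[] key, out byte[] iv)
    {
        byte[] passBytes = Encoding.UTF8.GetBytes(passPhrase);
        using (var hmac = new HMACSHA1(passBytes))   // passphrase is the HMAC key
        {
            byte[] keyMaterial = hmac.ComputeHash(KeyLabel); // 20-byte HMAC output
            key = new byte[16];
            Array.Copy(keyMaterial, 0, key, 0, 16);

            byte[] ivMaterial = hmac.ComputeHash(IvLabel);   // separate 20-byte output for the IV
            iv = new byte[8];
            Array.Copy(ivMaterial, 0, iv, 0, 8);
        }
    }

    // EDE2 means K3 == K1. .NET accepts a 16-byte TripleDES key directly (two-key mode);
    // for an API that insists on 24 bytes, expanding K1||K2 to K1||K2||K1 is the same cipher.
    public static byte[] ToThreeKeyForm(byte[] twoKey)
    {
        if (twoKey.Length != 16) throw new ArgumentException("expected a 16-byte two-key 3DES key");
        byte[] threeKey = new byte[24];
        Array.Copy(twoKey, 0, threeKey, 0, 16);
        Array.Copy(twoKey, 0, threeKey, 16, 8);
        return threeKey;
    }

    private static TripleDESCryptoServiceProvider CreateCipher(string passPhrase)
    {
        DeriveKeyAndIv(passPhrase, out byte[] key, out byte[] iv);
        var tdes = new TripleDESCryptoServiceProvider();
        tdes.Mode = CipherMode.CBC;
        tdes.Padding = PaddingMode.PKCS7;
        // The Key setter rejects weak keys (K1 == K2); with HMAC-derived keys that is negligible.
        tdes.Key = key;   // two-key 3DES; ToThreeKeyForm(key) would give the identical cipher
        tdes.IV = iv;
        return tdes;
    }

    public static byte[] Encrypt(string passPhrase, byte[] plaintext)
    {
        using (var tdes = CreateCipher(passPhrase))
        using (var ms = new MemoryStream())
        using (var cs = new CryptoStream(ms, tdes.CreateEncryptor(), CryptoStreamMode.Write))
        {
            cs.Write(plaintext, 0, plaintext.Length);
            cs.FlushFinalBlock();   // writes the final padded block; without it ms is short
            return ms.ToArray();
        }
    }

    public static byte[] Decrypt(string passPhrase, byte[] ciphertext)
    {
        using (var tdes = CreateCipher(passPhrase))
        using (var ms = new MemoryStream())
        using (var cs = new CryptoStream(ms, tdes.CreateDecryptor(), CryptoStreamMode.Write))
        {
            cs.Write(ciphertext, 0, ciphertext.Length);
            cs.FlushFinalBlock();   // strips the PKCS7 padding, throws on a corrupt final block
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        const string passPhrase = "example passphrase";               // constructed sample value
        byte[] plaintext = Encoding.ASCII.GetBytes("03D78972DK647980F"); // the thread's 17-byte sample
        byte[] ct = Encrypt(passPhrase, plaintext);
        Console.WriteLine("ciphertext ({0} bytes): {1}", ct.Length, BitConverter.ToString(ct).Replace("-", ""));
        byte[] pt = Decrypt(passPhrase, ct);
        Console.WriteLine("round trip ok: " + (Encoding.ASCII.GetString(pt) == "03D78972DK647980F"));
    }
}
```

Two things worth checking against the thread's numbers: a 17-byte plaintext under CBC with PKCS7 padding gives exactly 24 bytes of ciphertext, which matches the 24 bytes the author first reported, while the C++ sample is 56 bytes, so the Crypto++ output evidently carries more than the bare block-cipher output (the thread does not say what). Whatever the extra framing is, the derivation scheme and the IV handling have to be read from the C++ side; no choice made in .NET alone will make the two libraries interoperate.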

