Symmetric Encryption/Decryption Pipeline Components

April 13, 2006. Comments [8]. Posted in: BizTalk

I just finished an initial implementation of a custom encryption/decryption pipeline component for BizTalk Server 2006. It supports all the symmetric algorithms that ship in the .NET Framework's System.Security.Cryptography namespace: RC2, Rijndael, DES and 3DES. Of these, Rijndael (the AES algorithm) is the sensible default for new deployments; RC2 and single DES are legacy algorithms.

Included are both an encoder and a decoder pipeline component, so you can encrypt and decrypt messages from your custom pipelines. The encoder does its work in a fully streaming fashion, while the decoder currently decrypts into an intermediate in-memory buffer (see this for the reason).

For both the encoder and decoder components, you only have to configure two properties:

[Screenshot: CryptoComp_Pipeline.png]

  • Algorithm: the symmetric algorithm used to encrypt/decrypt messages (RC2, Rijndael, DES or 3DES).
  • SsoConfigApp: the name of a Configuration Application in the Enterprise Single Sign-On config store that holds the Key and Initialization Vector to use for encryption/decryption. This way the key material lives in the SSO database (SSODB), encrypted under the SSO master secret, instead of sitting in the pipeline configuration or the binding file.

Initially I thought about using Jon Flanders' excellent utility for storing configuration data in SSO, but in the end decided to write my own to avoid external dependencies (something I usually try to do for pipeline components, as it makes deployment easier). Writing my own also let me add a few things that should simplify deployment somewhat.

I provide a sample WinForms application that you can use to create, open, update and delete ConfigApps in SSO to store keys and IVs securely. The application has the following features:

[Screenshot: CryptoComp_Config.png]

  1. The ConfigApp in SSO is created as a Config Store application with two custom fields, CryptoKey and CryptoIV. Both are stored as Base64-encoded strings.
  2. The utility uses WMI to query the name of the BizTalk Administrators group and the names of the user groups associated with each BizTalk host, and sets the admin and user groups of the SSO application to those values. I take advantage of a feature of SSO 3.0 that allows multiple groups to be associated as users of an SSO application, so you don't need to create a new group just so that every in-process and isolated host can access the configuration data.
  3. Both the Key and the IV are entered as a string of hexadecimal digits. If you don't want to write your own, the Generate buttons produce a Key/IV pair appropriate for the selected algorithm, via the GenerateKey() and GenerateIV() methods of the corresponding SymmetricAlgorithm-derived class.
  4. Some basic validation is done on the key and IV you enter, such as ensuring the length is valid for the selected algorithm (the key size must be one the algorithm accepts, and the IV must be exactly one block long).

You can download the code for this component here. The solution includes the pipeline component and the WinForms configuration application, as well as a messaging-only sample that uses both the encoder and decoder components.
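The pieces the component and its configuration tool put together, as an added example written for this page (it is not the component's own source): a factory for the four algorithm names above, hex encoding of a generated key and IV, the length checks from item 4, and a streaming CryptoStream round trip for the encoder and decoder sides. The algorithm choice and the message are constructed for the example; it targets the .NET Framework like the original (on .NET 6 and later Rijndael is marked obsolete and Aes.Create() is the replacement).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the component's source. Written for .NET Framework like the
// original; on .NET 6+ Rijndael is marked obsolete and Aes.Create() should be used.
static class CryptoPipelineDemo
{
    // The four algorithm names the component's Algorithm property chooses among.
    static SymmetricAlgorithm CreateAlgorithm(string name)
    {
        switch (name)
        {
            case "RC2":      return RC2.Create();
            case "Rijndael": return Rijndael.Create();
            case "DES":      return DES.Create();
            case "3DES":     return TripleDES.Create();
            default: throw new ArgumentException("Unsupported algorithm: " + name);
        }
    }

    // The config tool shows keys and IVs to the user as hex digits (two per byte).
    static string ToHex(byte[] data) { return BitConverter.ToString(data).Replace("-", ""); }

    static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("Hex string needs an even number of digits");
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // The validation the config tool performs before saving: the key size must be one the
    // algorithm accepts, and the IV must be exactly one block long.
    static void ValidateKeyAndIv(SymmetricAlgorithm alg, byte[] key, byte[] iv)
    {
        if (!alg.ValidKeySize(key.Length * 8))
            throw new ArgumentException(key.Length + "-byte key is not a legal size for " + alg.GetType().Name);
        if (iv.Length != alg.BlockSize / 8)
            throw new ArgumentException("IV must be " + (alg.BlockSize / 8) + " bytes for " + alg.GetType().Name);
    }

    // Streaming transform: copies input through a CryptoStream in fixed-size chunks, so the
    // whole message is never held in memory (the way the encoder component works).
    static void Transform(ICryptoTransform transform, Stream input, Stream output)
    {
        using (transform)
        using (CryptoStream cs = new CryptoStream(output, transform, CryptoStreamMode.Write))
        {
            byte[] buffer = new byte[4096];
            int read;
            while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                cs.Write(buffer, 0, read);
            cs.FlushFinalBlock();   // emits the final (padded) block
        }
    }

    static void Main()
    {
        string algorithmName = "3DES";   // constructed choice for the example

        // 1. The "Generate" buttons: let the algorithm pick a key and IV of the right size.
        byte[] key, iv;
        using (SymmetricAlgorithm gen = CreateAlgorithm(algorithmName))
        {
            gen.GenerateKey();
            gen.GenerateIV();
            key = gen.Key;
            iv = gen.IV;
        }
        string keyHex = ToHex(key), ivHex = ToHex(iv);
        Console.WriteLine("CryptoKey as typed (hex):   " + keyHex);
        Console.WriteLine("CryptoIV  as typed (hex):   " + ivHex);
        Console.WriteLine("CryptoKey as stored in SSO: " + Convert.ToBase64String(key));

        // 2. Encoder side: parse the hex the user typed, validate it, encrypt the message stream.
        byte[] message = Encoding.UTF8.GetBytes("<Order id=\"42\"/>");  // constructed sample message
        MemoryStream encrypted = new MemoryStream();
        using (SymmetricAlgorithm enc = CreateAlgorithm(algorithmName))
        {
            byte[] k = FromHex(keyHex), v = FromHex(ivHex);
            ValidateKeyAndIv(enc, k, v);
            enc.Key = k;
            enc.IV = v;
            Transform(enc.CreateEncryptor(), new MemoryStream(message), encrypted);
        }

        // 3. Decoder side. Any .NET application holding the same algorithm, key and IV can do
        //    this with the standard classes; the component's DLL is not required.
        MemoryStream decrypted = new MemoryStream();
        using (SymmetricAlgorithm dec = CreateAlgorithm(algorithmName))
        {
            dec.Key = FromHex(keyHex);
            dec.IV = FromHex(ivHex);
            Transform(dec.CreateDecryptor(), new MemoryStream(encrypted.ToArray()), decrypted);
        }
        Console.WriteLine("Round trip OK: " + (Encoding.UTF8.GetString(decrypted.ToArray()) == "<Order id=\"42\"/>"));
    }
}
```

The defaults the .NET classes apply here are CBC mode with PKCS7 padding, so the ciphertext is a multiple of the block size and a fixed key/IV pair produces identical ciphertext for identical messages. Note that this gives confidentiality only: nothing in the scheme detects a modified ciphertext, so a receiver that must also trust the message's integrity needs a MAC or signature in addition to this encoding.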



Thursday, November 16, 2006 8:34:30 AM (SA Pacific Standard Time, UTC-05:00)
Tomas,

I am a newbie to BizTalk. I tried your encryption/decryption component with some success today; thanks for putting it out for us. But I have a few points of confusion where I got stuck using it.

1. When I create an SSO Configuration Application after running your application, it is created successfully, but when I try to open it, it breaks with this error:
"The mapping does not exist. For Config Store applications, the config info has not been set".

2. What I did then was generate the keys and then try to save them, which gave me this error:

"The parameter is incorrect" at store.SetConfigInfo() method.

I worked around this by hard-coding the appName argument in the method to the config application I had just made using the same form. It worked!

3. I then provided that application's name in the send pipeline component's SSOConfigAppName and deployed it.

4. It worked and it encrypted the outgoing message.

5. Now how do I decrypt that message to use it in any application? Would I need to use the same DLL that I used in BizTalk for that? And what about the errors I mentioned in points 2 and 3; how can I get rid of them?

I'd be very grateful if you could take a bit of your time to answer my queries.


Thanks and Regards,
Sajid.
Sajid Hussain
Thursday, November 16, 2006 4:19:11 PM (SA Pacific Standard Time, UTC-05:00)
Number 1 sounds like a permissions issue, maybe. Number 2 is strange; I definitely haven't seen that myself. It might be something in the name you're using, perhaps? What name are you giving to your SSO application?

As to number 5, what you'd need is for the other application to decrypt the message using the same algorithm you encrypted it with, and the same set of keys. It is not necessary to actually use the same DLL; as long as you're choosing the right options you can do it using the standard .NET crypto classes (which are what my pipeline components use underneath, anyway).
Saturday, November 18, 2006 4:48:56 AM (SA Pacific Standard Time, UTC-05:00)
Tomas,

Thanks for the reply.

I am trying the code given at http://support.microsoft.com/kb/307010
to decrypt the messages encrypted using your components, using the DES algorithm. But it just doesn't work, although both are using the same algorithm.

1. The key that is generated by your utility is not accepted by this program; it says its size is not valid.

2. When I generate a key using that program and try to make an SSO app using your utility with that key, your utility says it's invalid.

So they don't seem to be using the same type of key. Can you please have a look at that code and tell me how I can decrypt messages encrypted by your component using it? Or give me some code which I can use in an application to decrypt/encrypt messages encrypted/decrypted by your component.
Sajid Hussain
Sunday, November 19, 2006 8:31:04 PM (SA Pacific Standard Time, UTC-05:00)
The code above and my own code don't represent the keys in the same format. My utility presents keys as a set of bytes written out in hexadecimal; the utilities in the link you mention expect the keys to be simple strings that they then convert to bytes directly using an encoding (i.e. based on the ASCII codes of the characters in the string). Two completely different things. You need to handle them the same way.
Thursday, January 25, 2007 1:13:41 PM (SA Pacific Standard Time, UTC-05:00)
How do you get around the issue of having an ASCII key? Can I convert the ASCII key that I have? Or can I comment out the hexadecimal check?
Glenn
Thursday, January 25, 2007 4:26:12 PM (SA Pacific Standard Time, UTC-05:00)
Glenn,

If you want to allow the user to enter any text as the password, just modify the config tool to use Encoding.ASCII.GetBytes() on the text or something like that.
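An added example (not code from the post or from the KB article) contrasting the two key conventions this exchange is about: bytes named by pairs of hex digits, as the config tool reads them, versus bytes that are the characters' ASCII codes, as the KB-style sample reads them. It shows why each side rejects the other's key string, and how an existing ASCII key can be converted for the config tool without changing it. The 8-character secret is constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the post or the KB article: the two ways a typed key
// string becomes key bytes, and why each side rejects the other's keys.
static class KeyFormatDemo
{
    // Convention used by the config tool: each pair of hex digits names one key byte.
    static byte[] KeyFromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("odd number of hex digits");
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);  // throws on non-hex characters
        return bytes;
    }

    // Convention used by the KB-style sample: the key bytes are the characters' ASCII codes.
    static byte[] KeyFromAscii(string text) { return Encoding.ASCII.GetBytes(text); }

    // Reports what DES makes of a candidate key: legal size (64 bits) and weak-key status.
    static string Describe(DES des, string label, byte[] key)
    {
        bool legal = des.ValidKeySize(key.Length * 8);
        bool weak = legal && (DES.IsWeakKey(key) || DES.IsSemiWeakKey(key));
        return string.Format("{0}: {1} bytes, legal DES size: {2}, weak: {3}", label, key.Length, legal, weak);
    }

    static void Main()
    {
        using (DES des = DES.Create())
        {
            string asciiKey = "Passw0rd";   // constructed 8-character secret, as the KB sample expects
            byte[] a = KeyFromAscii(asciiKey);
            Console.WriteLine(Describe(des, "ASCII \"" + asciiKey + "\"", a));   // 8 bytes, legal

            // Converting an existing ASCII key for the config tool: hex-encode its bytes.
            string asHex = BitConverter.ToString(a).Replace("-", "");   // "5061737377307264"
            Console.WriteLine("Same key in the config tool's format: " + asHex);
            Console.WriteLine(Describe(des, "Hex " + asHex, KeyFromHex(asHex)));   // the same 8 bytes

            // The first error reported above: a 16-digit hex key pasted into an ASCII-keyed
            // program becomes 16 bytes = 128 bits, which DES does not accept.
            Console.WriteLine(Describe(des, "Hex text read as ASCII", KeyFromAscii(asHex)));   // 16 bytes, not legal

            // The second error: an ASCII passphrase pasted into the config tool is not hex at all.
            try { KeyFromHex(asciiKey); }
            catch (FormatException e) { Console.WriteLine("Config tool rejects \"" + asciiKey + "\": " + e.Message); }

            // The Key setter enforces the same size rule and also refuses weak/semi-weak keys.
            des.Key = a;
            Console.WriteLine("Key accepted by DES.Key");
        }
    }
}
```

Whichever convention a tool uses, an ASCII-derived key only ever spans printable characters, so its entropy is far below the 56 bits DES nominally offers (and a 16-byte AES key typed as text is weaker still); a human-chosen passphrase should go through a key-derivation function rather than be used as the raw key, and the tool's randomly generated keys are the better choice where both ends can share hex or Base64 key material.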
Tuesday, June 12, 2007 10:50:56 PM (SA Pacific Standard Time, UTC-05:00)
I want to use this encryption with SSO, so can you explain the procedure to me briefly?
nikunj
Wednesday, June 13, 2007 6:35:43 AM (SA Pacific Standard Time, UTC-05:00)
Just use the WinForms utility included in the zip. It can create the SSO application to store the keys, generate and save the keys; then just specify the name of the SSO application in the pipeline component configuration.
About

Tomas Restrepo is a software developer located in Colombia, South America. His interests include .NET, Connected Systems, PowerShell and lately dynamic programming languages. More...
Copyright © 2002-2008, Tomas Restrepo.