Encryption and Decryption tips for Silverlight apps

We recently created a Silverlight application to manage orders submitted on one of our client's e-commerce websites. Everything was going well until it was realized that the customer billing information was encrypted in the database.

So I started to research encryption/decryption in Silverlight. This blog post offers one option on how to solve this encryption/decryption challenge with Silverlight applications.

The Issue

After some research I found that the billing information was stored using the Triple DES algorithm. I thought I would take the code from our encryption DLL and replicate it in Silverlight. I quickly found that Silverlight did not like DES. I needed to find another way to resolve this roadblock.

Our Resolution

After more research I found a blog entry on Silverlight Encryption using the AES algorithm, which was documented by Davide Zordan. This article includes great information about the AES algorithm and some sample code. I would suggest reading this entry to learn more about the AES algorithm and to get the code.

So now I have a string encrypted in DES, but Silverlight can only decrypt using AES. Here is what I came up with to resolve this issue.
  1. Silverlight gets order details and encrypted billing information from web service call.
  2. Silverlight invokes Decrypt web method passing in the encrypted value
  3. Web server invokes the decrypt web method - decrypts the DES value, encrypts plain text value using AES, and returns the AES encrypted value
  4. Silverlight receives AES encrypted value and decrypts using AES decryption
  5. Silverlight displays billing information to user.
Note that using this technique the billing information is always encrypted when passing between the server and the client. Of course this would be avoided if the values were encrypted using AES in the first place. Here is how to implement this solution.
  1. Create a web method (called via JavaScript) called "Decrypt". This method will do the following:
    1. Decrypt a DES encrypted string
    2. Encrypt using the AES algorithm
    3. Return the encrypted string back to the caller
  2. Silverlight – when reading the DES encrypted string make a call to the Decrypt method
  3. Silverlight – create a ScriptableMember() method to accept the results from the Decrypt method
Here are some code samples:

Decrypt web method (on my ASP.NET page)

    [WebMethod]
    public static string Decrypt(string encrypted)
    {
        //Decrypt to a plain text
        string decryptedValue = Helpers.Decrypt(encrypted);

        //Encrypt to a format that Silverlight can decrypt
        return FREncryptionLibrary.FREncryptionProvider.EncryptSilverlight(decryptedValue);
    }
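The page does not show `Helpers.Decrypt` or `EncryptSilverlight`, so here is the server-side step 3 (Triple DES in, AES out) as an added example, not the original post's code. The class name `BillingTranscoder`, its parameters, the stored Triple DES format and the IV-prefixed Base64 output format are all assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example: hypothetical stand-in for the page's Helpers.Decrypt and
// EncryptSilverlight helpers. Key handling and wire format are assumptions.
public static class BillingTranscoder
{
    // Run one ICryptoTransform over a buffer and return the output bytes.
    private static byte[] Transform(ICryptoTransform transform, byte[] input)
    {
        using (transform)
        using (var buffer = new MemoryStream())
        {
            using (var crypto = new CryptoStream(buffer, transform, CryptoStreamMode.Write))
            {
                crypto.Write(input, 0, input.Length);
                crypto.FlushFinalBlock();
            }
            return buffer.ToArray();
        }
    }

    // Assumed stored format: Base64 of Triple DES CBC/PKCS7 ciphertext, fixed IV.
    // Returned format: Base64 of (16-byte random IV || AES-CBC ciphertext).
    public static string DesToAes(string desBase64, byte[] desKey, byte[] desIv, byte[] aesKey)
    {
        byte[] plain;
        using (var des = new TripleDESCryptoServiceProvider { Key = desKey, IV = desIv })
            plain = Transform(des.CreateDecryptor(), Convert.FromBase64String(desBase64));
        try
        {
            using (var aes = new AesManaged { Key = aesKey })
            {
                aes.GenerateIV(); // fresh IV per value, so equal inputs differ on the wire
                byte[] iv = aes.IV;
                byte[] cipher = Transform(aes.CreateEncryptor(), plain);
                byte[] packet = new byte[iv.Length + cipher.Length];
                Buffer.BlockCopy(iv, 0, packet, 0, iv.Length);
                Buffer.BlockCopy(cipher, 0, packet, iv.Length, cipher.Length);
                return Convert.ToBase64String(packet);
            }
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not keep card data in memory
        }
    }
}
```

The Silverlight side reads the first 16 bytes as the IV and decrypts the rest with the same AES key. Since that key ships inside the client, serve the page and the web method over HTTPS as well.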

Silverlight Call to the Decrypt method

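    // requires: using System.Collections.Generic; using System.Windows.Browser;

    // Pending decrypt requests, processed one at a time
    Queue<NameValuePairEncryption> lstDecrypt = new Queue<NameValuePairEncryption>();
    bool isDecrypting = false;

    private void DecryptValue(EncryptionOption option, string value)
    {
        NameValuePairEncryption pair = new NameValuePairEncryption();
        pair.Option = option;
        pair.Value = value;
        lstDecrypt.Enqueue(pair);

        // Only start a call if none is in flight; DecryptResults starts the next one
        if (!isDecrypting)
        {
            isDecrypting = true;
            HtmlPage.Window.Invoke("Decrypt", value);
        }
    }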

Silverlight Method to receive the AES encrypted value

    [ScriptableMember]
    public void DecryptResults(string result)
    {
        //This value is still AES encrypted; decrypt it on the client
        result = EncryptionMethods.DecryptSilverlight(result);

        if (lstDecrypt.Count > 0)
        {
            //The result belongs to the request at the head of the queue
            NameValuePairEncryption pair = lstDecrypt.Dequeue();
            switch (pair.Option)
            {
                case EncryptionOption.CreditCardNumber:
                    txtCreditCardNumber.Text = result;
                    break;
                case EncryptionOption.CreditCardExpYear:
                    txtCreditCardExpYear.Text = result;
                    break;
                case EncryptionOption.CreditCardExpMonth:
                    txtCreditCardExpMonth.Text = result;
                    break;
                case EncryptionOption.CreditCardPIN:
                    txtCreditCardPIN.Text = result;
                    break;
                default:
                    break;
            }

            isDecrypting = false;

            //Start the next queued request; it stays queued until its result arrives
            if (lstDecrypt.Count > 0)
            {
                NameValuePairEncryption pair2 = lstDecrypt.Peek();
                isDecrypting = true;
                HtmlPage.Window.Invoke("Decrypt", pair2.Value);
            }
        }
    }

You will note that I am queueing up decryption requests. I do this because I have multiple values to decrypt in one record and this gives me control to decrypt one value at a time. That's it! The result gives me different options for encrypting/decrypting sensitive information. Hope this can provide some tips and ideas for your project!