Saturday, April 23, 2011

Encryption between Python and C#

I do a lot of work in restricted environments, where I still need to secure internet traffic. I chose to use the RC4 algorithm because it is simple to implement and relatively fast. It is actually easy enough that a simple programmer like myself could write matching Python and C# implementations!

RC4 is also a stream cipher, which means you don't need to worry about breaking your cleartext into blocks, padding them out... and other related pain.

If you do use RC4, you should be aware that it has some vulnerabilities.

Python:
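def RC4(data, key):
    # data and key are strings, treated as one byte per character
    x = 0
    s = list(range(256))  # list() so the state can be swapped in place on Python 3
    # Key scheduling: permute the state array using the key
    for i in range(256):
        x = (x + s[i] + ord(key[i % len(key)])) % 256
        s[i], s[x] = s[x], s[i]
    x = y = 0
    out = ""
    # Keystream generation: XOR each character with the next keystream byte
    for c in data:
        x = (x + 1) % 256
        y = (y + s[x]) % 256
        s[x], s[y] = s[y], s[x]
        out += chr(ord(c) ^ s[(s[x] + s[y]) % 256])
    return out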


C#:
using System;

public class RC4
{
    // Encrypts or decrypts the buffer in place (RC4 is symmetric).
    static public void Cipher (ref byte[] bytes, string skey)
    {
        var key = System.Text.ASCIIEncoding.ASCII.GetBytes(skey);
        byte[] s = new byte[256];
        byte[] k = new byte[256];
        byte temp;
        int i, j;

        // Initialise the state and repeat the key to fill 256 bytes.
        for (i = 0; i < 256; i++) {
            s[i] = (byte)i;
            k[i] = key[i % key.GetLength (0)];
        }

        // Key scheduling: permute the state using the key.
        j = 0;
        for (i = 0; i < 256; i++) {
            j = (j + s[i] + k[i]) % 256;
            temp = s[i];
            s[i] = s[j];
            s[j] = temp;
        }

        // Keystream generation: XOR each byte with the next keystream byte.
        i = j = 0;
        for (int x = 0; x < bytes.GetLength (0); x++) {
            i = (i + 1) % 256;
            j = (j + s[i]) % 256;
            temp = s[i];
            s[i] = s[j];
            s[j] = temp;
            int t = (s[i] + s[j]) % 256;
            bytes[x] ^= s[t];
        }
    }
}

6 comments:

Larry said...

Simple is good, but if your data is valuable enough to protect, you should protect it. RC4 is considered broken, and the situation worsens without the use of a nonce.

Modern day stream ciphers like Salsa20/12 and ChaCha8 offer true 128-bit protection and avoid the many foibles of RC4. ...and they can be faster than RC4.

If your concern is the amount of code you need to write, remember that you don't need to write it. Consider using/importing already written Python modules. There are several that are free for any use. Here is one.
http://buggywhip.us

Likewise for C#. Google found this C# implementation. I see there are others.
http://code.logos.com/blog/2008/06/salsa20_implementation_in_c_1.html

More...
http://en.wikipedia.org/wiki/Salsa20
http://cr.yp.to/streamciphers/attacks.html

Larry
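
Added example (Python 3, not the post author's or the commenter's code): a bytes-based RC4 equivalent to the two listings in the post, checked against widely published RC4 test vectors so the Python and C# sides can be verified against the same table, plus a check of the nonce point raised in the comment above: with a fixed key, two ciphertexts XOR to the XOR of their plaintexts. The `rc4_with_nonce` helper and its SHA-256(key || nonce) key derivation are assumptions for illustration, and the sample key, nonces and messages are constructed.

```python
import hashlib

def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 over bytes, same argument order as the post's RC4(data, key)."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                            # keystream generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_with_nonce(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Assumed construction: per-message RC4 key = SHA-256(key || nonce).
    The fixed-length nonce is sent in the clear and never reused with a key."""
    return rc4(data, hashlib.sha256(key + nonce).digest())

# Widely published RC4 test vectors: (key, plaintext, ciphertext hex).
# Feeding the same table to the C# Cipher() confirms both sides agree.
VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]

def check_vectors() -> bool:
    return all(rc4(pt, key).hex() == ct for key, pt, ct in VECTORS)

def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two ciphertexts under one fixed key XOR to p1 XOR p2."""
    return xor(rc4(p1, key), rc4(p2, key)) == xor(p1, p2)

if __name__ == "__main__":
    # Constructed sample key and messages.
    key, p1, p2 = b"constructed-key", b"sensor 01: 20.5C", b"sensor 02: 19.0C"
    print(check_vectors(), reuse_leak(key, p1, p2))           # True True
    c1, c2 = rc4_with_nonce(p1, key, b"nonce-01"), rc4_with_nonce(p2, key, b"nonce-02")
    print(xor(c1, c2) == xor(p1, p2))                         # False
```

The keystream-reuse result holds for any stream cipher used with a fixed key and no nonce, not only RC4.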

Anonymous said...

Writing your implementation == bad. Always rely on well known, well tested libraries.

Simon Wittber said...

@Anonymous That's a bit of a daft attitude, and a fine way to learn nothing at all. Besides...

"I do a lot of work in restricted environments"

Sometimes you don't have a choice.

BigJason said...

It's worth noting that the C# code can easily be ported to any .net language. It's not C# specific.

privacy said...

Hey Simon,

How are you doing?

I found your post really interesting, I think that a weak encryption is better than no encryption at all.

Thanks and keep up the good work
