Common encryption algorithm between Java and C#

Question:

Problem

I am creating a Web Service in C# to be consumed by an Android (Java) application, among other information I would like to pass the user's credentials to offline login to the application. But these credentials I would like to send encrypted (from C#), and save them in the application, and when logging into the application I want to encrypt the password entered by the user at the entrance, with the same encryption algorithm used in C#, to compare it with the credential saved in the app.

Passwords will not be changed in the application, it is only possible in the legacy system where the Web Service consults. And the entire strategy to keep this data synchronized ( offline application and legacy system) is already implemented.

Doubt

I don't understand encryption algorithms very well, to the point of knowing how they work internally, for example: I don't know if the C# md5 has the same internal functioning as the Java md5, that is, if they always have the same input they will have the same output, regardless of whether it is in Java or C#.

So I would like to know if there is any encryption algorithm, common to both technologies, that I can reliably use in my case?

Answer:

From what I understand are your questions:

  1. Yes, the "encryption mechanisms" are the same, that is: implemented the same algorithm with the same initialization parameters, the result obtained must be the same = identical outputs.

  2. MD5 isn't exactly cryptography, it's a hash : it takes an input of any size and turns it into an output of a fixed size. And it's irreversible: from the output produced you can't (or shouldn't be able to) tell what the input was.

  3. The MD5 output of a Java library should be the same as a C# library, which should be the same as Perl, which should be the same as an .EXE program that calculates an MD5 hash.

And if I understand, you want to have a C# application on a server that checks the user's password, this? And you want your Java application to store the same password on the device (mobile?) and the user to type the password to enter the application, this? For example, if user is logged in, enter password and it is validated on the server, if user is offline, enter password and it is validated in the application ?

If so, then: (which I think is the best approach)

  1. offline: On the first use or installation, the password is typed by the user, your java application hash it (using bcrypt or scrypt or pbkdf2, MD5 is no longer suitable for a while) and stores it on the device. The next time the user logs in offline, the application hash again and compares whether the saved hash is the same as the hash that was just calculated, and authorizes the user or not.

  2. online: all the same as step 1, except it is saved on the server and not on the device. Remember that this is internet access with an "open" password, that is, in plain text , and anyone intercepting the communication could see the password. Use communication encryption mechanisms (Https, etc).

  3. offline – online password sync : along with the password store a value of when the password was last changed. When the app is in online mode, send the password hash and date to the server: if the device's password is the latest, it updates the server's.

  4. Password change: every time the user changes the password online, the application changes the password offline (calculates the hash and saves it offline), and this completes step 3. Every time you change it offline, item 3 will make it be synchronized with the server on first access.

And most of all, learn well how to securely store the password on the device. Even though it is saved in hash form, it could always be possible for an attacker to try to change this hash to a hash he knows (ie he will hash a password he knows so he will know the password). Every operating system (Android, iOS) has mechanisms to restrict this type of access, learn how to use them.

Scroll to Top