Encrypt String (RSA x509) Android, iOS
-
one of my customers wants to use RSA encryption to verify that the app can get access to server
they want to give me a Public Key and then I have to encrypt the user password and send as base64 to server
this only happens at user login
I don't have to do any other kind of crypt stuff - only the encryption of the password
my customer already has C# code where they tested client-side encryption:
```csharp
byte[] encryptedBytes = encryptString(password);
string encryptedPwdB64 = Convert.ToBase64String(encryptedBytes);
string clientRequest = String.Concat(username, ":", encryptedPwdB64);
….
private static byte[] encryptString(string textToEncrypt)
{
    // x509 is the certificate object holding the customer's public key (declared elsewhere)
    RSACryptoServiceProvider publicKeyProv = (RSACryptoServiceProvider)x509.PublicKey.Key;
    // second argument (fOAEP) = true selects OAEP padding
    byte[] encryptedBytes = publicKeyProv.Encrypt(Encoding.UTF8.GetBytes(textToEncrypt), true);
    String encryptedText = System.Text.Encoding.UTF8.GetString(encryptedBytes);
    return encryptedBytes;
}
```
any ideas what would be the easiest way for me to do the same with Qt 5.7+ - QtQuickControls2 App running on Android and iOS ?
never added 3rd party libs before
thx
-
Since you are probably shipping OpenSSL with your code anyway (or at least I hope you are using SSL to connect over the network) you can use that to do the encryption, see http://hayageek.com/rsa-encryption-decryption-openssl-c/ for an example.
P.S.
Password encryption is a VERY BAD idea! Passwords should be stored as salted hashes (SHA3-512 is an option)
-
@ekkescorner
RSA encryption is not supported directly by Qt. You need to use OpenSSL for this.
This can be a very cumbersome task to compile OpenSSL for Android and iOS yourself.
For Android see this, for iOS this.
Use OpenSSL v1.0x (not v1.1.x)
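What the C# call in the question puts on the wire, as an added reference model that is not part of the original posts: `Encrypt(..., true)` means RSA with OAEP padding (SHA-1, MGF1, empty label), and the request is `username:base64(ciphertext)`. It uses only the Python standard library so that the output of an OpenSSL or Crypto++ client can be checked against it; the function names and the demo key (built from two Mersenne primes) are constructed for this example, and a real client takes the modulus and exponent from the customer's X.509 certificate and does the encryption with a vetted library.

```python
import base64, hashlib, os

H_LEN = 20                              # SHA-1 digest size; fOAEP=true uses SHA-1
L_HASH = hashlib.sha1(b"").digest()     # hash of the (empty) OAEP label

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function with SHA-1 (RFC 8017, B.2.1)."""
    blocks = (length + H_LEN - 1) // H_LEN
    out = b"".join(hashlib.sha1(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, seed: bytes) -> bytes:
    """EME-OAEP encoding; k is the modulus length in bytes, seed is H_LEN random bytes."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("password too long for this key size")
    db = L_HASH + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes) -> bytes:
    """Inverse of oaep_encode, as applied server-side after the RSA private-key step."""
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    rest = db[H_LEN:].lstrip(b"\x00")   # drop the zero padding string
    if em[0] != 0 or db[:H_LEN] != L_HASH or rest[:1] != b"\x01":
        raise ValueError("decryption error")
    return rest[1:]

def build_login_request(username: str, password: str, n: int, e: int) -> str:
    """Client side: 'username:base64(RSA-OAEP(password))' with public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    em = oaep_encode(password.encode("utf-8"), k, os.urandom(H_LEN))
    cipher = pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")
    return username + ":" + base64.b64encode(cipher).decode("ascii")

def decrypt_login_request(request: str, n: int, d: int) -> tuple:
    """Server side: split the request and recover the password with private exponent d."""
    username, b64 = request.split(":", 1)
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(base64.b64decode(b64), "big"), d, n).to_bytes(k, "big")
    return username, oaep_decode(em).decode("utf-8")

# Constructed demo key (Mersenne primes, trivially factorable): for testing the format only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
```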
-
@VRonin customer doesn't use SSL because all is running with AndroidForWorks on BlackBerry Infrastructure where all is encrypted
customer doesn't store the passwords encrypted - only uses this encryption as an extra step to verify app access
-
@ekkescorner
this isn't a matter of SSL. OpenSSL is a cryptographic library you need to use to encrypt your data.
To add up to @VRonin: for SHA hashes Qt has support via QCryptographicHash class.
-
@raven-worx thx. had the fear I have to add OpenSSL ;-)
it's already on my todo list because I'll need this for Android 7 for customers using SSL
So I'll try to add OpenSSL - thx for the links
-
@ekkescorner said in Encrypt String (RSA x509) Android, iOS:
@raven-worx thx. had the fear I have to add OpenSSL ;-)
So I'll try to add OpenSSL - thx for the links
ó.Ò
-
@ekkescorner said in Encrypt String (RSA x509) Android, iOS:
customer doesn't use SSL
I'm curious now... you encrypt locally, send over unsecure network and decrypt locally on the other side? If so how can you prevent men-in-the-middle?
-
@VRonin the network is secure. it's AndroidForWork on BlackBerry Enterprise Server. you could think that it's something like a VPN.
most of my mobile business apps are running on BlackBerry Server and 90% of the customers only use http because all is encrypted: devices and traffic
in this case where very sensible data can be accessed it's only an extra verification step.
-
@ekkescorner I only now read your username. Sorry for treating you as "not an expert" in network and/or password encryption.
I think you still have 2 options apart from OpenSSL:
- Use Android's built in encryption with QAndroidJniObject: https://www.example-code.com/android/rsa_encryptstrings.asp
- use CryptoC++ https://www.cryptopp.com/wiki/RSA_Cryptography
-
@VRonin said in Encrypt String (RSA x509) Android, iOS:
@ekkescorner I only now read your username. Sorry for treating you as "not an expert" in network and/or password encryption.
I think you still have 2 options apart from OpenSSL:
- Use Android's built in encryption with QAndroidJniObject: https://www.example-code.com/android/rsa_encryptstrings.asp
- use CryptoC++ https://www.cryptopp.com/wiki/RSA_Cryptography
thx for this worthful info - will try CryptoC++ - need solution for Android and iOS