lysergic-acid

Reputation: 20050

Best practice for encrypting on the client

I am currently using a web API that allows an "Encryption" option.

I can set up my account to have a "shared key", and using this key I should encrypt all data on the client before submitting it to the server.

Details from their website:

Encryption Algorithm: DES

Block Mode: ECB

Padding: PKCS7 or PKCS5 (they are interchangeable)

"Shared key" in this context, I believe, means a symmetric algorithm (the same key is used to encrypt/decrypt), although I may be wrong on this one.

I would like to know: what is the best practice for handling this scenario on the client side?

If my application's logic should be using this key to encrypt data, how is it safe from a hacker?

Note that my app is written in C#, meaning it can be decompiled practically for free.

Upvotes: 0

Views: 1157

Answers (3)

Romil Kumar Jain

Reputation: 20745

In this manner, the client will encrypt the data with one key and the server will decrypt it with a different key. This is called asymmetric encryption/decryption.

The .NET Framework provides the RSACryptoServiceProvider and DSACryptoServiceProvider classes for asymmetric encryption. These classes create a public/private key pair when you use the default constructor to create a new instance. Asymmetric keys can be either stored for use in multiple sessions or generated for one session only. While the public key can be made generally available, the private key should be closely guarded.

For example [VB.NET]:

Imports System.Security.Cryptography

Dim cspParam As CspParameters = New CspParameters()
cspParam.Flags = CspProviderFlags.UseMachineKeyStore
' Keep the declaration and the initialiser on one line: VB does not allow a line break before "="
Dim RSA As RSACryptoServiceProvider = New RSACryptoServiceProvider(cspParam)

The key information from the cspParam object above can be saved via:

Dim publicKey as String = RSA.ToXmlString(False) ' gets the public key
Dim privateKey as String = RSA.ToXmlString(True) ' gets the private key

The above methods enable you to convert the public and/or private keys to XML strings. And of course, as you would guess, there is a corresponding FromXmlString method to get them back. So, to encrypt some data with the public key (the no-parameter constructor is used, as we are loading our keys from XML and do not need to create a new cspParams object):

Dim str As String = "HelloThere"
Dim RSA2 As RSACryptoServiceProvider = New RSACryptoServiceProvider()
' ---Load the public key: RSA encryption uses the public key---
RSA2.FromXmlString(publicKey)
Dim EncryptedStrAsByt() As Byte = RSA2.Encrypt(System.Text.Encoding.Unicode.GetBytes(str), False)
' Base64 preserves the raw ciphertext bytes; decoding them as Unicode text would corrupt them
Dim EncryptedStrAsString As String = Convert.ToBase64String(EncryptedStrAsByt)

and as a "proof of concept", to DECRYPT the same data, but now using the Public key:

Dim RSA3 As RSACryptoServiceProvider = New RSACryptoServiceProvider()
' ---Load the private key: only the private key can decrypt (Decrypt throws with a public-only key)---
RSA3.FromXmlString(privateKey)
Dim DecryptedStrAsByt() As Byte = RSA3.Decrypt(Convert.FromBase64String(EncryptedStrAsString), False)
Dim DecryptedStrAsString As String = System.Text.Encoding.Unicode.GetString(DecryptedStrAsByt)

Upvotes: 0

pabdulin

Reputation: 35229

If shared key means public key then you are, most probably, using one of the algorithms known as asymmetric encryption. This way you are safe from the hacker, since the public key can't be used to decrypt data.

If it's symmetric then it all depends on how secure the key is. You can store it separately from the program (so the user can store it securely on a flash drive). So each user must have its own key; it's not possible to use one symmetric key for all.

Upvotes: 0

Douglas

Reputation: 54887

Unless your key is compromised, the transmission of your data is safe – anyone eavesdropping on your client–server connection would not be able to decrypt your data unless they have your key.

Your main challenge lies in the secure storage of the key locally on both the client and the server. To this end, I would suggest looking into the Windows Data Protection API (DPAPI) exposed through the ProtectedData class in .NET.

Upvotes: 1
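As an added example (not code from the question or from any of the answers), here is the DES/ECB/PKCS7 encryption the asker's API mandates, with the shared key kept on disk only as a DPAPI ProtectedData blob as Douglas suggests; it assumes a Windows client and a reference to the System.Security.Cryptography.ProtectedData assembly, and the key bytes are a constructed sample.

```csharp
// Added example (not from the question or any answer): DES/ECB/PKCS7 as the
// API mandates, shared key kept out of the binary via DPAPI as Douglas suggests.
// Assumes Windows plus a reference to System.Security.Cryptography.ProtectedData.
using System;
using System.Security.Cryptography;
using System.Text;

static class SharedKeyClient
{
    // Wrap the raw 8-byte DES key for on-disk storage. Only the same Windows user
    // on the same machine can unwrap it, so a decompiled assembly holds no key.
    public static byte[] WrapKey(byte[] desKey) =>
        ProtectedData.Protect(desKey, null, DataProtectionScope.CurrentUser);
    public static byte[] UnwrapKey(byte[] wrappedKey) =>
        ProtectedData.Unprotect(wrappedKey, null, DataProtectionScope.CurrentUser);

    // Exactly the parameters the API documents. ECB has no IV and is
    // deterministic: identical plaintext blocks yield identical ciphertext blocks.
    private static DES NewDes(byte[] key)
    {
        var des = DES.Create();
        des.Key = key;                 // throws on DES weak/semi-weak keys
        des.Mode = CipherMode.ECB;
        des.Padding = PaddingMode.PKCS7;
        return des;
    }
    public static byte[] EncryptForApi(byte[] key, string plaintext)
    {
        using (var des = NewDes(key))
        using (var enc = des.CreateEncryptor())
        {
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            return enc.TransformFinalBlock(data, 0, data.Length);
        }
    }
    public static string DecryptFromApi(byte[] key, byte[] ciphertext)
    {
        using (var des = NewDes(key))
        using (var dec = des.CreateDecryptor())
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length));
    }
    static void Main()
    {
        // Constructed sample key standing in for the value from the API's account page.
        byte[] sharedKey = { 0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1 };
        byte[] stored = WrapKey(sharedKey);   // persist this blob, never the raw key
        byte[] ct = EncryptForApi(UnwrapKey(stored), "account=42;amount=10");
        Console.WriteLine(Convert.ToBase64String(ct));
        Console.WriteLine(DecryptFromApi(UnwrapKey(stored), ct));
    }
}
```

Because DPAPI binds the blob to the Windows user account, the wrapped key must be produced on each client separately rather than shipped inside the installer.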
