Encrypt string in C# and decrypt it in Delphi

Question

I'm writing a web app in ASP.Net that creates a licence key for a Windows app written in Delphi. For simplicity I'm going to use a email address and date.

I want to encrypt it in C# and email that info to the person then when the Windows app starts up the person enters in the encrypted string.

Every time the Windows app starts it checks that licence by decrypting it and comparing to todays date.

How can I do this to ensure the C# encryption will decrpyt succesffuly in Delphi?

Answer 1

"the world was full of bad security systems designed by people who read Applied Cryptography"

While the trivial answer is 'use the same algorithm and make sure you have the same keys and initial vector', this answer only exposes the true problem you are going to have: How are you going to protect the encryption key? Mail it along with the license? Embed it in the application? The truth is that there is no protocol that can bootstrap itself w/o a root of trust, either a public trusted authority or a shared secret. A shared secret is easy to code, but complete useless in practice (which means AES, 3DES, XDES or any other similar cipher are not the answer), so you need an scheme that starts based on public key cryptography. For such, to encrypt something for the beneficiary of the license, you need the public key of the said beneficiary, which would make provisioning difficult (license site sends public key, you encrypt license, send email etc). It is much better to send the license in clear text, but signed with your private key. Then your application can validate the signature on the license and use it, if not tampered with.

S-MIME is such a scheme. PGP is just as good. Writing your own code in C# and Delphi is possible, but strongly discouraged. See Cryptographic Signatures.

Answer 2

You can use standard RSA or DSA signature algorithms to do what you want. For C#, these are standard algorithms built into the runtime. For Delphi, you have some choices. See Free Encryption library for Delphi.

Once you have chosen an encryption library for Delphi, you can now do the following:

1. The C# server signs the user's e-mail address and date using the chosen signature algorithm with your private key.
2. The Delphi client verifies the license using the same signature algorithm.
3. Once the Delphi client knows the signature is valid, you can then test the e-mail address / date and decide whether or not to allow your program to run.

I have done exactly the kind of signature verification you want/need using the DSA algorithm, LockBox, and C#.

One thing to be aware of is that C# encryption uses big-endian numbers, while LockBox / Windows CryptoAPI uses little-endian numbers. This probably means you need to reverse endian-ness of both the public key variables and the signature itself before sending it to the Delphi client for verification. Check your crypto library documentation.

One last note: others have proposed using symmetric encryption algorithms like AES / 3DES / etc. The problem with this approach is that your "secret" encryption key is shared between server and client. It is possible that someone could recover the key by reverse-engineering your compiled EXE and then create a "key generator" - a worst-case scenario being a fake activation server that passes out "authentic" encrypted licenses. By using assymetric crypto and keeping the private key secret, you won't have this problem. Users would have to crack every new version of your EXE or else pass around signed authentic licenses - much more inconvenient.

Answer 3

AES for Delphi and AES for C#.

Answer 4

Use the same encryption / decryption algorithm in both delphi and c#.

You can either find the code for an encryption algorithm for C# and then convert the code in the decryption algorithm into Delphi. Likely if you pick a popular encryption you'll be able to find both encryption and decryption algorithms already in many different languages.