Decrypting string with Microsoft Crypto API with C#

Question

So at my workplace, I have a .NET based web application, that has to pick up an encrypted parameter in a querystring.

Those supplying the encrypted string is an external contractor and they prefer (almost demand. cant change contractors though, the higher ups decide that stuff...), to use Microsoft's Crypto API to encrypt the string.

Well, fair enough, AFAIK I can decrypt that with C#, but after endless searching I am still at a loss on how it works.

That means I cant even supply example code, and I am stuck in this bind until I can decrypt this string.

What I have is:

I have the common password they encrypt with and I have to use to decrypt it with.

Encryption settings are: "CALC_AES_128" hash: "CALC_MD5". The string is encrypted, then hashed.

So I want to unhash it, and decrypt it.

I know its a lot to ask but how do I go about it?

Answer 1

Your external contractor doesn't know what he is talking about.

Hashes are used as a trap door function, a way to recognize something without been told what that thing IS. It is a digital fingerprint. The way a CRYPTOGRAPHICALLY SECURE hash is made, means even given the hash and the algorithm it is difficult to create an object that matches the fingerprint.

AES is a non-deterministic cypher. The non-determinisism comes from the Initialization Vector, which is meant to be a random number each time (not hard coded from a die roll, ahem Sony). This means for all intents and purposes, the output of AES is pure random (unless you have the key). Good cyphers are all designed to produce data that is statistically random (thus there is little data to form an attack from).

So by feeding data into a function that creates random data, then putting it into a trap door function, you have produce something that is truly difficult to decode (difficult in this sense is mathematically, you actually need more energy than exist in the universe to compute this).

As for how to send data across in a secure manner (secure as in against prying eyes on an unsecure network) in the query string? There is a well known protocol that .net supports that does this very well. Its called HTTPS.