Encryption! (posting scores to a Ruby on Rails server)

Hi All,

I am almost done with my Facebook beta, but the encryption issue is killing me right now! I looked at using the Rijndael algorithm in C# in the web player and using OpenSSL to decrypt it on an RoR server, but after reading web posts on it, it sounded very complicated and wasn’t guaranteed that both sides implemented the algorithm in the same way. (For example, OpenSSL prepends the salt value to the beginning of the message.)

For the RoRers out there, what are you using to encrypt POST messages to the RoR server? Any implementations that are known to work? JavaScript would be best for my client, but I can utilize C# as well. Any pointers to HOWTOs or code snippets would be greatly appreciated.

Thanks in advance,
N

The short answer – use XOR, a one-time pad, and possibly hex digit encoding if you want readable strings.

There are lots of variations on this and the rabbit hole goes very deep. How far you take it depends on (1) the value of the data you are passing, (2) how long the data retains its value, and (3) how motivated and skilled the attackers are.

A simple run-down is to generate a secret key (a series of bits), XOR that key with your data, and then XOR it with the key again to get the data back. Key exchange between client and server is problematic unless you use a one-time pad. Using XOR and one-time pad encryption is technically the most expedient and reliable approach, but you need to consider the size of the pad you will be using, and how you will store the pad in the client.
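An added example (not code from either poster) of the XOR one-time-pad scheme the reply describes, in Ruby since the server side is RoR: a random pad as long as the score string, hex encoding for a readable POST value, the round trip, and the check a practitioner would want: if the same pad is reused for two scores, XORing the two ciphertexts cancels the pad, so anyone who knows one score can read the other. Function names and the sample scores are assumptions made for this example.

```ruby
require 'securerandom'

# Added example: XOR one-time pad for a score string, hex-encoded.
# Names and sample values are constructed for illustration.

# A one-time pad is random and at least as long as the message.
def generate_pad(length)
  SecureRandom.random_bytes(length)
end

# XOR each byte of data with the matching pad byte. The pad may be
# longer than the data; extra pad bytes are simply unused.
def xor_bytes(data, pad)
  if pad.bytesize < data.bytesize
    raise ArgumentError, "pad must be at least as long as the data"
  end
  data.bytes.zip(pad.bytes).map { |d, p| d ^ p }.pack("C*")
end

# Encrypt to a hex string so it can travel as a plain POST field.
def encrypt_score(plaintext, pad)
  xor_bytes(plaintext, pad).unpack1("H*")
end

# Decrypt the hex field with the same pad (XOR is its own inverse).
def decrypt_score(hex, pad)
  xor_bytes([hex].pack("H*"), pad).force_encoding("UTF-8")
end

# Failure mode: two messages under the same pad. c1 ^ c2 == p1 ^ p2,
# so a known plaintext p1 yields p2 without ever seeing the pad.
def recover_from_pad_reuse(hex1, hex2, known_plaintext)
  c1 = [hex1].pack("H*")
  c2 = [hex2].pack("H*")
  xor_bytes(xor_bytes(c1, c2), known_plaintext).force_encoding("UTF-8")
end

if __FILE__ == $PROGRAM_NAME
  pad = generate_pad(16)
  field = encrypt_score("score=42", pad)
  puts "POST value: #{field}"
  puts "decrypted:  #{decrypt_score(field, pad)}"
  # Reusing the pad for a second score leaks it to anyone holding both fields.
  other = encrypt_score("score=99", pad)
  puts "leaked:     #{recover_from_pad_reuse(field, other, 'score=42')}"
end
```

Each pad must be used once and discarded; a pad shipped inside the web player and reused per request is just a repeating key, not a one-time pad.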