What decryption should I use between my Android app and ASP.NET Webservice?

0

I am searching for a good way to encrypt and decrypt user authentication data between my Android app and my ASP.NET Webservice built in C#.

I want to do a user registration on my Android app and send the authentication to the back-end server, which is an ASP.NET Webservice built in C#, and then every time the app calls the webservice it should send a hashed string with authentication information so the webservice knows what user it is.

What is the best practice for this, and have I missed something? Give me some ideas, please!

2012-04-04 08:06
by RickardP
How does TLS not do what you need? - sarnold 2012-04-04 08:11


2

If you just send a hashed or encrypted string, anyone who captures it can re-send it and authenticate without knowing the password, etc. (replay). Use HTTPS (HTTP over SSL) and you don't have to worry about encrypting the communication channel.

2012-04-04 09:11
by Nikolay Elenkov
+1 for HTTP over SSL, but unfortunately not everyone can afford/buy an SSL certificate for their hobby/personal web server - waqaslam 2012-04-04 10:02
You could always use a self-signed certificate which is only slightly harder than paying 20$ for a Rapid* cert. Or use PaaS, etc. that offers SSL access OTB - Nikolay Elenkov 2012-04-04 15:08
Can you put some links to tutorials on this stuff? Thanks - waqaslam 2012-04-04 15:46
http://appengine.google.com has built-in HTTPS support. You can easily find tutorials on how to create self-signed certificates with OpenSSL. Here's how to use those on Android: http://nelenkov.blogspot.jp/2011/12/using-custom-certificate-trust-store-on.html or this one: http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.htm - Nikolay Elenkov 2012-04-04 16:04
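
The self-signed certificate approach discussed in the comments above, as an added example that is not part of the original thread: the app builds an `SSLContext` that trusts only the web service's own certificate, using standard `java.security` and `javax.net.ssl` classes. The class name `PinnedHttps`, the alias `"webservice"`, and the way the certificate file reaches the app (an `InputStream` supplied by the caller) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class name): trust exactly one bundled server certificate. */
public final class PinnedHttps {

    /** Builds an SSLContext whose only trust anchor is the certificate read from certStream. */
    public static SSLContext contextFor(InputStream certStream) throws Exception {
        // Parse the server's self-signed X.509 certificate (PEM or DER encoded).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try {
            serverCert = cf.generateCertificate(certStream);
        } finally {
            certStream.close();
        }

        // Empty in-memory key store that holds just that one certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("webservice", serverCert); // alias is an assumption

        // The platform TrustManager still performs normal chain and validity checks,
        // but against this store only, not the system CA list.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection using the pinned context; the default hostname verifier stays on. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

The certificate's subject name must match the host the app connects to, because hostname verification is left enabled. A connection to any server presenting a different certificate fails the handshake instead of silently succeeding.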