Michael Wolf

{Binding ME}

Thursday, December 04, 2008

Silverlight and Encryption

While working on a recent project involving Silverlight security, I was excited by the number of options now available to us in System.Security.Cryptography (http://msdn.microsoft.com/en-us/library/system.security.cryptography(VS.95).aspx). The primary use for these classes is to encrypt data kept in isolated storage. This is a simple procedure and makes perfect sense for sensitive data that has to be stored on the client (the docs provide a nice sample using AesManaged: http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged(VS.95).aspx). While that is the main use case for encryption in Silverlight, having these framework libraries available opens up some interesting further options.

One possible use would be to encrypt communication between xaps passing through the HTML bridge. A perfect example might be a portal-type application, where the Silverlight apps exist as islands that need to share data in real time. Imagine an HR application built on a content management system, which has been updated with small Silverlight applications dropped into its pages. By encrypting the data in one xap, you can pass it through the bridge and decrypt it in another xap that shares the same encryption code. This adds a level of protection against the data being harvested by other script or controls on the page while it crosses the bridge. Be clear about the limit of that protection: both xaps carry the same key, and a xap is just a downloadable zip, so anyone who can fetch the xaps can recover the key. Also authenticate the ciphertext (an HMAC over it) rather than only encrypting it, or the receiving xap will happily decrypt and deserialize tampered data.



In this example, clicking the Transfer button serializes a complex object and encrypts the result. The encrypted data is sent through the HTML bridge to the second xap, which decrypts and deserializes it.

Another possible use is encrypting data end to end for something resembling message-level security. With Silverlight 2 we can now call web services, but sadly not with WS-Security, where the entire SOAP message is encrypted at the message level. One possible stop-gap is to encrypt the sensitive data in Silverlight, send it over HTTPS, and decrypt it on the server. Because source can be shared between the Silverlight client and the WCF web service, the encryption code can be the exact same code and, in fact, the exact same file (using a linked file in Visual Studio). Keep in mind what this buys you: HTTPS already protects the data in transit, so the extra layer mainly protects the payload where TLS is terminated before it reaches the service (a proxy or load balancer, request logging), and a key compiled into the xap is recoverable by anyone who downloads the xap, so it is no substitute for authenticating the user.
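The following is an added example of the shared encryption code the two scenarios above rely on (xap-to-xap through the HTML bridge, and client-to-WCF-service). It is not code from the original post; the type names EmployeeRecord and SecureEnvelope, the methods DeriveKeys, Protect and Unprotect, and the shared secret and salt are all invented for illustration. It uses only classes that ship in the Silverlight 2 runtime (AesManaged, HMACSHA256, Rfc2898DeriveBytes, DataContractSerializer) so the one file can be linked into both the Silverlight class library and the WCF project. Unlike a bare AesManaged sample, it generates a fresh IV per message and appends an HMAC so the receiver can reject tampered or foreign input before decrypting.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Cryptography;

// Payload type shared by both ends (constructed for this example).
[DataContract]
public class EmployeeRecord
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Name { get; set; }
    [DataMember] public decimal Salary { get; set; }
}

// One source file linked into the Silverlight class library and the WCF project.
// Envelope, base64 encoded so it can cross the HTML bridge or travel as a string
// service parameter: IV (16) || AES-256-CBC ciphertext || HMAC-SHA256 (32).
// The MAC covers IV || ciphertext (encrypt-then-MAC) and is verified before
// any decryption is attempted.
public static class SecureEnvelope
{
    private const int IvSize = 16;
    private const int MacSize = 32;
    // Derives separate encryption and MAC keys from a shared secret. Secret and
    // salt are hypothetical inputs; anything compiled into a xap can be read by
    // whoever downloads the xap.
    public static void DeriveKeys(string sharedSecret, byte[] salt,
                                  out byte[] encKey, out byte[] macKey)
    {
        var kdf = new Rfc2898DeriveBytes(sharedSecret, salt, 10000);
        encKey = kdf.GetBytes(32);
        macKey = kdf.GetBytes(32);
    }

    public static string Protect<T>(T value, byte[] encKey, byte[] macKey)
    {
        byte[] plaintext;
        using (var ms = new MemoryStream())
        {
            new DataContractSerializer(typeof(T)).WriteObject(ms, value);
            plaintext = ms.ToArray();
        }
        byte[] iv, ciphertext;
        using (var aes = new AesManaged { Key = encKey })
        {
            aes.GenerateIV();                 // fresh random IV for every message
            iv = aes.IV;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] body = Concat(iv, ciphertext);
        byte[] mac;
        using (var hmac = new HMACSHA256(macKey)) mac = hmac.ComputeHash(body);
        return Convert.ToBase64String(Concat(body, mac));
    }
    public static T Unprotect<T>(string envelope, byte[] encKey, byte[] macKey)
    {
        byte[] blob = Convert.FromBase64String(envelope);
        if (blob.Length < IvSize + MacSize)
            throw new CryptographicException("Envelope too short.");
        byte[] body = Sub(blob, 0, blob.Length - MacSize);
        byte[] mac = Sub(blob, blob.Length - MacSize, MacSize);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(mac, expected))  // reject tampered or foreign data first
            throw new CryptographicException("Envelope failed authentication.");
        byte[] iv = Sub(body, 0, IvSize);
        byte[] ciphertext = Sub(body, IvSize, body.Length - IvSize);
        byte[] plaintext;
        using (var aes = new AesManaged { Key = encKey, IV = iv })
        using (var dec = aes.CreateDecryptor())
            plaintext = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        using (var ms = new MemoryStream(plaintext))
            return (T)new DataContractSerializer(typeof(T)).ReadObject(ms);
    }

    // Compares MACs without short-circuiting on the first mismatching byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
    private static byte[] Sub(byte[] src, int offset, int count)
    {
        var r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }
}
```

Both ends call DeriveKeys with the same (hypothetical) secret and salt once at startup. The sender calls SecureEnvelope.Protect(record, encKey, macKey) and hands the resulting string to the bridge (or passes it as a string parameter on the service operation); the receiver calls SecureEnvelope.Unprotect<EmployeeRecord>(envelope, encKey, macKey) and gets either the object back or a CryptographicException. The Silverlight project needs a reference to System.Runtime.Serialization.dll for DataContractSerializer; the WCF project already has it.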

Silverlight Class Library

Web Application with linked source

Data encrypted from the Silverlight application decrypted on the service tier


I think this shows the real power of Silverlight: not only do you get the power of .NET in the browser, but you also get the interoperability of running the same CODE in the browser, in a WCF service, in a desktop client, and so on.

(DISCLAIMER: this strategy is provided as a proof of concept, and not a direct assertion of best practices)

Posted by michaelwolf | Dec 04 2008, 04:16:30 PM EST