Serialize an Object to a byte[], then encrypting the byte[]

Question

I came across a case where I need to encrypt an object in order to send it for delivery over a .NET Remoting connection. I have already implemented string encryption in our code, so I used a similar design for encrypting the object:

public static byte[] Encrypt(object obj)
    {
        byte[] bytes = ToByteArray(toEncrypt); // code below
        using (SymmetricAlgorithm algo = SymmetricAlgorithm.Create())
        {
           using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
           {
              byte[] key = Encoding.ASCII.GetBytes(KEY);
              byte[] iv = Encoding.ASCII.GetBytes(IV);
              using (CryptoStream cs = new CryptoStream(ms, algo.CreateEncryptor(key, iv), CryptoStreamMode.Write))
              {
                 cs.Write(bytes, 0, bytes.Length);
                 cs.Close();
                 return ms.ToArray();
              }
           }
        }
    }

private static byte[] ToByteArray(object obj)
      {
         byte[] bytes = null;
         if (obj != null)
         {
            using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
            {
               BinaryFormatter bf = new BinaryFormatter();
               bf.Serialize(ms, obj);
               bytes = ms.ToArray();
            }
         }
         return bytes;
      }

Is there anything I need to watch out for by serializing and encrypting the object in this way?

Answer 1

What exactly is the aim here? If you are only interested in the security of the data over-the-wire, then since you are using .NET remoting which supports transparent encryption, why not use that, rather than go to the trouble of implementing it yourself?

If you do insist on performing your own encryption, then it's worth noting that you appear to be using a constant IV, which is incorrect. The IV should be a random byte array, and different for each encrypted message. This is generally prepended to the encrypted message before transmission for use in the decryption process.

As a further note, since your key and IV are both converted from strings using Encoding.ASCII.GetBytes, which is intend for 7 bit ASCII input, you are reducing the effective key space significantly.

Answer 2

The only thing I can think of, is that generally after encrypting the data you should write over the plain-text array with NULLs. This is so that the plain-text isn't recoverable in memory, and if it is written out to disk in a page file or swap, it won't be recoverable by a malicious program/user. If the sensitivity of the data is not a concern though, this may not be necessary, but it is a good habit to get into.

EDIT:

That being said however, never roll your own if you don't have to (which you rarely ever do). Chances are very good you'll screw it up and make it vulnerable to attack unless you really know what you're doing. If you don't understand or don't like the built-in APIs, the gents over at Bouncy Castle have done outstanding work at creating libraries for you to use, and in many different languages.