I am Raghuveer

In my opinion programming means thinking, and it is fun. My vision is to teach programming in more understandable manner to the students from rural background. I support programming for everyone

Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Encrypting and Decrypting Query Strings in asp.net

Introduction

We often pass values between pages in the form of a query string as key-value pairs. Query string is the easiest way and most widely practiced mechanism of transferring small pieces of data between web pages. The end-user may change the value in the query string to play around with the application, and at the same time, it leads to compromising the security and data integrity of the system. So the solution is encrypting the query strings.

Following is the simple way of encryption and decryption mechanism in asp.net

First I created two methods for encryption and decryption

Encrypt the string

        private string Encrypt(string stringToEncrypt)
         {
             byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
             byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
             byte[] key = { };
             try
             {
                 key = System.Text.Encoding.UTF8.GetBytes("A0D1nX0Q");
                 DESCryptoServiceProvider des = new DESCryptoServiceProvider();
                 MemoryStream ms = new MemoryStream();
                 CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, rgbIV), CryptoStreamMode.Write);
                 cs.Write(inputByteArray, 0, inputByteArray.Length);
                 cs.FlushFinalBlock();
                 return Convert.ToBase64String(ms.ToArray());
             }
             catch (Exception e)
             {
                 return e.Message;
             }
         }         

Decrypt the encrypted string





        private string Decrypt(string EncryptedText)
{
byte[] inputByteArray = new byte[EncryptedText.Length + 1];
byte[] rgbIV = { 0x21, 0x43, 0x56, 0x87, 0x10, 0xfd, 0xea, 0x1c };
byte[] key = { };

try
{
key = System.Text.Encoding.UTF8.GetBytes("A0D1nX0Q");
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
inputByteArray = Convert.FromBase64String(EncryptedText);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, rgbIV), CryptoStreamMode.Write);
cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();
System.Text.Encoding encoding = System.Text.Encoding.UTF8;
return encoding.GetString(ms.ToArray());
}
catch (Exception e)
{
return e.Message;
}
}

It is better practice to encode the encrypted string before adding it to the URL like following, you can pass any number of parameters as you can (ex: OrderId=1&Name=RV )





   var addressLink = "http://abcxyz.com/abc.aspx?" + HttpUtility.UrlEncode(Encrypt(string.Format("OrderId={0}", orderId)));

Encryption is done, now we have to decrypt the encrypted string whenever we need, like following





   string str = "";
str = Request.RawUrl;
   var qs = Decrypt(HttpUtility.UrlDecode(str.Substring(strReq.IndexOf('?') + 1)));

Parse the returned string according to the parameters you have passed in above expression.