Wednesday, January 5, 2011

Encrypting QueryStrings with .NET


Once upon a time in the tech world, obscurity was security - this being most true in the early years of the industry, when there were gaping holes in privacy policies and confidential client information was bandied about from site to site without a care as to who actually could read the information.
With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the most innocuous user data. If you ever need to 'piggy-back' information from one web page to another, whether it is within a POST or a GET parameter, you're passing clear information that anyone can sniff - and that's a bad thing.
If you're not going to use a session variable for storing end user information, you're most likely going to keep some sort of State by passing the information to a cookie or push it around with GET/POST parameters. If you're passing around any sort of ID or user information like their name, it's better to err on the side of caution and encrypt the information.

GET Vs. POST


A POST parameter keeps the information out of the URL, but it can still be sniffed quite easily as it passes in clear text across your network or the Internet. Using POST will keep the mere curious at bay, as the information is not contained in the URL - but this will not stop someone determined to snag out your data.
A QueryString parameter passes information within the site's URL. Why would you even use a QueryString? Well, maybe you need to let your user bookmark a particular page, or maybe you have to refer directly to a page in a URL via a link - you can't do either if you're using POST. A QueryString puts data in the URL for the entire world to see, so if you don't know if the end user is malicious, I'd think hard about using a QueryString for anything but site-related information.
Be smart and encrypt any and all data you're moving around from page to page, especially if that information could be used maliciously. You may trust your users, but you still need that extra level of security that clear text GET/POST data doesn't provide.
Imagine this scenario - you've been passing the customer's ID in the database around in a QueryString, in a URL that looks like this:

http://yoursite.com?cust_id=29
You know what a user is going to do? Switch that 29 to a 30 or 12 or some other number, and if you're not checking for invalid requests, you'll be dishing up some other customer's data.

Enter Encryption
What I was looking for was a quick way to encrypt and decrypt parts of a QueryString - it had to be on the fly, quick and dirty.
I chose Base64 because it wouldn't throw bizarre characters in my QueryString that I couldn't pass around… Little did I know that I'd hit a snag while passing around my encrypted QueryString - Apparently, the Request.QueryString object interprets the '+' sign as a space! So, with a quick Replace function slapped on my decrypt string, no harm, no foul.

Symmetric Key
The whole trick to this working is that the QueryString is encrypted and decrypted with the same private key. This is the secret key - if anyone gets a hold of your key, they can decrypt the data themselves, so keep it a secret!

We're going to use a hard-to-crack 8 byte key, !#$a54?3, to keep parts of our QueryString secret.

Let's Walk through the C# portion of the code:

Notice our two functions that abstract the dirty work that our Encryption64 class. The first, encryptQueryString, is used to encrypt the value of a QueryString. The second, decryptQueryString, is used to decrypt the value of an encrypted QueryString.

public string encryptQueryString(string strQueryString) {

 ExtractAndSerialize.Encryption64 oES =
new ExtractAndSerialize.Encryption64();

 return oES.Encrypt(strQueryString,"!#$a54?3");

 }

 public string decryptQueryString(string strQueryString)

 {

 ExtractAndSerialize.Encryption64 oES =
new ExtractAndSerialize.Encryption64();

 return oES.Decrypt(strQueryString,"!#$a54?3");

 }

 If we wanted to encrypt our QueryString on our first page, we could do something like this:

 string strValues = "search term";

 string strURL = "http://yoursite.com?search="
+ encryptQueryString(strValues);

 Response.Redirect(strURL);

 Inside our code-behind in our second page, we pass the contents our QueryString to a variable named strScramble. After that, we replace the '+' signs that our wonderful Request.QueryString has replaced with a space. We pass that string into our function, decryptQueryString, and retrieve the decrypted string.

 string strScramble = Request.QueryString["search"];

 string strdeCrypt = decryptQueryString(
strScramble.Replace(" ", "+"));

 Now we've decrypted the value of the QueryString, 'search', and we can do whatever we want with it. The end user is going to see a URL that looks like:
http://yoursite.com?search=da00992Lo39+343dw
They'll never be able guess what's going on in your QueryString, and if they try to fool around with it, there's no way to crack the code without knowing the Symmetric key.
VB.NET

 Imports System

 Imports System.IO

 Imports System.Xml

 Imports System.Text

 Imports System.Security.Cryptography

 Public Class Encryption64

 Private key() As Byte = {}

 Private IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}



Public Function Decrypt(ByVal stringToDecrypt As String, _
ByVal sEncryptionKey As String)

                                                                                                As String

 Dim inputByteArray(stringToDecrypt.Length) As Byte

 Try

 key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))

 Dim des As New DESCryptoServiceProvider()

 inputByteArray = Convert.FromBase64String(stringToDecrypt)


Dim ms As New MemoryStream()


Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), _
CryptoStreamMode.Write)

 cs.Write(inputByteArray, 0, inputByteArray.Length)

 cs.FlushFinalBlock()


Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8


Return encoding.GetString(ms.ToArray())


Catch e As Exception


Return e.Message


End Try


End Function



Public Function Encrypt(ByVal stringToEncrypt As String, _
ByVal SEncryptionKey As String) As String


Try


key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))


Dim des As New DESCryptoServiceProvider)


Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes( _
stringToEncrypt)

 Dim ms As New MemoryStream()


Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), _
CryptoStreamMode.Write)


cs.Write(inputByteArray, 0, inputByteArray.Length)


cs.FlushFinalBlock()


Return Convert.ToBase64String(ms.ToArray())


Catch e As Exception


Return e.Message


End Try


End Function



End Class


No comments :

Post a Comment