Restrict Characters used in Encryption

Question

I have a very simple encryption class using tripleDES to encrypt the query string for a particular page on my site. I do this to prevent people page scraping sequentially based on our database IDs.

Anyhow, I've used this encryption method

However, it includes 3d% and some other special characters that shouldn't be in a query string and are rejected by Url Scan for security purposes. There is a = in the actual encrypted string that is generated. I don't want to change URL scan, but I was wondering if there is a way to limit the encryption characters for the tripleDES crypto provider or something. I know next to nothing about encyrption and I'm really just obfuscating the query string, so I'm open to other options regarding my encryption of the query string.

http://stackoverflow.com/questions/165808/simple-2-way-encryption-for-c-sharp — classicjonesynz, Sep 19 '12 at 13:41
Instead of encrypting the querystring you should prevent people from viewing pages they are not authorized to see. — ZippyV, Sep 19 '12 at 14:06

score 11 · Accepted Answer · edited Oct 07 '21 at 05:49

11

The methods you have linked use Base64 encoding to convert the encrypted byte array - which could have all kinds of "non-printable" bytes in it - into a form that will only contain A-Z, a-z, 0-9, +, / and =.

However, these last 3 are not suitable for URLs.

You could do a simple String.Replace on the Base64 string, replacing these characters with URL-safe characters, e.g. + => -, / => _ and = => .. You can even drop the = off the end completely, as they are only padding characters. (Making the first two substitutions and dropping the = is suggested by RFC3548.)

Then simply reverse this replacement when you want to decrypt your string. If you dropped the = completely, add = until the length of the string is a multiple of 4.

edited Oct 07 '21 at 05:49

Community

1
1

answered Sep 19 '12 at 13:38

Rawling

49,248
7
89
127

Thanks man. I actually ended up converting it to a hex string, so that did that trick too. Same idea, so have an answer! Thanks again. – user576838 Sep 20 '12 at 18:37
what does converting to a hex string gave you? – Toolkit Jun 17 '22 at 11:56

score 3 · Answer 2 · answered Sep 19 '12 at 13:38

3

You shouldn't mess with crypto if you don't know what you're doing (and even if you do). Instead, use the crypto as is, and UrlEncode the result.

answered Sep 19 '12 at 13:38

zimdanen

5,508
7
44
89

This isn't "messing with crypto" any more than URL-encoding the output is. – Rawling Sep 19 '12 at 14:34
3

Limiting encryption characters? I disagree. Your solution below isn't, but trying to tell the encryption what are valid characters is messing with the keyspace. Changing the encoding is different, but that wasn't specifically the OP's question. Trying to steer OP away from trying to modify the crypto itself. – zimdanen Sep 19 '12 at 15:39
2

Oh yeah, I remember now. I thought of that comment, then realised he _was_ trying to change the encryption so decided not to comment, then... forgot and commented anyway? My bad :) – Rawling Sep 19 '12 at 15:47

Restrict Characters used in Encryption

2 Answers2