I'm trying to figure out how to encrypt and decrypt data for MVC3 WebAPI. The situation is: I'm making a feedbacks application which has user registration, and users may register projects. A project must be used as a feedback foreign key (I mean a feedback must be assigned to a specific project). The problem is: how should I encrypt the project Id (it will be a GUID) and decrypt it on the server side? Should I use MD5 + salt? What should I use as salt? Maybe a timestamp, but how should I pass this timestamp? Well, I don't know where to start and what to do. Any help would be appreciated. Note: I don't need authorization to access the API methods, I need to pass a secret parameter (as a key).
3 Answers
Maybe you just need HTTPS? Parameters in the body and HTTPS. Why reinvent the wheel?!
Can you provide a little more info, or maybe a tutorial? I swear I googled for hours and couldn't find any info which fits my problem – DmitryL Oct 20 '12 at 17:54
If you don't use authentication to call the Web API methods, you could encrypt data using a shared secret password. AES is a commonly used symmetric-key algorithm for encrypting/decrypting data that you could use. This assumes that the client and the server share a common secret.
MD5 is a hashing (one-way) algorithm. It is not an encryption algorithm. The whole idea of an MD5 hash is that it cannot be reversed.
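As an added example (not part of the answer above), here is what the shared-secret AES approach looks like for the asker's project Id: the client encrypts the GUID under a key it shares with the server, and the server decrypts it. It uses AES-GCM so that a token that has been tampered with, or one produced under a different key, is rejected rather than decrypted into garbage. It assumes the `cryptography` package is installed; the key value, the associated-data label and the project ids are constructed for the demo.

```python
# Added example: AES-GCM encryption of a project id under a shared secret.
# Assumes the `cryptography` package; key and ids below are constructed values.
import base64
import os
import uuid
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed 256-bit shared key. Both client and server would load this from
# secure configuration, never hard-code it in a shipped application.
SHARED_KEY = bytes(range(32))
NONCE_LEN = 12                      # 96-bit nonce, the recommended size for GCM
LABEL = b"project-id"               # associated data: binds the token to this use


def encrypt_project_id(project_id: str, key: bytes = SHARED_KEY) -> str:
    """Client side: return a URL-safe token carrying nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)   # fresh random nonce per message, never reused
    ciphertext = AESGCM(key).encrypt(nonce, project_id.encode("utf-8"), LABEL)
    return base64.urlsafe_b64encode(nonce + ciphertext).decode("ascii")


def decrypt_project_id(token: str, key: bytes = SHARED_KEY) -> Optional[str]:
    """Server side: return the project id, or None if the token is malformed,
    was altered in transit, or was produced under a different key."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
        return AESGCM(key).decrypt(nonce, ciphertext, LABEL).decode("utf-8")
    except (InvalidTag, ValueError):
        # InvalidTag: authentication failed (tampering or wrong key);
        # ValueError: bad base64 / too short to contain a nonce and tag.
        return None


def demo() -> tuple:
    """Exercise the round trip plus the two failure modes the server must reject."""
    project_id = str(uuid.uuid4())
    token = encrypt_project_id(project_id)
    roundtrip_ok = decrypt_project_id(token) == project_id

    # Flip one ciphertext byte: GCM's tag check must fail.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode("ascii")
    tampered_rejected = decrypt_project_id(tampered) is None

    # A client holding a different key cannot produce a token the server accepts.
    other_key = bytes(range(32, 64))
    wrong_key_rejected = decrypt_project_id(encrypt_project_id(project_id, other_key)) is None

    return roundtrip_ok, tampered_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```

Note that this hides and integrity-protects the project Id, but it does not by itself identify which client sent the request; anyone holding the shared key can mint valid tokens, so the key must stay on trusted clients and be rotated if it leaks.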
I have authored an open source project and documented it here: Build a RESTful API. Perhaps this would start you in the right direction.
This solution uses an MD5 hash of your API ID, API secret and the UNIX timestamp, which is passed in the HTTP header. As @Darin Dimitrov stated, MD5 is a one-way hash but can be reversed with some knowledge about the hash and the brute force technique. There are better options like AES out there, but this is simple and a good way to get started. Actually, this authentication method is the same one used by Mashery's Authentication.
Build a RESTful API references and contains a full-blown starter kit for creating an API that has Auth, Membership and API Usage Metering, along with a supporting .NET EF database.
As for testing the service, you can use RESTClient to execute HTTP calls with custom headers instead of using Curl.
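As an added example (not code from the linked starter kit or from Mashery), here is the header-based scheme this answer describes, with the API ID, the secret and the UNIX timestamp combined into one value the server recomputes and compares. The one substitution is HMAC-SHA256 in place of a bare MD5 hash over the concatenated fields: HMAC is keyed, so the secret never has to be part of the hashed string, and it is not affected by the length-extension weakness of plain hashes. The header names, the credential table and the five-minute freshness window are constructed assumptions for the demo.

```python
# Added example: shared-secret request signing carried in HTTP headers.
# Header names, credential store and skew window are constructed assumptions.
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed credential store (api_id -> api_secret). A real server would load
# these from its membership database.
API_SECRETS: Dict[str, bytes] = {"demo-app": b"constructed-secret-do-not-reuse"}

# Requests whose timestamp is further than this from server time are refused,
# which bounds how long a captured signature stays replayable.
MAX_SKEW_SECONDS = 300


def sign(api_id: str, secret: bytes, timestamp: int, method: str, path: str) -> str:
    """Sign a canonical string. Including method and path means a signature
    captured from one request cannot be reused against a different endpoint."""
    canonical = f"{api_id}\n{timestamp}\n{method.upper()}\n{path}".encode("utf-8")
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_headers(api_id: str, secret: bytes, method: str, path: str,
                  now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the three headers the server will check."""
    ts = int(time.time()) if now is None else now
    return {
        "X-Api-Id": api_id,
        "X-Api-Timestamp": str(ts),
        "X-Api-Signature": sign(api_id, secret, ts, method, path),
    }


def verify(headers: Dict[str, str], method: str, path: str,
           now: Optional[int] = None) -> bool:
    """Server side: look up the secret, check freshness, recompute and compare."""
    api_id = headers.get("X-Api-Id", "")
    secret = API_SECRETS.get(api_id)
    if secret is None:
        return False                      # unknown client id
    try:
        ts = int(headers.get("X-Api-Timestamp", ""))
    except ValueError:
        return False                      # missing or non-numeric timestamp
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False                      # stale (or future-dated) request
    expected = sign(api_id, secret, ts, method, path)
    # Constant-time comparison so a byte-by-byte mismatch leaks no timing signal.
    return hmac.compare_digest(expected, headers.get("X-Api-Signature", ""))


if __name__ == "__main__":
    hdrs = build_headers("demo-app", API_SECRETS["demo-app"], "POST", "/api/feedback")
    print(hdrs)
    print("accepted:", verify(hdrs, "POST", "/api/feedback"))
```

The timestamp window only limits replay; a request captured inside the window can still be resent, so if that matters add a per-request nonce the server remembers for the length of the window. Whichever hash is used, the secret itself never travels in the request, which is the property that makes this scheme workable over HTTPS.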