
I am trying to encrypt an email body to be stored in a database, both to prevent unauthorized persons from reading it and to avoid SQL injection attacks.

1- What do you think about encrypting the email?
2- Why does it not work? I want to learn how to encrypt text anyway.

    SymmetricAlgorithm symAlgo = SymmetricAlgorithm.Create();
    // I will not use the default keys, although I think they are random enough.
    symAlgo.GenerateKey();
    symAlgo.GenerateIV();

    byte[] key = symAlgo.Key;
    byte[] iv = symAlgo.IV; // the IV is a separate value; copying the key here was a typo


    ICryptoTransform crypto = symAlgo.CreateEncryptor();
    byte[] block = UtilityMA.StringUtil.ConvertUTF16StringToByteArray(HTMLBody);
    byte[] cipherText = new byte[block.Length + 32];

    crypto.TransformBlock(block, 0, block.Length, cipherText, 0);


    symAlgo.Clear();
    crypto.Dispose();

crypto.TransformBlock throws an exception:
System.ArgumentException was unhandled by user code Message="Value was invalid." Source="mscorlib"

StackTrace: at System.Security.Cryptography.RijndaelManagedTransform.TransformBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[] outputBuffer, Int32 outputOffset) at Demo.BLL.Contact.History.SendEmail(String HTMLBody, Int32 Record_Id) in C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\BLL\BLL\Contact\History.cs:line 35 at _Default.BtnSend_Click(Object sender, EventArgs e) in c:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\Demos\ContactDemo\Contact.aspx.cs:line 46 at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) InnerException:

Costa

2 Answers

1) Encrypting is fine, but where will you store the key? It's only protection if the key is somewhere safer than the data. Yes, it does add a layer of protection against SQL Injection, but you should be eliminating SQL Injection possibilities by using parameterized statements.

2) It may be failing because SymmetricAlgorithm is an abstract base class, and you need to instantiate a concrete class like RijndaelManaged.Create();

Also, you should probably be using TransformFinalBlock() instead of TransformBlock(), and Encoding.UTF8.GetBytes() instead of UtilityMA.StringUtil.ConvertUTF16StringToByteArray().

Here's an article on how to encrypt/decrypt: http://www.sharpdeveloper.net/content/archive/2007/06/27/encryption-for-dummies-in-net.aspx

Lilith River

Try this instead.

SymmetricAlgorithm symAlgo = SymmetricAlgorithm.Create();
// I will not use the default keys, although I think they are random enough.
symAlgo.GenerateKey();
symAlgo.GenerateIV();

byte[] key = symAlgo.Key;
byte[] iv = symAlgo.IV; // keep the IV, not a second copy of the key; it must be stored with the ciphertext for decryption

byte[] cipherText;

using(ICryptoTransform crypto = symAlgo.CreateEncryptor())
{
  byte[] block = UtilityMA.StringUtil.ConvertUTF16StringToByteArray(HTMLBody);
  // TransformFinalBlock pads the last (partial) block and returns the whole ciphertext,
  // so there is no need to size an output buffer yourself
  cipherText = crypto.TransformFinalBlock(block, 0, block.Length);
}

symAlgo.Clear();
Kevin Montrose
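Putting both answers together as one added example (this is not code from the question or from either answer): Lilith River's points about key storage, parameterized statements, TransformFinalBlock() and Encoding.UTF8.GetBytes(), and Kevin Montrose's using-block shape. The key comes from the caller (it must live somewhere safer than the database row it protects), a fresh random IV is generated per message and stored in front of the ciphertext so the row can be decrypted later, and the blob is bound as a VARBINARY parameter so its contents can never be parsed as SQL. The table name ContactHistory and column EncryptedBody are assumptions made for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or either answer): AES-CBC encryption of an
// email body, IV stored with the ciphertext, parameterized INSERT into the database.
public static class EmailBodyStore
{
    // Returns IV || ciphertext. CBC needs a fresh IV for every message; the IV is not
    // secret, so it can sit in the same column as the ciphertext.
    public static byte[] Encrypt(byte[] key, string htmlBody)
    {
        if (key == null || (key.Length != 16 && key.Length != 24 && key.Length != 32))
            throw new ArgumentException("AES key must be 16, 24 or 32 bytes", "key");

        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                       // random IV; never reuse one under the same key
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;        // TransformFinalBlock applies this padding

            byte[] plain = Encoding.UTF8.GetBytes(htmlBody);
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                // One call handles the final partial block and padding. TransformBlock alone
                // only accepts whole blocks, which is why the question's code threw.
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            }

            byte[] blob = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, blob, aes.IV.Length, cipher.Length);
            return blob;
        }
    }

    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            int ivLen = aes.BlockSize / 8;          // 16 bytes for AES
            if (blob == null || blob.Length < ivLen)
                throw new ArgumentException("blob too short to contain an IV", "blob");

            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(blob, 0, iv, 0, ivLen);
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(blob, ivLen, blob.Length - ivLen);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    // Parameterized INSERT: the body is bound as VARBINARY(MAX), so nothing in it is
    // ever interpreted as SQL, encrypted or not. Table/column names are assumptions.
    public static int Store(SqlConnection conn, int recordId, byte[] encryptedBody)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO ContactHistory (Record_Id, EncryptedBody) VALUES (@recordId, @body)";
            cmd.Parameters.Add("@recordId", SqlDbType.Int).Value = recordId;
            cmd.Parameters.Add("@body", SqlDbType.VarBinary, -1).Value = encryptedBody;
            return cmd.ExecuteNonQuery();
        }
    }

    // Offline round-trip check with a constructed key and message.
    public static void Main()
    {
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);                      // production: load from a key store, not from the DB

        string body = "<p>Constructed test body with non-ASCII text: é, 漢字</p>";
        byte[] blob = Encrypt(key, body);
        string back = Decrypt(key, blob);
        Console.WriteLine(back == body ? "round-trip OK" : "round-trip FAILED");
        Console.WriteLine("stored blob length: " + blob.Length + " bytes (16 IV + padded ciphertext)");
    }
}
```

This gives confidentiality of the stored body only. If you also need to detect a tampered row (for example an attacker with write access to the table flipping ciphertext bytes), add an HMAC over IV || ciphertext under a second key and verify it before decrypting; the padding exception from TransformFinalBlock is not a reliable integrity check.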