
I am working on an ASP.NET MVC 5 web application inside VS 2012 and I am using IIS 8 to deploy the web application.

I have a security token which I am using to call a third party WebAPI. Currently inside my controller class, I define and use the token as follows:

string token = "D12356"; 
string url = currentURL + "resources?AUTHTOKEN=" + token;

Is there a way to encrypt this value, so that if anyone accesses the code inside VS or reverse engineers the .dll files on IIS they won't see the actual token value, but will instead see the encrypted value?

Jeff B
John John
  • Possible duplicate of [How do I prevent managed dll from reverse engineering C#](http://stackoverflow.com/questions/3490887/how-do-i-prevent-managed-dll-from-reverse-engineering-c-sharp) – Liam Oct 26 '15 at 15:03
  • @Liam but even if I prevent reverse engineering of the .dll, the token is saved and will be viewed from inside VS, so I want to encrypt it, so it will be secure in all means – John John Oct 26 '15 at 15:05
  • 1
    A token like that shouldn't live in the code; instead it should be part of the configuration that lives in the process's environment. A relevant quote: "A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials." (from http://12factor.net/config) – Jeff B Oct 26 '15 at 15:06
  • OK, I can move it to be inside the web.config; this is how I was doing it previously. So which approach can I follow to encrypt it inside the web.config? – John John Oct 26 '15 at 15:07
  • Vs..? Visual Studio? Of course it's visible in Visual studio..? Or else it wouldn't exist?! If you obfuscate the dll then it prevents (makes it harder actually not prevents) reverse engineering. – Liam Oct 26 '15 at 15:07
  • I mean its value, not the token itself. I mean if someone accesses the code then he should see the encrypted value and not the real value! – John John Oct 26 '15 at 15:08
  • But then how would you write it? You can't encrypt your source code. That makes no sense – Liam Oct 26 '15 at 15:09
  • @Liam so there is not any way to prevent exposing this inside the source code? – John John Oct 26 '15 at 15:29
  • 2
    What are you trying to achieve here? Do you want to prevent reverse engineering or someone getting hold of your source files? Typically your source code (if sensitive) will be secured inside your network so this isn't an issue. Once compiled the source is turned into dll's so the only way to get the source is to reverse engineer them. If you obfuscate your code you make this reverse engineering much more difficult (though not impossible). If the token is passed in the url then any proxy can see it anyway. This whole question is pretty muddled and confusing. – Liam Oct 26 '15 at 15:37
  • @Liam The token is passed inside the HTTP header and we are using HTTPS, so it is being transferred securely. My question is how I can store the secure token value. Now I can store it inside the web.config under a custom section, then I can run aspnet_regiis to encrypt the value; is this a valid approach? But if I follow this approach and in the future the token expires and we receive a new token, then how can I remove the encrypted token and add the new token value and then encrypt it again? Second point: if I encrypt the web.config section using aspnet_regiis, then who can decrypt the value? – John John Oct 26 '15 at 15:51

2 Answers

1

Is there a way to encrypt this value, so that if anyone accesses the code inside VS or reverse engineers the .dll files on IIS they won't see the actual token value, but will instead see the encrypted value?

Well, yes, you can embed an encrypted value in the code, but the problem is that whoever decompiles the library will also see how you decrypt it.

Since you're talking about ASP.NET, your web.config is just as vulnerable as your source code, so there's no added security there.

The solution is to either store the value somewhere secure outside of your web app (secured database?), or use some external value as part of your decryption process, like a certificate or other private key value.

D Stanley
  • If you have the dll isn't it a good assumption that you also have the config files, if you decompile the dll with the config files then you can view how the encryption works, the keys and the encrypted value, everything and you can still access the value? – Liam Oct 26 '15 at 15:12
  • @Liam Yes, which is why you need the value (or some key to decrypt it) outside of the web app (code and config). – D Stanley Oct 26 '15 at 15:20
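One concrete way to do what this answer and the aspnet_regiis comment above describe: keep the token in an appSettings entry, protect that section with the DPAPI provider (the same thing aspnet_regiis -pef does), and re-run the protect step when the token is rotated. This is an added example, not code from the answer; the setting name ThirdPartyAuthToken and the web app path are assumed.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not from the original answer. Assumes web.config holds
// <appSettings><add key="ThirdPartyAuthToken" value="..."/></appSettings>.
public static class TokenStore
{
    private const string SettingName = "ThirdPartyAuthToken"; // assumed name
    private const string Provider = "DataProtectionConfigurationProvider"; // DPAPI

    // Runtime read. If the section is protected, ConfigurationManager decrypts
    // it transparently under the app-pool identity, so the plaintext is never
    // in the source tree or in the compiled .dll.
    public static string GetToken()
    {
        string token = ConfigurationManager.AppSettings[SettingName];
        if (string.IsNullOrEmpty(token))
            throw new ConfigurationErrorsException(SettingName + " is not configured.");
        return token;
    }

    // Encrypts appSettings in place with the machine's DPAPI key. Equivalent to:
    //   aspnet_regiis -pef "appSettings" "C:\inetpub\wwwroot\MyApp"   (path assumed)
    // Only processes on this server can decrypt it; copying web.config elsewhere
    // yields an unreadable blob.
    public static void ProtectAppSettings(string virtualPath = "~")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Rotation: unprotect, replace the value, protect again. Same as running
    // aspnet_regiis -pdf, editing web.config, then -pef again.
    public static void RotateToken(string newToken, string virtualPath = "~")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        AppSettingsSection section = (AppSettingsSection)config.GetSection("appSettings");
        if (section.SectionInformation.IsProtected)
            section.SectionInformation.UnprotectSection();
        section.Settings.Remove(SettingName);
        section.Settings.Add(SettingName, newToken);
        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);
    }
}
```

DPAPI keys are per machine, so on a web farm use RsaProtectedConfigurationProvider with a key container exported to every node instead. Note that anyone who can run code as the app-pool identity on that server can still read the token; the protection is against copies of the source, the .dll and the config file leaving the box.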
1

The following class has the encryption and decryption process, through which one can encrypt or decrypt data given some values, i.e.

Key = string / byte[] to encrypt or decrypt the input

Input = the user required field on which he wants to apply cryptography

Please write this class as follows:

using System;
using System.Security.Cryptography;
using System.Text;

namespace SomeNameSpace
{
    public enum CryptType { ENCRYPT, DECRYPT }
    public enum CryptTechnique { AES, RC2, RIJ, DES, TDES }

    public class Cryptography
    {
        // Returns a Base64 string (encrypt) or plain string (decrypt) for string input,
        // a byte[] for byte[] input, false for an unsupported input type,
        // or the exception message if the algorithm throws.
        public object Crypt(CryptType EncryptOrDecrypt, CryptTechnique CryptographicTechnique, object Input, string Key)
        {
            try
            {
                SymmetricAlgorithm SymAlgo; // parent class of every algorithm in the CryptTechnique enum
                switch (CryptographicTechnique)
                {
                    case CryptTechnique.AES:
                        SymAlgo = new AesManaged();
                        break;
                    case CryptTechnique.RC2:
                        SymAlgo = new RC2CryptoServiceProvider();
                        break;
                    case CryptTechnique.RIJ:
                        SymAlgo = new RijndaelManaged();
                        break;
                    case CryptTechnique.DES:
                        SymAlgo = new DESCryptoServiceProvider();
                        break;
                    case CryptTechnique.TDES:
                        SymAlgo = new TripleDESCryptoServiceProvider();
                        break;
                    default:
                        return false;
                }

                // The key bytes are the UTF-8 bytes of Key, so its length must be a
                // valid key size for the chosen algorithm (e.g. 16 chars for AES/RIJ).
                SymAlgo.Key = Encoding.UTF8.GetBytes(Key);
                SymAlgo.Padding = PaddingMode.PKCS7;
                // ECB mode as in the original answer: no IV is needed, but it is
                // deterministic, so equal plaintext blocks give equal ciphertext blocks.
                SymAlgo.Mode = CipherMode.ECB;

                ICryptoTransform ICT = null;
                byte[] resultArray;

                if (EncryptOrDecrypt == CryptType.ENCRYPT)
                {
                    ICT = SymAlgo.CreateEncryptor();
                }
                else if (EncryptOrDecrypt == CryptType.DECRYPT)
                {
                    ICT = SymAlgo.CreateDecryptor();
                }

                if (Input is string)
                {
                    string text = (string)Input;
                    if (EncryptOrDecrypt == CryptType.ENCRYPT)
                    {
                        // plaintext string -> Base64 ciphertext
                        byte[] inputArray = Encoding.UTF8.GetBytes(text);
                        resultArray = ICT.TransformFinalBlock(inputArray, 0, inputArray.Length);
                        SymAlgo.Clear();
                        return Convert.ToBase64String(resultArray);
                    }
                    else
                    {
                        // Base64 ciphertext (as produced above) -> plaintext string
                        byte[] inputArray = Convert.FromBase64String(text);
                        resultArray = ICT.TransformFinalBlock(inputArray, 0, inputArray.Length);
                        SymAlgo.Clear();
                        return Encoding.UTF8.GetString(resultArray);
                    }
                }
                else if (Input is byte[])
                {
                    byte[] inputArray = (byte[])Input;
                    resultArray = ICT.TransformFinalBlock(inputArray, 0, inputArray.Length);
                    SymAlgo.Clear();
                    return resultArray;
                }
                return false;
            }
            catch (Exception ex)
            {
                return ex.Message;
            }
        }
    }
}

and in some controller where you want to encrypt or decrypt data, write this:

public ActionResult SomeAction()
{
    string Key = "1234567890abcdef"; // the key must have 16 chars, otherwise you may get the error "key size is not valid".
    string Password = "Secret";
    Cryptography Crypt = new Cryptography();
    string EncryptedPassword = (string)Crypt.Crypt(CryptType.ENCRYPT, CryptTechnique.RIJ, Password, Key);
    return View();
}

Here you will get the encrypted password in the EncryptedPassword variable.

WasiF