2

I want to encrypt some text in a URL with a simple JavaScript algorithm and then decrypt it in the code-behind of an ASP.NET page using C#.

ROT13 is a good choice but unfortunately I cannot use it due to some confidential details. Anything like that would help but I don't know the famous ones. Security is not a matter at all, just twisting the string in some way and retrieving it later.

Xaqron
  • Double `ROT13`? Sorry, couldn't resist. Encryption with JavaScript is futile, you can't sufficiently hide the encryption algorithm, making it worthless. – Jamiec May 10 '11 at 12:11
  • I don't want encryption. I just want to bypass some `IDS/IPS`. – Xaqron May 10 '11 at 12:14
  • @Xaqron - are you saying that you'd like our help in breaking into someone's system? – tvanfosson May 10 '11 at 12:17
  • Is your point that you just need some automated process to not be triggered by something coming over the wire? How about ROT1 then? @Jamiec - not true, encryption security should have no dependence on knowledge of the algorithm. That's just security through obscurity. One-way encryption (hashing) is great for use in things like simple authentication, e.g. If you need to decrypt then you're talking RSA or the like, but a JavaScript implementation would be no less secure than any other. But kind of pointless since SSL does the same thing. – Jamie Treworgy May 10 '11 at 12:21
  • I know about all of that you mentioned. Security is not the point here. I need obscurity. It's a kind of misunderstanding by the device, since it is word sensitive and sometimes drops client requests. – Xaqron May 10 '11 at 12:25
  • Just use a variant of ROT13 if it detects rot13, then, or roll your own simple algorithm, e.g. rot(x) where you add one to (x) for each successive character, starting over after 25. – Jamie Treworgy May 10 '11 at 12:26

4 Answers

3

Who are you trying to hide it from? The end-user or someone listening on the wire? Given that anyone can use a browser-based debugger and inspect variables at run time, it doesn't really make much sense to rely on encryption to hide the information from the end-user (unless you encrypt it before you send it to the client and don't decrypt it until it's been sent back). If you're trying to hide the information on the wire, using SSL is definitely the way to go.

tvanfosson
  • I transfer some variables in the URL which are sometimes filtered by `IDS/IPS` systems on my clients' side. If I just twist the query string at client side and then send it to the page (and decrypt there) my application would work without problem. Unfortunately it detects `ROT13`. – Xaqron May 10 '11 at 12:19
  • @Xaqron - So use ROT4, or ROT22. Or does it detect all Caesar shift cyphers? – Jamiec May 10 '11 at 12:27
  • @Xaqron - have you tried Base64 encoding? http://www.webtoolkit.info/javascript-base64.html – tvanfosson May 10 '11 at 12:27
  • Yes, all famous ones are tried already. I can implement a substitution algorithm myself but code maintenance will become a nightmare. – Xaqron May 10 '11 at 12:34
  • Are you positive that it's being triggered by what you think it is? I can only imagine what would be involved in scanning every ROT+base64+anything else commonly used variant of every bit of text coming over the wire. This doesn't seem that likely, the processing involved would be enormous, and it would be so easily defeated by creating your own variant (e.g. rotx++ like I said in my previous suggestion). – Jamie Treworgy May 10 '11 at 12:45
1

JavaScript and C# both support a number of different "real" encryption algorithms.

Check out JavaScript DES and 3DES
Question: Triple DES decryption in classic ASP?
Example: http://jsbin.com/oguye3
Source: http://cheeso.members.winisp.net/srcview.aspx?dir=DES

DES has known weaknesses, but that library also supports 3DES, which is stronger.

Also check out JavaScript and AES
Getting SlowAES and RijndaelManaged class in .NET to play together

Here's a working demo of AES in the browser:
http://jsbin.com/itiye5/3

Community
Cheeso
1

If you are looking for RSA (asymmetric encryption) then you can use the jsbn http://www-cs-students.stanford.edu/~tjw/jsbn/ JavaScript library for client side and the standard .NET RSACryptoServiceProvider for server side.

They cooperate perfectly with each other.

I hope this helps!

George Mavritsakis
0

The Caesar cipher is quite a simple method for encrypting text. Or you could simply encode the text in BASE64, which also makes it hard to read for humans. BASE64 naturally offers no security at all, but you can use standard libraries for encoding and decoding.

joe776
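
The point made in this answer, that Base64 and Caesar shifts offer no security, shown as an added example that is not part of any answer on this page: both transforms are keyless, so anyone who sees the value can recover it by trying every candidate. It also covers the per-character incrementing shift suggested in the comments. The function names, the `WORDS` list and the sample strings are assumptions constructed for the illustration (Node.js).

```javascript
// Added illustration (not from the thread). WORDS and the samples are constructed.
const WORDS = ["customer", "report", "invoice", "order"];

// Shift ASCII letters by n, plus `step` extra positions per character index.
// step = 0 is a classic Caesar shift (ROT13 is n = 13); step = 1 is the
// "add one for each successive character" variant from the comments.
function caesar(text, n, step = 0) {
  return text.replace(/[a-z]/gi, (ch, i) => {
    const base = ch <= "Z" ? 65 : 97;
    const k = ch.charCodeAt(0) - base + n + step * i;
    return String.fromCharCode(((k % 26) + 26) % 26 + base);
  });
}

// Return the decoded text if `value` is well-formed Base64 of printable ASCII.
function tryBase64(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return null;
  const text = Buffer.from(value, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Count how many known words appear in the candidate plaintext.
function score(text) {
  const lower = text.toLowerCase();
  return WORDS.filter((w) => lower.includes(w)).length;
}

// Try the value as sent and Base64-decoded, each under all 26 shifts and both
// step settings: at most 104 cheap candidates, no key required.
function recover(value) {
  const layers = [{ text: value, how: "as sent" }];
  const decoded = tryBase64(value);
  if (decoded !== null) layers.push({ text: decoded, how: "base64" });
  let best = { text: value, how: "as sent", score: score(value) };
  for (const layer of layers) {
    for (const step of [0, 1]) {
      for (let n = 0; n < 26; n++) {
        const text = caesar(layer.text, -n, -step);
        const s = score(text);
        if (s > best.score) best = { text, how: `${layer.how}, shift ${n}, step ${step}`, score: s };
      }
    }
  }
  return best;
}

console.log(recover(caesar("customer report", 13))); // constructed ROT13 sample
```
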