11

I have an app that is using query string to pass some values around pages. I found few examples on how to encrypt values in query string, but the problem is that my KEYS tell more about query string then the values which are all integers converted to string.

Is there a way to encrypt the whole query string in ASP.NET including keys and key values?

Something like:

Default.aspx?value1=40&value2=30&value3=20

to

 Default.aspx?56sdf78fgh90sdf4564k34klog5646l

Thanks!

live-love
  • 48,840
  • 22
  • 240
  • 204
formatc
  • 4,261
  • 7
  • 43
  • 81
  • there are at least 10 diferent examples on web – Aristos Feb 02 '12 at 10:20
  • possible duplicate of [how to pass encrypted query string in asp.net](http://stackoverflow.com/questions/603092/how-to-pass-encrypted-query-string-in-asp-net) – Aristos Feb 02 '12 at 10:20
  • @Aristos That particular post is actually asking about encrypting just the *values*, where this one seems to be about encrypting the entire string. – Andrew Barber Feb 02 '12 at 10:29
  • 1
    @AndrewBarber the answers contain the full url. Anyway I think this user is laze, there are 100,000 results about this on google. – Aristos Feb 02 '12 at 10:34
  • Thanks for help guyes anyway, I tried but couldn't find articles about code samples where you can encrypt whole string with custom key. Only half-written articles. – formatc Feb 02 '12 at 11:29
  • The best thing would be to use SSL ;) Don't rely on security by obfuscation. – hellow Aug 06 '18 at 09:38

2 Answers2

23

There is one issue that many of the references above overlook, and that is just prior to returning the encrypted string, URL Encode (see below right before the string is returned). I am using IIS 7.5, and it will automatically "Decode" the string for you, so the decryption "should" be OK. Both the Encrypt and Decrypt code is shown below.

public string EncryptQueryString(string inputText, string key, string salt)
{
    byte[] plainText = Encoding.UTF8.GetBytes(inputText);

    using (RijndaelManaged rijndaelCipher = new RijndaelManaged())
    {
        PasswordDeriveBytes secretKey = new PasswordDeriveBytes(Encoding.ASCII.GetBytes(key), Encoding.ASCII.GetBytes(salt));
        using (ICryptoTransform encryptor = rijndaelCipher.CreateEncryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
        {
            using (MemoryStream memoryStream = new MemoryStream())
            {
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
                {
                    cryptoStream.Write(plainText, 0, plainText.Length);
                    cryptoStream.FlushFinalBlock();
                    string base64 = Convert.ToBase64String(memoryStream.ToArray());

                    // Generate a string that won't get screwed up when passed as a query string.
                    string urlEncoded = HttpUtility.UrlEncode(base64);
                    return urlEncoded;
                }
            }
        }
    }
}

public string DecryptQueryString(string inputText, string key, string salt)
        {
            byte[] encryptedData = Convert.FromBase64String(inputText);
            PasswordDeriveBytes secretKey = new PasswordDeriveBytes(Encoding.ASCII.GetBytes(key), Encoding.ASCII.GetBytes(salt));

            using (RijndaelManaged rijndaelCipher = new RijndaelManaged())
            {
                using (ICryptoTransform decryptor = rijndaelCipher.CreateDecryptor(secretKey.GetBytes(32), secretKey.GetBytes(16)))
                {
                    using (MemoryStream memoryStream = new MemoryStream(encryptedData))
                    {
                        using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
                        {
                            byte[] plainText = new byte[encryptedData.Length];
                            cryptoStream.Read(plainText, 0, plainText.Length);
                            string utf8 = Encoding.UTF8.GetString(plainText);
                            return utf8;
                        }
                    }
                }
            }
        }
live-love
  • 48,840
  • 22
  • 240
  • 204
Eric Kauffman
  • 231
  • 3
  • 2
  • I have the input string, I have the salt, what is the "key"? I am trying to use this code since the code I am using fails to decrypt when there is a plus "+" sign in thee encryption – JustJohn Sep 20 '20 at 00:35
9

There are many examples on web.

some of them:

How can I encrypt a querystring in asp.net?

how to pass encrypted query string in asp.net

http://www.codeproject.com/Articles/33350/Encrypting-Query-Strings

http://www.keyvan.ms/how-to-encrypt-query-string-parameters-in-asp-net

http://forums.asp.net/t/989552.aspx/1

Now you say that you do like to encrypt the keys also, actually what you have to do is to encrypt them all url line, and then you just read the RawUrl what after the ? and decrypt it.

Community
  • 1
  • 1
Aristos
  • 66,005
  • 16
  • 114
  • 150
  • I tried www.4guysfromrolla.com but the link seems to be dead,the one to the source on that site. Anyway this answer my question fully. This implemetation of query string encrypting is the far most easy to use and does everything I wanted: http://madskristensen.net/post/HttpModule-for-query-string-encryption.aspx – formatc Feb 02 '12 at 11:32
  • @user1010609 The answer to your question is: its just one more script encrypted with UrlEncoded and UrlDecode involved. – Aristos Feb 02 '12 at 12:11
  • @reaz I do not think so, before 4 years, and I give my knowledge what to connect to solve the issue – Aristos Apr 16 '16 at 10:01
  • These are all dangerously wrong, you must *never* reuse the initialization vector, see e.g. http://www.cryptofails.com/post/70059609995/crypto-noobs-1-initialization-vectors – poizan42 Mar 09 '18 at 07:42