I'm Keyvan Nayyeri, a 25 years old Ph.D. student at
the Computer Science department of
the University of Texas at San Antonio.
I'm also
a Software Architect and Developer and previously held a B.Sc.
degree in Applied Mathematics.
This is my blog where I publish content about various topics specifically Programming Languages and Compilers, Software
Engineering and Programming.
Recent Posts
Archive
- March 2010 (1)
- Feburary 2010 (4)
- December 2009 (2)
- November 2009 (2)
- October 2009 (5)
- September 2009 (5)
- August 2009 (5)
- July 2009 (1)
- June 2009 (3)
- May 2009 (3)
- April 2009 (5)
- March 2009 (6)
- Feburary 2009 (9)
- January 2009 (14)
- December 2008 (17)
- November 2008 (8)
- October 2008 (17)
- September 2008 (20)
- August 2008 (20)
- July 2008 (20)
- June 2008 (22)
- May 2008 (20)
- April 2008 (19)
- March 2008 (22)
- Feburary 2008 (20)
- January 2008 (22)
- December 2007 (27)
- November 2007 (21)
- October 2007 (20)
- September 2007 (20)
- August 2007 (22)
- July 2007 (22)
- June 2007 (22)
- May 2007 (25)
- April 2007 (20)
- March 2007 (20)
- Feburary 2007 (20)
- January 2007 (26)
- December 2006 (24)
- November 2006 (23)
- October 2006 (29)
- September 2006 (26)
- August 2006 (32)
- July 2006 (28)
- June 2006 (24)
- May 2006 (23)
- April 2006 (23)
- March 2006 (24)
- Feburary 2006 (21)
- January 2006 (22)
- December 2005 (27)
- November 2005 (24)
- October 2005 (32)
- September 2005 (30)
- August 2005 (32)
- July 2005 (22)
- June 2005 (6)
How to Encrypt Query String Parameters in ASP.NET
There are some circumstances when you need to encrypt query string parameters in your URLs in order to secure your web applications. There are many reasons and many cases but as one of my recent experiences in Waegis a user activation requires such a system. The reason is to prevent anyone to use other’s plain email address to activate his or her account without receiving the activation mail!
Of course, there are some solutions and I’m not using this solution on Waegis (I replaced the solution with a simpler and secure mathematical algorithm that I inspired myself) but the incoming solution is the most common way to encrypt your query string parameters.
The basic idea of this method is using DES cryptography system to encrypt query string parameters on one side and then decrypting it on the other side. But the key point about this method is that DES algorithm is a symmetric algorithm that requires two keys. How do you want to work around this?
You may want to pass your sector vector or initialization vector as a secondary parameter in query string and keep the other key private but this is an insecure solution because having those two parameters, your key is predictable so your algorithm is breakable!
But what’s the solution? The solution is to define both keys on your side and use them to encrypt your text and only pass the encrypted text to query string then retrieve the text and decrypt it with these keys.
Having this background, the implementation is easy and straightforward and contains nothing but some .NET cryptography code.
The main part of this workflow is building a simple cryptographic class that manages the encryption and decryption of string values with your keys. Below code represents the class that you can port for your application. There are two fields that define and hold sector vector and initialization vector. You need to define them once and add them to your application. The rest of the code should be familiar to you because it’s just a set of regular .NET cryptography operations.
using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Text;
using System.Security.Cryptography;
using System.IO;
namespace QueryStringEncryption
{
public class Cryptography
{
#region Fields
private static byte[] key = { };
private static byte[] IV = { 38, 55, 206, 48, 28, 64, 20, 16 };
private static string stringKey = "!5663a#KN";
#endregion
#region Public Methods
public static string Encrypt(string text)
{
try
{
key = Encoding.UTF8.GetBytes(stringKey.Substring(0, 8));
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
Byte[] byteArray = Encoding.UTF8.GetBytes(text);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream,
des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
cryptoStream.Write(byteArray, 0, byteArray.Length);
cryptoStream.FlushFinalBlock();
return Convert.ToBase64String(memoryStream.ToArray());
}
catch (Exception ex)
{
// Handle Exception Here
}
return string.Empty;
}
public static string Decrypt(string text)
{
try
{
key = Encoding.UTF8.GetBytes(stringKey.Substring(0, 8));
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
Byte[] byteArray = Convert.FromBase64String(text);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream,
des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
cryptoStream.Write(byteArray, 0, byteArray.Length);
cryptoStream.FlushFinalBlock();
return Encoding.UTF8.GetString(memoryStream.ToArray());
}
catch (Exception ex)
{
// Handle Exception Here
}
return string.Empty;
}
#endregion
}
}
Now the rest of this post exemplify how to use this Cryptography class. I implement a UserActivation class that manages the activation process. It generates activation links by getting a username and also activates a user by getting the encrypted username key. The final class is shows below.
using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.IO;
namespace QueryStringEncryption
{
public static class UserActivation
{
#region Public Methods
public static void ActivateUser(string key)
{
string username = Cryptography.Decrypt(key);
// TODO: Activation Login
}
public static string GetActivationLink(string username)
{
string key = Cryptography.Encrypt(username);
StringWriter writer = new StringWriter();
HttpContext.Current.Server.UrlEncode(key, writer);
return string.Format("/default.aspx?key={0}", writer.ToString());
}
#endregion
}
}
Here the important point is to not forget to UrlEncrypt the encrypted key because usually it contains some characters that will be ignored by ASP.NET and can cause exceptions on decryption.
I finally wrap up this example by applying it in a simple page. This page generates an activation link when there is no query string parameter and it also decrypts the key parameter when it is provided. In real world scenarios you can use this decrypted username to activate the user’s account.
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
namespace QueryStringEncryption
{
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (string.IsNullOrEmpty(Request["key"]))
Response.Write(UserActivation.GetActivationLink("keyvannayyeri"));
else
Response.Write(Cryptography.Decrypt(Request["key"]));
}
}
}
Here are two snapshots to show how this example works.
_2.png "How to Encrypt Query String Parameters in ASP.NET")
You can download the source code sample for this post from here.
Reflective Perspective - Chris Alcock » The Morning Brew #146
Jul 29, 2008 2:21 AM
#
Pingback from Reflective Perspective - Chris Alcock » The Morning Brew #146
Always 英文技术文章参照( 十二 ){ UpdateTime:2008-7-30; } My article in the cnblogs
Jul 29, 2008 10:05 PM
#
Trackback
Link Listing - July 31, 2008
Jul 31, 2008 10:28 PM
#
ASP.NET How to Encrypt Query String Parameters in ASP.NET [Via: Keyvan Nayyeri ] Using client templates,...
Link Listing - July 31, 2008
Jul 31, 2008 10:29 PM
#
Link Listing - July 31, 2008
Kris
Oct 14, 2008 7:24 AM
#
This has got to be the dumbest idea ever. You should NEVER EVER need to encrypt a query string because NO CRITICAL information should EVER be passed via GET or POST.
God, it's no wonder websites are so easy to break into nowadays.
Keyvan Nayyeri
Oct 14, 2008 7:31 AM
#
@Kris
And you're the dumbest guy who can leave such stupid comments :-D
Nasir
Oct 15, 2008 4:38 AM
#
Dear I used to download your code... it give me error on Default file
Could not load type 'QueryStringEncryption._Default'.
I also try be renaming it but its not working .... plz if u have some solution u can tell me
Pasar datos entre paginas web en ASP.NET
Oct 21, 2008 7:50 AM
#
Aqui enumero los posibles metodos de pasaje de datos entre paginas ASP.NET ya sea en el cliente o en
Payam
Oct 22, 2008 6:25 AM
#
Hi there,
Nice code Keyvan but when i try to Decrypt my encrypted string I get this message:
"Invalid character in a Base-64 string"
Do you know how is that possible??
Thanks
Payam
Benjamin
Dec 19, 2008 11:22 AM
#
Hi,
This piece of code is quite useful but there is a problem with it.
It produces some encrypted strings which contain + character
This character makes a lot of problem when using querystrings.
For example if you have a querystring like ?id=weqSzS+sq
when you write
string strID = Request.QueryString["id"];
strID will contain 'weqSzS sq' and + character would be omitted.
It took me quite a long time to find the problem.
Anyway thanks for sharing this code:)
kp
Feb 12, 2009 6:46 PM
#
Use Server.URLEncode/Decode before encrypting/decrypting to avoid the base64 errors.
Taher
Feb 14, 2009 12:54 AM
#
Hi everyone. I am facing a problem. Assume that i have a query string like this.
default.aspx?userid=1&username=a&location=b
I wanted to encrypt everything in one... i.e all the three parameters in a single encrypted string. But on the receiving side.. how will i use Request.QueryString to get the query string values. I cant to Request.QueryString("userid") as in d URL userid will not be there.. So wat can i do for this ?
doof
Apr 17, 2009 12:43 AM
#
just encrypt the 3 params as a string
string myqrystring = crypto.encrypt(default.aspx?userid=1&username=a&location=b)
then pass it as www.mysite.com?myqrystring=xxxx
at the other end, decrypt, and iterate through each qry string named pair.
Jenna
Aug 19, 2009 2:46 PM
#
@kris
didn't u read the first parat...?
Joe
Dec 14, 2009 11:05 PM
#
Pradeep
Dec 29, 2009 8:04 AM
#
harjit singh
Jan 22, 2010 4:09 AM
#
Thanks,
Bye.
shailesh
Feb 17, 2010 5:38 AM
#
Hi kevyan
nice solution but your download link is not working please correct it..
Abhishek Sur
Feb 17, 2010 2:40 PM
#
I used Rijndael to encrypt and then turned it to Base64 string and sent through query string.
Al
Mar 04, 2010 4:29 AM
#
Hi, I've been having a quick look at encryption and came across this site ... I've noticed that some of you are having trouble with the "+" symbol ... apparently the Request.QueryString object interprets the "+" symbol as a space. A Replace function on the decrypt string should solve it. (I've not actually used any encryption yet but thought this may help. Source:http://devcity.net/PrintArticle.aspx?ArticleID=47)
Leave a Comment