Solved

Encrypt Querystring using CAPICOM?

Posted on 2006-07-13
10
2,128 Views
Last Modified: 2012-06-27
In ASP, is it recommended to use CAPICOM (CAPICOM.EncryptedData) to encrypt the URL Querystring?
0
Comment
Question by:thespiceman
10 Comments
 
LVL 31

Expert Comment

by:alorentz
ID: 17101581
What's the point?  Why do you need to encrypt?
0
 
LVL 20

Expert Comment

by:jitganguly
ID: 17101831
If you really want to encrypt use POST method. These days hackers can break anything with the URL. POST is very secured and it only breaks when they hack the whole website.
0
 

Author Comment

by:thespiceman
ID: 17101853
I recently encrypted the querystring using the Vernam Encryption technique http://www.4guysfromrolla.com/webtech/012000-1.shtml.  This was done to prevent altering parameters in the querystring which was allowing the user to view products that were not yet released to the public. Works great...BUT...my manager wants to replace the Encrypt() and Decrypt() functions with the following ones that we use for encrypting data stored in our cookies.  I need to know if this is as secure as the Encrypt() and Decrypt() functions and methodology described in http://www.4guysfromrolla.com/webtech/012000-1.shtml?

function Encrypt(val)
      On Error Resume Next
      err.Clear
      ' CAPICOM.EncryptedData performs password-based symmetric encryption.
      set message = server.CreateObject("CAPICOM.EncryptedData")
      message.Content = val
      ' The secret is derived from the Commerce Server site name.
      message.SetSecret MSCSSite.DisplayName

      message.Algorithm.Name = 1 'CAPICOM_ENCRYPTION_ALGORITHM_RC4

      'Encrypt the message storing the result in the encryptedmessage string
      Encrypt = message.Encrypt

      ' On any error, fall back to returning the input unchanged.
      if err.number <> 0 then
            Encrypt = val
      end if

      ' Release the EncryptedData object.
      Set message = Nothing
end function

function Decrypt(val)
      On Error Resume Next
      err.Clear
      set message = server.CreateObject("CAPICOM.EncryptedData")

      ' If a message was read in (the length of the input string is
      ' greater than 0), set the password and decrypt the message.
      If Len(val) > 0 Then
            message.SetSecret MSCSSite.DisplayName
            message.Decrypt val
            Decrypt = message.Content
            ' A malformed token or wrong secret marks the value instead of raising.
            if err.number <> 0 then
                  Decrypt = val & "_ERR"
            end if
      Else
            Decrypt = val
      End If

      Set message = Nothing
end function
0
 
LVL 20

Expert Comment

by:jitganguly
ID: 17101932
Well what kind of encryption technology is used in CAPICOM? Is that better than the one you currently use? Go through their technical review.
But all these 3rd party tools are better than standard encryption through VBScript. I use this simple VBScript stuff, but I am sure these guys use much better than this

Function P2E(myPass)
    Dim i

    P2E = ""
    For i = 1 To Len(myPass)
        P2E = P2E & Chr(Asc(Mid(myPass, i, 1)) + i)
    Next

End Function


Function E2P(myPass)
    Dim i

    E2P = ""
    For i = 1 To Len(myPass)
        If Asc(Mid(myPass, i, 1)) > 32 Then
            'Response.Write Mid(myPass, i, 1) & " - " & chr(Asc(Mid(myPass, i, 1))-i+1)& "<br>"
            E2P = E2P & Chr(Asc(Mid(myPass, i, 1)) - i)
        End If
    Next
End Function
0
 
LVL 14

Expert Comment

by:CyrexCore2k
ID: 17103380
"If you really want to encrypt use POST method. These days hackers can break anything with the URL. POST is very secured and it only breaks when they hack the whole website."

Um, that's completely incorrect. I'm not trying to be rude or anything but hackers can break anything using the POST method just as easily as a query string.
0
 
LVL 14

Expert Comment

by:CyrexCore2k
ID: 17103506
Using a packet sniffer it would take about the same amount of time. Look the point is that your statement "POST is very secured" is not only wrong but dangerously misleading. Normally I don't say anything when experts make mistakes but I felt that telling someone that POST is somehow secure could lead someone to design a site with deadly security flaws.
0
 
LVL 14

Assisted Solution

by:CyrexCore2k
CyrexCore2k earned 350 total points
ID: 17105390
thespice - Sorry to get off track.

Since I don't know exactly how CAPICOM encrypts strings I can't say for sure. But personally I would trust it. It's not a very complicated encryption task and if it's been working for your cookies it should work fine for your query strings. If you really want to know for sure I would do away with CAPICOM altogether and encrypt it using an RC4 algorithm since 1) it's industry standard, 2) you can see the source code and best of all 3) it's free.
0
 
LVL 25

Accepted Solution

by:kevp75
kevp75 earned 150 total points
ID: 17105407
0
 
LVL 7

Expert Comment

by:SimonBlake
ID: 17107465
thespice - I've done some work with RC4 and encryption before - one of the holes you might fall foul of is the MS implementation of URL encoding (this issue is also present on Oracle's web server) in that null bytes (hex 00) don't get encoded correctly, so when you try to decode at the other end it gives a different result.

My advice to you is to use a custom URL encoder on top of the encryption at both ends regardless of form or query string data, otherwise you will be scratching your head for hours!

S.
0
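The point SimonBlake makes above, as an added example in Python (not code from the thread, and not Microsoft's CAPICOM): RC4 ciphertext is raw bytes, NUL included, so the sender wraps it in URL-safe base64 before it goes into a query string and the receiver rejects any token that contains other characters. The function names `rc4`, `encrypt_for_query` and `decrypt_from_query` are assumed here; the docstrings note that this gives confidentiality only, so the server still has to authorise the decrypted value.

```python
import base64
import re

# Added demonstration, not code from the thread. RC4 appears only because the
# thread discusses it; it is obsolete and must not be chosen for new designs.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def has_url_hostile_bytes(ciphertext: bytes) -> bool:
    """True if any byte is NUL or otherwise outside printable ASCII, i.e. the
    raw ciphertext must not go into a query string (NUL is SimonBlake's case)."""
    return any(b < 0x21 or b > 0x7E for b in ciphertext)

def is_url_safe_token(token: str) -> bool:
    """Only A-Z, a-z, 0-9, '-' and '_', which no URL encoder rewrites."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None

def encrypt_for_query(key: bytes, value: bytes) -> str:
    """Encrypt, then wrap in unpadded base64url so nothing depends on the
    server's URL encoder. Confidentiality only: a stream cipher does not
    detect tampering, so the server must still authorise the decrypted id."""
    token = base64.urlsafe_b64encode(rc4(key, value)).decode("ascii")
    return token.rstrip("=")

def decrypt_from_query(key: bytes, token: str) -> bytes:
    """Reverse encrypt_for_query; reject anything outside the base64url set."""
    if not is_url_safe_token(token):
        raise ValueError("token is not base64url")
    padded = token + "=" * (-len(token) % 4)
    return rc4(key, base64.urlsafe_b64decode(padded))
```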
