thespiceman
asked on
Encrypt Querystring using CAPICOM?
In ASP is it recommended to use CAPICOM (CAPICOM.EncryptedData) to encrypt the URL Querystring?
What's the point? Why do you need to encrypt?
If you really want to encrypt use POST method. These days hackers can break anything with the URL. POST is very secured and it only breaks when they hack the whole website.
ASKER
I recently encrypted the querystring using the Vernam Encryption technique http://www.4guysfromrolla.com/webtech/012000-1.shtml. This was done to prevent altering parameters in the querystring which was allowing the user to view products that were not yet released to the public. Works great...BUT...my manager wants to replace the Encrypt() and Decrypt() functions with the following ones that we use for encrypting data stored in our cookies. I need to know if this is as secure as the Encrypt() and Decrypt() functions and methodology described in http://www.4guysfromrolla.com/webtech/012000-1.shtml?
function Encrypt(val)
On Error resume next
err.Clear
set message = server.CreateObject("CAPICOM.EncryptedData")
message.Content = val
message.SetSecret MSCSSite.DisplayName
message.Algorithm.Name = 1 'CAPICOM_ENCRYPTION_ALGORITHM_RC4
'Encrypt the message storing the result in the encryptedmessage string
Encrypt = message.Encrypt
if err.number <> 0 then
Encrypt = val
end if
' Release the EncryptedData object.
Set message = Nothing
end function
function Decrypt(val)
On Error resume next
err.Clear
set message = server.CreateObject("CAPICOM.EncryptedData")
' If a message was read in (the length of the input string is
' greater than 0), set the password and decrypt the message.
If Len(val) > 0 Then
message.SetSecret MSCSSite.DisplayName
message.Decrypt val
Decrypt = message.Content
if err.number <> 0 then
Decrypt = val & "_ERR"
end if
Else
Decrypt = val
End If
Set message = Nothing
end function
Well what kind of encryption technology is used in CAPICOM? Is that better than the one you currently use? Go through their technical review.
But all these 3rd-party tools are better than standard encryption through VBScript. I use this simple VBScript stuff, but I am sure these guys use much better than this
Function P2E(myPass)
Dim i
P2E = ""
For i = 1 To Len(myPass)
P2E = P2E & Chr(Asc(Mid(myPass, i, 1)) + i)
Next
End Function
Function E2P(myPass)
Dim i
E2P = ""
For i = 1 To Len(myPass)
If Asc(Mid(myPass, i, 1)) > 32 Then
'Response.Write Mid(myPass, i, 1) & " - " & chr(Asc(Mid(myPass, i, 1))-i+1)& "<br>"
E2P = E2P & Chr(Asc(Mid(myPass, i, 1)) - i)
End If
Next
End Function
"If you really want to encrypt use POST method. These days hackers can break anything with the URL. POST is very secured and it only breaks when they hack the whole website."
Um, that's completely incorrect. I'm not trying to be rude or anything but hackers can break anything using the POST method just as easily as a query string.
Using a packet sniffer it would take about the same amount of time. Look, the point is that your statement "POST is very secured" is not only wrong but dangerously misleading. Normally I don't say anything when experts make mistakes but I felt that telling someone that POST is somehow secure could lead someone to design a site with deadly security flaws.
thespice - I've done some work with RC4 and encryption before - one of the holes you might fall foul of is the MS implementation of URL encoding (This issue is also present on Oracle's web server as well) in that null bytes (hex 00) don't get encoded correctly, so when you try to decode at the other end it gives a different result.
My advice to you is to use a custom URL encoder on top of the encryption at both ends regardless of form or query string data, otherwise you will be scratching your head for hours!
S.
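Two points in this thread deserve a worked illustration: the asker's actual goal (stopping users from altering querystring parameters to reach unreleased products) is an integrity problem rather than a confidentiality one, and the last reply's warning that raw ciphertext bytes such as hex 00 survive URL encoding badly. The example below is added here and is not code from the thread, from CAPICOM or from the 4guysfromrolla article; it is written in Python rather than classic ASP so the idea can be run stand-alone. It signs the canonical parameter string with an HMAC keyed by a server-side secret (a constructed value here; the key must be private configuration, not a public value like a site display name) and carries binary output through the URL as padding-free URL-safe base64, so bytes like 0x00 never reach the URL encoder. Any change to a parameter or to the tag makes verification fail.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key. In a real deployment this is loaded from protected
# server-side configuration and never derived from anything a visitor can see.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    """Encode arbitrary bytes (including 0x00) as unpadded URL-safe base64.

    The result uses only [A-Za-z0-9-_], so it passes through any URL encoder
    unchanged, which sidesteps the null-byte handling issue mentioned above.
    """
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 requires."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_params(params: dict, key: bytes = SECRET_KEY) -> str:
    """Build a query string whose parameters are protected by an HMAC tag.

    Parameters are sorted so the signed form is canonical regardless of the
    order the caller supplies them in. Values stay readable; the tag only
    proves they were produced by the server and not altered since.
    """
    canonical = urlencode(sorted(params.items()))
    tag = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    return canonical + "&sig=" + b64url_encode(tag)


def verify_params(query: str, key: bytes = SECRET_KEY):
    """Return the parameter dict if the tag verifies, otherwise None.

    A missing tag, a malformed tag, or any edit to the parameters or the tag
    all yield None, so the caller can refuse the request uniformly.
    """
    canonical, sep, tag_text = query.rpartition("&sig=")
    if not sep:
        return None  # no signature present
    try:
        tag = b64url_decode(tag_text)
    except ValueError:
        return None  # tag is not valid base64
    expected = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison; also returns False when lengths differ.
    if not hmac.compare_digest(tag, expected):
        return None
    parsed = parse_qs(canonical, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


if __name__ == "__main__":
    # Constructed sample: a product link that must not be edited by the user.
    link = sign_params({"productId": "42", "released": "0"})
    print("signed query :", link)
    print("verified     :", verify_params(link))
    # A visitor flips the flag by hand; the tag no longer matches.
    tampered = link.replace("released=0", "released=1")
    print("tampered     :", verify_params(tampered))
    # Binary data containing 0x00 round-trips cleanly through the URL-safe form.
    print("null bytes ok:", b64url_decode(b64url_encode(b"\x00ab\x00")) == b"\x00ab\x00")
```

The tag does not hide the parameter values; if the product id itself must stay secret, encrypt the canonical string first and then sign the ciphertext, still carrying both through b64url_encode. Either way the server refuses any request whose tag fails, which is the control the asker actually needs.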