encrypting inbox style

Hi all,

We have created a messaging structure for one of our sites (i.e. a Hotmail-style inbox, etc.).

Now we want to avoid URL hacking with the view message page. To avoid this we are looking at encrypting the query string to avoid the hacking (or another solution if you can recommend a better one).

So the user would log in (the site is using auth=form) (here we would create a unique encryption key and store it in a session??)

The user would then go to their inbox, and when they click to view the whole message we will encrypt the data, pass it to the view message page and decode it to load it.

Can anyone provide some code (or links) for this please?

Also, one problem I envisage is with the session variables timing out before the auth=forms does. Are there any precautions I can take to completely remove this issue?

Thanks in advance for the help guys.

Matt.
flynny asked:

r3nder commented:
Here is how to encrypt data and pass it to the memory stream.


using System.IO;
using System.Security.Cryptography;

// _algorithm (a SymmetricAlgorithm instance) and CreateKeyIV (which derives the key
// and IV from the password) are defined elsewhere in the same class and are not shown here.
public static string Decrypt(string password, Stream encrypted)
{
    byte[] key, iv;
    CreateKeyIV(password, out key, out iv);
    // Wrap the ciphertext stream in a decrypting CryptoStream and read the plaintext back as text.
    using (CryptoStream dec = new CryptoStream(encrypted, _algorithm.CreateDecryptor(key, iv), CryptoStreamMode.Read))
    using (StreamReader reader = new StreamReader(dec))
    {
        return reader.ReadToEnd();
    }
}

flynny (Author) commented:
Hi r3nder, many thanks for the method.

So does this method encrypt and decrypt?

So rather than encrypting and having a key, we could simply encrypt and decrypt using the password for the user stored in the DB?

So when the user clicks to view the new message, could you provide an example of using the method please?

When we enter the page with the encrypted query string, we then simply use the following:

Decrypt(<pass from db>, querystring converted to stream?)

Thanks again,

Matt.


r3nder commented:
Here is a working example
http://www.codeproject.com/KB/security/DotNetCrypto.aspx
and here
http://www.joshrharrison.com/archive/2009/01/28/c-encryption.aspx
and this is how I do it

using System;
using System.Data;
using System.Configuration;
using System.Text;
using System.Security.Cryptography;

namespace Encription
{
    class CryptorEngine
    {
        // Encrypts a string with TripleDES and returns the ciphertext as Base64.
        // Note: the key is hard-coded and the cipher runs in ECB mode, so identical
        // plaintext blocks produce identical ciphertext blocks; anyone with this
        // source can decrypt the output.
        public static string Encrypt(string ToEncrypt, bool useHashing)
        {
            byte[] keyArray;
            byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(ToEncrypt);
            //System.Configuration.AppSettingsReader settingsReader = new AppSettingsReader();
            string Key = "Bhagwati";
            if (useHashing)
            {
                // MD5 turns the 8-byte string into a 16-byte key, which is a valid
                // TripleDES key size (128 bits).
                MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
                keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(Key));
                hashmd5.Clear();
            }
            else
            {
                // The raw 8-byte string is NOT a valid TripleDES key size (16 or 24
                // bytes are required), so this branch throws a CryptographicException.
                keyArray = UTF8Encoding.UTF8.GetBytes(Key);
            }
            TripleDESCryptoServiceProvider tDes = new TripleDESCryptoServiceProvider();
            tDes.Key = keyArray;
            tDes.Mode = CipherMode.ECB;
            tDes.Padding = PaddingMode.PKCS7;
            ICryptoTransform cTransform = tDes.CreateEncryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
            tDes.Clear();
            return Convert.ToBase64String(resultArray, 0, resultArray.Length);
        }

        // Reverses Encrypt: Base64-decodes the input and decrypts it with the same key.
        public static string Decrypt(string cypherString, bool useHashing)
        {
            byte[] keyArray;
            byte[] toDecryptArray = Convert.FromBase64String(cypherString);
            //System.Configuration.AppSettingsReader settingReader = new AppSettingsReader();
            string key = "Bhagwati";
            if (useHashing)
            {
                MD5CryptoServiceProvider hashmd = new MD5CryptoServiceProvider();
                keyArray = hashmd.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
                hashmd.Clear();
            }
            else
            {
                keyArray = UTF8Encoding.UTF8.GetBytes(key);
            }
            TripleDESCryptoServiceProvider tDes = new TripleDESCryptoServiceProvider();
            tDes.Key = keyArray;
            tDes.Mode = CipherMode.ECB;
            tDes.Padding = PaddingMode.PKCS7;
            ICryptoTransform cTransform = tDes.CreateDecryptor();
            try
            {
                // A tampered or truncated Base64 input fails here with a CryptographicException.
                byte[] resultArray = cTransform.TransformFinalBlock(toDecryptArray, 0, toDecryptArray.Length);
                tDes.Clear();
                return UTF8Encoding.UTF8.GetString(resultArray, 0, resultArray.Length);
            }
            catch (Exception)
            {
                // Rethrow without resetting the stack trace ("throw ex;" would lose it).
                throw;
            }
        }
    }
}

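The question also invited a different solution, so here is an added example (not code from either poster) of the alternative the question hints at: instead of encrypting the message id in the URL, the view page checks server-side that the requested message belongs to the forms-authenticated user, so a tampered id returns 404 and nothing depends on a session-held key expiring before the auth cookie. It assumes a hypothetical table Messages(MessageId, OwnerUserId, Subject, Body), a connection string named "Inbox", and a page ViewMessage.aspx reached as ?id=123.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class Message { public int MessageId; public string Subject; public string Body; }

public static class MessageStore
{
    // Hypothetical schema: Messages(MessageId, OwnerUserId, Subject, Body).
    // Ownership is part of the WHERE clause, so an id edited in the URL to point
    // at another user's message returns no row rather than their mail.
    public static Message LoadForOwner(int messageId, string ownerUserId)
    {
        string cs = ConfigurationManager.ConnectionStrings["Inbox"].ConnectionString;
        using (SqlConnection cn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT MessageId, Subject, Body FROM Messages " +
            "WHERE MessageId = @id AND OwnerUserId = @owner", cn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = messageId;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = ownerUserId;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                return new Message { MessageId = r.GetInt32(0),
                                     Subject = r.GetString(1), Body = r.GetString(2) };
            }
        }
    }
}

// Code-behind for the hypothetical ViewMessage.aspx page.
public partial class ViewMessage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication fills User.Identity; the user name is the owner key,
        // so there is no per-session secret that could time out before the auth cookie.
        int id;
        if (!User.Identity.IsAuthenticated || !int.TryParse(Request.QueryString["id"], out id))
            throw new HttpException(404, "Not found");
        Message m = MessageStore.LoadForOwner(id, User.Identity.Name);
        if (m == null)
            throw new HttpException(404, "Not found"); // not yours: same answer as nonexistent
        // ... bind m.Subject and m.Body to the page controls here
    }
}
```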