encrypting inbox style

Hi all,

We have created a messaging structure for one of our sites (i.e. a Hotmail-style inbox, etc.).

Now we want to avoid URL hacking with the view message page. To avoid this we are looking at encrypting the querystring to avoid the hacking (or another solution if you can recommend a better one).

So the user would log in (the site is using auth=form) (here we would create a unique encryption key and store it in a session??).

The user would then go to their inbox, and when they click to view the whole message we will encrypt the data, pass it to the view message page and decode it to load it.

Can anyone provide some code (or links) for this please?

Also, one problem I envisage is with the session variables timing out before the auth=forms does. Are there any precautions I can take to completely remove this issue?

Thanks in advance for the help guys.

Matt.
flynnyAsked:
r3nderCommented:
Here is a working example
http://www.codeproject.com/KB/security/DotNetCrypto.aspx
and here
http://www.joshrharrison.com/archive/2009/01/28/c-encryption.aspx
and this is how I do it

using System;
using System.Data;
using System.Configuration;
using System.Text;
using System.Security.Cryptography;

namespace Encription
{
    class CryptorEngine
    {
        // Encrypts a string with TripleDES (ECB, PKCS7) using a fixed key and returns Base64.
        // When useHasing is true the key is the MD5 digest of the key string (16 bytes).
        public static string Encrypt(string ToEncrypt, bool useHasing)
        {
            byte[] keyArray;
            byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(ToEncrypt);
            //System.Configuration.AppSettingsReader settingsReader = new AppSettingsReader();
            string Key = "Bhagwati";
            if (useHasing)
            {
                MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
                keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(Key));
                hashmd5.Clear();
            }
            else
            {
                keyArray = UTF8Encoding.UTF8.GetBytes(Key);
            }
            TripleDESCryptoServiceProvider tDes = new TripleDESCryptoServiceProvider();
            tDes.Key = keyArray;
            tDes.Mode = CipherMode.ECB;
            tDes.Padding = PaddingMode.PKCS7;
            ICryptoTransform cTransform = tDes.CreateEncryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
            tDes.Clear();
            return Convert.ToBase64String(resultArray, 0, resultArray.Length);
        }

        // Reverses Encrypt: Base64-decodes, derives the same key and decrypts with TripleDES.
        public static string Decrypt(string cypherString, bool useHasing)
        {
            byte[] keyArray;
            byte[] toDecryptArray = Convert.FromBase64String(cypherString);
            //byte[] toEncryptArray = Convert.FromBase64String(cypherString);
            //System.Configuration.AppSettingsReader settingReader = new AppSettingsReader();
            string key = "Bhagwati";
            if (useHasing)
            {
                MD5CryptoServiceProvider hashmd = new MD5CryptoServiceProvider();
                keyArray = hashmd.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
                hashmd.Clear();
            }
            else
            {
                keyArray = UTF8Encoding.UTF8.GetBytes(key);
            }
            TripleDESCryptoServiceProvider tDes = new TripleDESCryptoServiceProvider();
            tDes.Key = keyArray;
            tDes.Mode = CipherMode.ECB;
            tDes.Padding = PaddingMode.PKCS7;
            ICryptoTransform cTransform = tDes.CreateDecryptor();
            try
            {
                byte[] resultArray = cTransform.TransformFinalBlock(toDecryptArray, 0, toDecryptArray.Length);

                tDes.Clear();
                return UTF8Encoding.UTF8.GetString(resultArray, 0, resultArray.Length);
            }
            catch (Exception)
            {
                // Rethrow without resetting the stack trace (throw ex; would discard it).
                throw;
            }
        }
    }
}

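Encrypting the id hides it, but it is not what actually stops one user from opening another user's message: only a server-side ownership check does that, and it is needed whether or not the querystring is encrypted. The example below is added here and is not part of the thread or the poster's code; it shows what the view message page should do with the id it receives under forms authentication. The Message type, the OwnerUserName column and the in-memory store are constructed stand-ins for the site's real table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the thread): the view-message page looks the message up and
// checks that it belongs to the logged-in user, so a tampered id in the URL gets
// "not found" instead of someone else's message. Types and data are constructed.
public class Message
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }   // assumed column: the user allowed to read this message
    public string Subject { get; set; }
    public string Body { get; set; }
}

public static class MessageAccess
{
    // Constructed in-memory stand-in for the messages table.
    private static readonly List<Message> Store = new List<Message>
    {
        new Message { Id = 1, OwnerUserName = "matt",  Subject = "hello", Body = "first message" },
        new Message { Id = 2, OwnerUserName = "alice", Subject = "hi",    Body = "not for matt" },
    };

    // Returns the message only when it exists AND is owned by currentUser; otherwise null.
    // Using the same null for "missing" and "not yours" avoids confirming which ids exist.
    public static Message GetForViewer(int messageId, string currentUser)
    {
        if (string.IsNullOrEmpty(currentUser)) return null;
        return Store.FirstOrDefault(m => m.Id == messageId
            && string.Equals(m.OwnerUserName, currentUser, StringComparison.Ordinal));
    }

    // What Page_Load of the view page would do, given the forms-auth user name
    // (HttpContext.Current.User.Identity.Name) and the raw "id" querystring value.
    public static string RenderOrDeny(string idFromQueryString, string currentUser)
    {
        int id;
        if (!int.TryParse(idFromQueryString, out id))
            return "404 Not Found";                // malformed id: no lookup at all
        Message m = GetForViewer(id, currentUser);
        if (m == null)
            return "404 Not Found";                // missing or not owned: same answer
        return "Subject: " + m.Subject + "\n" + m.Body;
    }

    public static void Main()
    {
        Console.WriteLine(MessageAccess.RenderOrDeny("1", "matt"));   // matt's own message
        Console.WriteLine(MessageAccess.RenderOrDeny("2", "matt"));   // alice's message: 404 Not Found
        Console.WriteLine(MessageAccess.RenderOrDeny("x", "matt"));   // garbage id: 404 Not Found
    }
}
```

With this check in place the id can stay in plain sight in the URL. Two cautions on the posted CryptorEngine if it is used anyway: the key is a fixed string compiled into the assembly (and, with useHasing, an MD5 of that string), and ECB mode produces the same ciphertext for the same id every time, so the encryption adds obscurity rather than an access control.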
r3nderCommented:
here is how to encrypt data and pass it to the memory stream


using System.IO;
using System.Security.Cryptography;

// _algorithm (a SymmetricAlgorithm instance) and CreateKeyIV (which derives the key and IV
// from the password) are referenced here but were not included in the post.
public static string Decrypt(string password, Stream encrypted)
{
    byte[] key, iv;
    CreateKeyIV(password, out key, out iv);
    using (CryptoStream dec = new CryptoStream(encrypted, _algorithm.CreateDecryptor(key, iv), CryptoStreamMode.Read))
    using (StreamReader reader = new StreamReader(dec))
    {
        return reader.ReadToEnd();
    }
}

flynnyAuthor Commented:
Hi r3nder, many thanks for the method.

So does this method encrypt and decrypt?

So rather than encrypting and having a key, we could simply encrypt and decrypt using the password for the user stored in the db?

So when the user clicks to view the new message, could you provide an example of using the method please?

When we enter the page with the encrypted query string we then simply use the following:

Decrypt(<pass from db>, querystring converted to stream?)

Thanks again,

Matt.
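If the querystring value is to be protected anyway, the thing that matters is that the page can detect a modified token, which plain encryption (and especially ECB) does not give you. The example below is added here and is not code from the thread; it protects a value with AES-CBC under a fresh random IV and then authenticates IV plus ciphertext with HMAC-SHA256, rejecting anything that was altered before decrypting it. The keys are per-application secrets that would be loaded from web.config or a key store (the two 32-byte strings here are constructed placeholders): using the user's database password as the key, as asked above, would tie message links to that password, and keeping the key in Session is what creates the session-timeout problem in the first place, since a per-application key outlives any session.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): a tamper-evident, opaque querystring token.
// Encrypt-then-MAC: AES-CBC with a random IV, then HMAC-SHA256 over IV || ciphertext.
public static class QueryStringToken
{
    // Constructed 32-byte keys for the example; in deployment load them from configuration,
    // never from the user's password and never from Session.
    private static readonly byte[] EncKey = Encoding.UTF8.GetBytes("example-enc-key-32-bytes-long!!!");
    private static readonly byte[] MacKey = Encoding.UTF8.GetBytes("example-mac-key-32-bytes-long!!!");
    private const int IvLen = 16, TagLen = 32;

    public static string Protect(string plaintext)
    {
        using (var aes = Aes.Create())               // CBC + PKCS7 are the defaults
        {
            aes.Key = EncKey;
            aes.GenerateIV();                         // fresh random IV per token
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                cipher = enc.TransformFinalBlock(pt, 0, pt.Length);
            }
            byte[] body = Concat(aes.IV, cipher);
            byte[] tag;
            using (var hmac = new HMACSHA256(MacKey)) tag = hmac.ComputeHash(body);
            return ToBase64Url(Concat(body, tag));    // URL-safe, no extra encoding needed
        }
    }

    // Returns null for any malformed or tampered token rather than leaking an exception.
    public static string Unprotect(string token)
    {
        byte[] blob;
        try { blob = FromBase64Url(token); } catch (FormatException) { return null; }
        if (blob.Length < IvLen + 16 + TagLen) return null;        // IV + one block + tag
        int bodyLen = blob.Length - TagLen;
        byte[] body = new byte[bodyLen]; Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
        byte[] tag = new byte[TagLen];   Buffer.BlockCopy(blob, bodyLen, tag, 0, TagLen);
        byte[] expected;
        using (var hmac = new HMACSHA256(MacKey)) expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(tag, expected)) return null;          // check the MAC before decrypting
        byte[] iv = new byte[IvLen];            Buffer.BlockCopy(body, 0, iv, 0, IvLen);
        byte[] cipher = new byte[bodyLen - IvLen]; Buffer.BlockCopy(body, IvLen, cipher, 0, cipher.Length);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(EncKey, iv))
        {
            byte[] pt = dec.TransformFinalBlock(cipher, 0, cipher.Length);
            return Encoding.UTF8.GetString(pt);
        }
    }

    // Constant-time comparison so the MAC check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
    private static string ToBase64Url(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    private static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        t = t.PadRight(t.Length + (4 - t.Length % 4) % 4, '=');
        return Convert.FromBase64String(t);
    }

    public static void Main()
    {
        string token = Protect("42");                       // goes into ViewMessage.aspx?m=<token>
        Console.WriteLine(Unprotect(token));                // "42"
        string flipped = (token[0] == 'A' ? "B" : "A") + token.Substring(1);
        Console.WriteLine(Unprotect(flipped) == null);      // true: altered token is rejected
    }
}
```

On the view page, a null from Unprotect is treated exactly like a bad id (a 404), and the recovered id still goes through the ownership check; the token only stops the id from being read or edited in the address bar, it does not replace authorization.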