tags:

views:

553

answers:

2
+2  Q: 

How to serialize an object in C# and prevent tampering?

I have a C# class as follows:

public class TestObj
{
    private int intval;
    private string stringval;
    private int[] intarray;
    private string[] stringarray;

    //... public properties not shown here
}

I would like to serialize an instance of this class into a string.

In addition:

I will be appending this string as a QueryString param to a URL. So I would like to take some effort to ensure that the string cannot be tampered with easily.

Also, I would like the serialization method to be efficient so the size of the string is minmal.

Any suggestions of specific .NET Framework classes/methods I should use?

+2  A: 
Alex  2009-08-25 21:24:11
The problem with this is that it doesn't address sharing or updating the secret with the destination. Presumably if he wants to prevent tampering, then the other side needs know how to check for invalid values. Also, if he uses a predictable secret, someone could tamper with the object and recalculate the hash.
Omniwombat  2009-08-25 21:32:14
Don't reinvent the wheel. The CLR provides HMAC signatures out of the box, reviewed by proper cryptographers.
Remus Rusanu  2009-08-25 21:33:45
@Omniwombat: This is surely not a high-security scenario as he's dealing with query string transmission of information. The pure existence of a secret will throw off any 'attacker'. Also, the secret can be chosen to be indefinitely complex which makes the hashing solution scalable to security needs, but in that case I'd rather encrypt the entire string along the line. Either way, for anything tamper-proof he will need access to the destination.
Alex  2009-08-25 21:37:58
@Alex Do be careful with terms like "surely not a high-security scenario" and "will throw off any 'attacker'" We don't know his requirements, and there will never be technology that is guaranteed to thwart _all_ attacks.(Also, I think you mean "arbitrarily" complex.)
Omniwombat  2009-08-25 21:53:36
@Omniwombat: I can leave comments all day criticizing other people's solutions. I have provided him with a solution that works quickly for what I can deduce his requirements are, instead of helping him write the entire thing with OTP supported RSA asynchronous encryption that is bank standard compliant. Key Point: I haven't seen you provide an answer. How about you give us an example of your code magic that will be reusable, highly secure, stable, with low processing overhead, no memory footprint, and maybe it can make coffee too while we're at it.
Alex  2009-08-25 22:01:33
+3  A: 

Sign the stream and add the signature to your query. Use a HMAC signing algorithm, like HMACSHA1. You will need to have a secret between your client and your server to sign and validate the signature.

Remus Rusanu  2009-08-25 21:28:39

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?