I have been using Symmetric (Rijndael) Key Algorithm (http://www.obviex.com/samples/Encryption.aspx) for a while to encrypt an ID. Then I URL encode the encrypted version of the ID and pass it in the query string. When I retrieve the ID from the query string, I URL decode it first and I decrypt it.

A problem came up recently. If the encrypted ID has both "spaces" and "+" (e.g. "abc ef+g"), URL-encoding it changes all "spaces" to "+". This is a problem when I URL-decode the ID since I don't know which "+" was a "+" and which "+" was a "space".

Is there an option that lets me pick the output character set to be only the alphabet (i.e. the encrypted ID only uses A-Z)? Or is there any other two-way encryption algorithm that has the option for me to pick the output character set?

Or I guess my last option would be to manually replace "+" in the encrypted ID with something like "_SPACE_"

Thanks

A: 

Well, to answer your question at a basic level: Yes, encode the encrypted result in base64.

But I must admit, I'm pretty concerned about your approach in general.

Noon Silk
What can I do to pass an encrypted ID in the querystring?
David
Well your method is fine enough, but I just wonder why you are using an approach like this, as opposed to say just a general login system to determine who can do that.
Noon Silk
This ID is not a user ID. It's a PK of a table in my database. For security reasons, I don't want the user to know the exact ID.
David
The general solution for that, then, would be to store a GUID against the row as well, and use that as the public identifier. Encryption is just wasting the time of your server.
Noon Silk
A: 

You should take a look at how I decided to manage my way of hiding the ID (in my case a GUID, but it can be any encrypted string).

link

Fredou
A: 

You need to URL encode your encrypted ID when passed as query parameters.

I prefer a URL-safe version of Base64 for anything used in query parameters or cookies.

ZZ Coder
I use HttpUtility.UrlEncode() to urlencode my encrypted ID. If my encrypted ID is "abc e+", the URLencoded ID is "abc+e+". How do I URLdecode "abc+e+" later on?
David
Your UrlEncode() is wrong. It should output "abc+e%2b". + should always be encoded. Besides, you shouldn't use spaces in the ID. It should be a Base64-encoded string.
ZZ Coder
Yes, you are correct. It turned out that the problem was that I was getting the querystring with HttpUtility.ParseQueryString(), which already URL-decodes the querystring. I also called HttpUtility.UrlDecode(). So I ended up URL-decoding twice.
David
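The double-decoding problem and the URL-safe Base64 approach discussed in this answer, shown side by side as an added example that is not part of the original posts. The `UrlSafeToken` helper and the sample bytes are constructed for illustration; the bytes stand in for real cipher output.

```csharp
using System;
using System.Web; // HttpUtility

static class UrlSafeToken
{
    // URL-safe Base64: '+' becomes '-', '/' becomes '_', '=' padding is dropped.
    public static string Encode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Decode(string token)
    {
        string b64 = token.Replace('-', '+').Replace('_', '/');
        // Restore the padding that Encode() removed.
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: chosen so standard Base64 contains '+', '/' and '='.
        byte[] cipher = { 0xFB, 0xEF, 0xBE, 0xFF, 0x01 };
        string std = Convert.ToBase64String(cipher);

        // Standard Base64 must be escaped before it goes into the query string.
        string query = "id=" + HttpUtility.UrlEncode(std);

        // ParseQueryString already URL-decodes each value.
        string once = HttpUtility.ParseQueryString(query)["id"];
        // Decoding a second time turns every literal '+' into a space.
        string twice = HttpUtility.UrlDecode(once);

        Console.WriteLine($"query string  : {query}");
        Console.WriteLine($"decoded once  : [{once}] intact={once == std}");
        Console.WriteLine($"decoded twice : [{twice}] intact={twice == std}");

        // URL-safe Base64 has no characters that need escaping, so an
        // accidental second decode leaves the value unchanged.
        string token = UrlSafeToken.Encode(cipher);
        string parsed = HttpUtility.ParseQueryString("id=" + token)["id"];
        string parsedTwice = HttpUtility.UrlDecode(parsed);
        bool roundTrip =
            Convert.ToBase64String(UrlSafeToken.Decode(parsedTwice)) == std;

        Console.WriteLine($"url-safe token: [{token}] intact={roundTrip}");
    }
}
```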
A: 

Can you manually encode the URL so the spaces are changed to %20 instead of +?

Dave Webb
Thanks. I think I will also replace + with %2B manually.
David