Encrypting QueryStrings with .NET
by Tiberius OsBurn | Published  09/04/2002 | Security Web Development | Rating:
Tiberius OsBurn

Tiberius OsBurn is a Senior Developer/System Analyst for The Gallup Organization (http://www.gallup.com). He recently completed a huge data warehousing project that archived data and documents from 1935 to the present - all coded in C#, SQL Server and ASP.NET.

Tiberius has extensive experience in VB, VB.NET, C#, SQL Server, ASP.NET and various other web technologies. Be sure to visit his site for his latest articles of interest to .NET developers.

http://tiberi.us

 


Once upon a time in the tech world, obscurity was security - this being most true in the early years of the industry, when there were gaping holes in privacy policies and confidential client information was bandied about from site to site without a care as to who actually could read the information.

With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the most innocuous user data. If you ever need to 'piggy-back' information from one web page to another, whether it is within a POST or a GET parameter, you're passing clear information that anyone can sniff - and that's a bad thing.

If you're not going to use a session variable for storing end user information, you're most likely going to keep some sort of State by passing the information to a cookie or push it around with GET/POST parameters. If you're passing around any sort of ID or user information like their name, it's better to err on the side of caution and encrypt the information.

GET Vs. POST

A POST parameter keeps the information out of the URL, but it can still be sniffed quite easily as it passes in clear text across your network or the Internet. Using POST will keep the mere curious at bay, as the information is not contained in the URL - but this will not stop someone determined to snag out your data.

A QueryString parameter passes information within the site's URL. Why would you even use a QueryString? Well, maybe you need to let your user bookmark a particular page, or maybe you have to refer directly to a page in a URL via a link - you can't do either if you're using POST. A QueryString puts data in the URL for the entire world to see, so if you don't know if the end user is malicious, I'd think hard about using a QueryString for anything but site-related information.

Be smart and encrypt any and all data you're moving around from page to page, especially if that information could be used maliciously. You may trust your users, but you still need that extra level of security that clear text GET/POST data doesn't provide.

Imagine this scenario - you've been passing the customer's ID in the database around in a QueryString, in a URL that looks like this:

http://yoursite.com?cust_id=29

You know what a user is going to do? Switch that 29 to a 30 or 12 or some other number, and if you're not checking for invalid requests, you'll be dishing up some other customer's data.

Enter Encryption

What I was looking for was a quick way to encrypt and decrypt parts of a QueryString - it had to be on the fly, quick and dirty.

I chose Base64 because it wouldn't throw bizarre characters in my QueryString that I couldn't pass around… Little did I know that I'd hit a snag while passing around my encrypted QueryString - apparently, the Request.QueryString object interprets the '+' sign as a space! So, with a quick Replace function slapped on my decrypt string, no harm, no foul.

Symmetric Key

The whole trick to this working is that the QueryString is encrypted and decrypted with the same private key. This is the secret key - if anyone gets a hold of your key, they can decrypt the data themselves, so keep it a secret!

We're going to use a hard-to-crack 8 byte key, !#$a54?3, to keep parts of our QueryString secret.

Let's walk through the C# portion of the code:

Notice our two functions that abstract the dirty work that our Encryption64 class does. The first, encryptQueryString, is used to encrypt the value of a QueryString. The second, decryptQueryString, is used to decrypt the value of an encrypted QueryString.

public string encryptQueryString(string strQueryString) {
    ExtractAndSerialize.Encryption64 oES = 
        new ExtractAndSerialize.Encryption64();
    return oES.Encrypt(strQueryString,"!#$a54?3");
}

public string decryptQueryString(string strQueryString) {
    ExtractAndSerialize.Encryption64 oES = 
        new ExtractAndSerialize.Encryption64();
    return oES.Decrypt(strQueryString,"!#$a54?3");
}

If we wanted to encrypt our QueryString on our first page, we could do something like this:

string strValues = "search term";
string strURL = "http://yoursite.com?search=" 
    + encryptQueryString(strValues);
Response.Redirect(strURL);

Inside the code-behind of our second page, we pass the contents of our QueryString to a variable named strScramble. After that, we put back the '+' signs that our wonderful Request.QueryString has replaced with spaces. We pass that string into our function, decryptQueryString, and retrieve the decrypted string.

string strScramble =  Request.QueryString["search"];
string strdeCrypt = decryptQueryString(
    strScramble.Replace(" ", "+"));

Now we've decrypted the value of the QueryString, 'search', and we can do whatever we want with it. The end user is going to see a URL that looks like:

http://yoursite.com?search=da00992Lo39+343dw

They'll never be able to guess what's going on in your QueryString, and if they try to fool around with it, there's no way to crack the code without knowing the Symmetric key.

VB.NET

Imports System
Imports System.IO
Imports System.Xml
Imports System.Text
Imports System.Security.Cryptography

Public Class Encryption64
    Private key() As Byte = {}
    ' Fixed 8-byte initialization vector shared by Encrypt and Decrypt
    Private IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}

    Public Function Decrypt(ByVal stringToDecrypt As String, _
        ByVal sEncryptionKey As String) As String
        Dim inputByteArray(stringToDecrypt.Length) As Byte
        Try
            ' DES takes an 8-byte key, so only the first 8 characters are used
            key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8))
            Dim des As New DESCryptoServiceProvider()
            inputByteArray = Convert.FromBase64String(stringToDecrypt)
            Dim ms As New MemoryStream()
            Dim cs As New CryptoStream(ms, des.CreateDecryptor(key, IV), _
                CryptoStreamMode.Write)
            cs.Write(inputByteArray, 0, inputByteArray.Length)
            cs.FlushFinalBlock()
            Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8
            Return encoding.GetString(ms.ToArray())
        Catch e As Exception
            ' On failure the error text is returned in place of the plaintext
            Return e.Message
        End Try
    End Function

    Public Function Encrypt(ByVal stringToEncrypt As String, _
        ByVal SEncryptionKey As String) As String
        Try
            key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8))
            Dim des As New DESCryptoServiceProvider()
            Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes( _
                stringToEncrypt)
            Dim ms As New MemoryStream()
            Dim cs As New CryptoStream(ms, des.CreateEncryptor(key, IV), _
                CryptoStreamMode.Write)
            cs.Write(inputByteArray, 0, inputByteArray.Length)
            cs.FlushFinalBlock()
            ' Base64 output may contain '+', '/' and '='
            Return Convert.ToBase64String(ms.ToArray())
        Catch e As Exception
            Return e.Message
        End Try
    End Function

End Class
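
An added example, not part of the original article or its Encryption64 class: the same query-string round trip using AES with a fresh random IV per value, an HMAC-SHA256 tag so that an edited value is rejected instead of decrypted, and URL-safe Base64 so that no '+' replacement is needed. The class QueryToken, its method names and the randomly generated demo keys are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the article's Encryption64 class. QueryToken and its member names are hypothetical.
public static class QueryToken
{
    // Token bytes before encoding: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32)
    private const int IvLen = 16, BlockLen = 16, TagLen = 32;

    public static string Protect(string plain, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;      // 16, 24 or 32 random bytes, not typed characters
            aes.GenerateIV();      // fresh IV per token: equal inputs give different tokens
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] ct, tag;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] token = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, token, 0, IvLen);
            Buffer.BlockCopy(ct, 0, token, IvLen, ct.Length);
            using (HMACSHA256 mac = new HMACSHA256(macKey))
                tag = mac.ComputeHash(token, 0, IvLen + ct.Length);  // tag covers IV and ciphertext
            Buffer.BlockCopy(tag, 0, token, IvLen + ct.Length, TagLen);
            return ToUrlSafe(token);
        }
    }

    // Returns false, without decrypting, for any malformed or modified token.
    public static bool TryUnprotect(string token, byte[] encKey, byte[] macKey, out string plain)
    {
        plain = null;
        if (token == null) return false;
        byte[] raw, expected;
        try { raw = FromUrlSafe(token); }
        catch (FormatException) { return false; }
        int ctLen = raw.Length - IvLen - TagLen;
        if (ctLen < BlockLen || ctLen % BlockLen != 0) return false;

        using (HMACSHA256 mac = new HMACSHA256(macKey))
            expected = mac.ComputeHash(raw, 0, IvLen + ctLen);
        int diff = 0;      // compare every byte so timing does not reveal where the tags differ
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ raw[IvLen + ctLen + i];
        if (diff != 0) return false;

        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = encKey;
                byte[] iv = new byte[IvLen];
                Buffer.BlockCopy(raw, 0, iv, 0, IvLen);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    plain = Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, IvLen, ctLen));
            }
            return true;
        }
        catch (CryptographicException) { plain = null; return false; }
    }

    // Base64 with '-' and '_' in place of '+' and '/', and no '=' padding,
    // so the value passes through Request.QueryString unchanged.
    private static string ToUrlSafe(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromUrlSafe(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        t += new string('=', (4 - t.Length % 4) % 4);   // restore the stripped padding
        return Convert.FromBase64String(t);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo keys; a real site loads fixed keys from protected configuration.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        string token = QueryToken.Protect("29", encKey, macKey);
        Console.WriteLine("http://yoursite.com?cust_id=" + token);
        string value;
        Console.WriteLine(QueryToken.TryUnprotect(token, encKey, macKey, out value) + " " + value);

        // Change one character, as a user editing the URL would
        char[] c = token.ToCharArray();
        c[5] = c[5] == 'A' ? 'B' : 'A';
        Console.WriteLine(QueryToken.TryUnprotect(new string(c), encKey, macKey, out value));
    }
}
```

A valid token can still be captured and re-sent unchanged, as comment #10 below points out, so HTTPS and a server-side check that the logged-in user owns the requested record are still needed.
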
Comments

Comment #1  (Posted by wan on 09/08/2002)


hi..

can you give the full source code in C#??

TQ
 
Comment #2  (Posted by josh manning on 09/09/2002)

I second that. Could you please provide the rest of the C# code?

Thanks.

Josh
 
Comment #3  (Posted by tiberius on 09/09/2002)

I'll work on getting the code converted sometime within the week.
It shouldn't take all that long!

Thanks...

Tiberius
 
Comment #4  (Posted by William on 09/10/2002)

Great article! However, I am unclear where your key (!#$a54?3) came from. Is it generated through another .NET class?
 
Comment #5  (Posted by tiberius on 09/10/2002)

RE: We're going to use a hard-to-crack 8 byte key, !#$a54?3, to keep parts of our QueryString secret.

Actually, I just made the key up. I tried to make it as difficult as a key to crack as I could. You could use an 8 byte key like: abcdefgh or 12345678 but that would be too easy to crack!



 
Comment #6  (Posted by Josh Manning on 09/12/2002)

Sorry to bug you about this but do you know if you'll have a chance to add the c# code this week? Thanks.
 
Comment #7  (Posted by Buck on 09/13/2002)

Can you translate the C# code to VB.NET? I'm having trouble converting it over. Thanks
 
Comment #8  (Posted by Jason on 09/13/2002)

How about everyone that needs to do code conversion go buy the C# to VB.NET code conversion pocket guide published by O'Reilly.

Before that though I would recommend learning C# if you're going to be doing much .NET Development. I'm not a C# guru by any means but I could translate the VB.NET code in this article in my head on the fly.

Jason
 
Comment #9  (Posted by John Mandia on 09/16/2002)

Hi all,

Just tried converting it for those of you who want it. Not too familiar with VB.Net so there are some errors in it that hopefully someone can post the answers to as I have a load of things to do and don't have any spare time to track these down. Might have time over the weekend. These have been commented.

using System;
using System.IO;
using System.Xml;
using System.Text;
using System.Security.Cryptography;

namespace TotalIngenuity.ManipulateData
{
///
/// This class is used for encrypting and decrypting data such as querystrings.
///


public class DataEncryption
{
public DataEncryption()
{
}

private byte [] key = {};
private byte [] IV = {&H12,&H34,&H56,&H78,&H90,&HAB,&HCD,&HEF}; // This throws an error. Don't know how to
// get these values in c# so if anyone can
// help it will be helping everyone out


public string Decrypt(string stringToDecrypt, string sEncryptionKey)
{
byte [] inputByteArray = new byte[stringToDecrypt.Length];

try
{

key = System.Text.Encoding.UTF8.GetBytes(Left(sEncryptionKey, 8)); // Left is VB.NET specific. Would
// Trim achieve the same?
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
inputByteArray = Convert.FromBase64String(stringToDecrypt);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();

System.Text.Encoding encoding; // not too sure if this will work

return encoding.GetString(ms.ToArray());

}
catch(Exception ex)
{
throw ex;
}

}

public string Encrypt(string stringToEncrypt, string SEncryptionKey)
{
try
{
key = System.Text.Encoding.UTF8.GetBytes(Left(SEncryptionKey, 8)); // Left is VB.NET Specific Would
// Trim achieve the same?
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
byte [] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write); // encryptor, not decryptor, when encrypting

cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();

return Convert.ToBase64String(ms.ToArray());

}
catch(Exception ex)
{
throw ex;
}
}

}

}
 
Comment #10  (Posted by Matias Pelenur on 09/19/2002)

Encryption does not equal security. In the example you gave where you pass around a customer_id (a bad idea to start), encrypting it the way you describe with a symmetric key provides almost no improvement. An eavesdropper can still get the query string and re-send it as is, encrypted, and still gain access to the same customer data (since the server-side just decrypts it and gets the same content). You could argue that they wouldn't know it was the customer id that was being passed around (if you encrypt the whole thing), but then that's security by obscurity, and as you point out that doesn't really work in the long term.

It's always best to use sessions, but that can also be eavesdropped. The only really secure way is to use SSL. Otherwise, you could keep track of the user's IP address in the session object. If someone tries to use that session from a different IP, you deny the request.

My 2 cents,
Matias
 
Comment #11  (Posted by tiberius on 09/19/2002)

You make some great points, Matias. HTTPS is the way to go in the long run... unfortunately, some of us can't afford an https certificate. I agree that session variables are nice, but aren't always the way to go - especially if you're working in a web farm environment...

The fact is that if your site is passing around user information, some security is better than no security. HTTPS (SSL) is totally the way to go when point-to-point secure communication is needed - but in the meantime, making it more difficult for the casual 'hacker' to gain access is key.

You've brought up some excellent points.
 
Comment #12  (Posted by Jason on 09/19/2002)

Web Farms are no longer an excuse for not using Session variables. Specify a session server.
 
Comment #13  (Posted by an unknown user on 09/19/2002)

Matias Pelenur
 
Comment #14  (Posted by Joe Feser on 09/19/2002)

Matias Pelenur : Quote
"It's always best to use sessions, but that can also be eavesdropped. The only really secure way is to use SSL. Otherwise, you could keep track of the user's IP address in the session object. If someone tries to use that session from a different IP, you deny the request."

You are aware that every request from AOL comes from a different IP address.

AOL is not the only one, the only time the ip address works is for a local intranet app.

Even users from my own house would not work since all the computers go thru a router, so everyone in the house has the same IP.

This solution would never work.

Joe


 
Comment #15  (Posted by pcbear on 09/20/2002)

can you give the full source code in C#??
 
Comment #16  (Posted by augusten on 09/29/2002)

I've been planning to use the great crypto built in to .NET to encrypt my querystrings for a while now, and lo and behold I find your article. Saves me a lot of time, thanks!

Regarding Matias comments: In the real world, SSL and sessions are a poor solution in many cases because they are costly in terms of performance. I am responsible for an app that tens of thousands need to access simultaneously using as little bandwidth and processing power as possible. Querystrings are the only way to go.

Sure, if you are passing highly sensitive data (i.e. credit card numbers) you use SSL (duh). But the majority of the time, it's name, street address, email address, and the like, data which is semi-public to begin with, but you don't want the public using your website to pull up said data. In these cases it's not the interception of the encrypted querystring that needs to be prevented, but rather the ability to pull up any customer's data by changing a querystring id.

 
Comment #17  (Posted by Turino on 10/02/2002)

I just tried to finalize the C# code from John Mandia, I've tested it and it works...

Thanks to John Mandia...

using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;

public class Encryption64
{
    //private byte[] key = {};
    //private byte[] IV = {10, 20, 30, 40, 50, 60, 70, 80}; // it can be any byte value

    public static string Decrypt(string stringToDecrypt, string sEncryptionKey)
    {
        byte[] key = {};
        byte[] IV = {10, 20, 30, 40, 50, 60, 70, 80};
        byte[] inputByteArray = new byte[stringToDecrypt.Length];

        try
        {
            // DES takes an 8-byte key, so only the first 8 characters are used
            key = Encoding.UTF8.GetBytes(sEncryptionKey.Substring(0, 8));
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            inputByteArray = Convert.FromBase64String(stringToDecrypt);

            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();

            Encoding encoding = Encoding.UTF8;
            return encoding.GetString(ms.ToArray());
        }
        catch (System.Exception ex)
        {
            throw ex;
        }
    }

    public static string Encrypt(string stringToEncrypt, string sEncryptionKey)
    {
        byte[] key = {};
        byte[] IV = {10, 20, 30, 40, 50, 60, 70, 80};
        byte[] inputByteArray; //Convert.ToByte(stringToEncrypt.Length)

        try
        {
            key = Encoding.UTF8.GetBytes(sEncryptionKey.Substring(0, 8));
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();

            return Convert.ToBase64String(ms.ToArray());
        }
        catch (System.Exception ex)
        {
            throw ex;
        }
    }
}


 
Comment #18  (Posted by John Mandia on 10/19/2002)

Thanks for tidying up my code....with all the things going on I forgot to finish the c# code off. Thanks for finishing it.

John
 
Comment #19  (Posted by John Mandia on 10/31/2002)

Just read through this article again and thought wouldn't it make implementation easier if you added the replace functionality with the Decrypt method? This would mean that people using this class would not need to worry about always using replace throughout their site.

just a thought.

What are people's opinions?

John
 
Comment #20  (Posted by Tiberius on 10/31/2002)

John:

Excellent point. Adding the replace in the Decrypt method makes much more sense.

Tiberius
 
Comment #21  (Posted by John Mandia on 10/31/2002)

Hi Tiberius,

Just sent you a mail asking if you would mind me writing a quick article based on this one.

Taken the c# version of the code that I contributed and extended it.

Basically the methods can be overloaded for 1 so that users have the option of either supplying the encryption key or getting it from the Web.config file (as it makes more sense to me....you can change the settings for the entire site from one place) another additional feature is to take into account oddities (Like the fact that the QueryString replaces + with a space) I have added a method to the class an additional parameter to the Decrypt methods so that you can handle the oddities. e.g Decrypt(string stringToDecrypt, int forType)

forType represents what type of code is calling this decryption e.g 0 default 1 Querystring.
forType and stringToDecrypt get sent to a private method that does a switch based on forType. In the case of sending 1 it knows a querystring wants this so it replaces " " with "+" and then sends it back.

This way as more quirks appear you can handle it within your private method and the users of the component don't have to worry about it. And you could also add addition forTypes as they arise (maybe down the road someone says Request.Form does something for example...this could become forType =2).

Now only two things are bugging me, (1) should I make all the methods static and (2) Everything compiles but I am trying to fix an error.

As my intention is to share this code with everyone I was wondering if you would like to have a look and see where I am tripping up.

Thanks,

John
 
Comment #22  (Posted by an unknown user on 11/02/2002)

O.K,

Got the class working now with the features mentioned previously and it's CLS compliant so you can use it from VB.NET or any other .NET language.

I'll be posting the code up soon if anyone is interested.

John
 
Comment #23  (Posted by test on 01/22/2003)

test
 
Comment #24  (Posted by Simon H on 03/20/2003)

Hi John,

Not sure if you still look at this posting any more as it is a little old now! If you are still around did you ever post your new code? Just I would be interested in taking a look.

Cheers

Simon
 
Comment #25  (Posted by Kelly on 06/12/2003)

Hi, I wonder if you've come across this when using the code. I'm using asp.net
Example:
when passing in the URL "....aspx?MemberRef =" 117 or 114 or 260 or 264 where number is encrypted and then calling
txtMemberRef.Text = Sec.Decrypt(MemberRef, ConfigurationSettings.AppSettings("Key"))
It works perfectly..
But when I try to use member ref 262 or 259 I get
"Invalid length for a Base-64 char array." when trying to decrypt.
Any help greatly appreciated!
Thanks

 
Comment #26  (Posted by urfie on 06/27/2003)

I'm a newbie to encryption, so i kinda need some help understanding
this. I am unclear as to how the flow of information goes. is there
anyway i can get an explanation or a diagram?

for example, if the client wants to send some data to the server, that
client needs to encrypt it before sending it. so i'm guessing the server
needs to send the key to the client so that the client will know how
to encrypt?

am i understanding that correctly? is there a danger that someone will
be able to eavesdrop when the server is sending the key, then, when
the client sends the info back, the eavesdropper can use the key to decrypt?




 
Comment #27  (Posted by Suneel on 06/28/2004)

I believe the VB.Net version of this code is at: http://www.eggheadcafe.com/articles/20020315.asp

There is a comment in the code regarding the definition of IV bytes, and the code shows the VB.Net representation of Hexadecimal numbers (&H prefix). This should be changed to 0x in C#.
 
Comment #28  (Posted by parshu on 07/22/2004)

hi Tiberius ,

gr8 article. Solved my problem within minutes. Thanx.
 
Comment #29  (Posted by Senthil Nathan on 10/01/2004)

I am in C#. How to use the c# code for Encrypting Querystrings. I have tried the two methods but i get the error

"The type or namespace ExtractAndSerialize could not be found
The type or namespace oES could not be found"

here, i have used the namespaces
using System.Text;
using System.Security.Cryptography;
using System.IO;
using System.Xml;
anyone help me out....
 
Comment #30  (Posted by angry on 12/27/2004)

Am I a fool? You write an article and don't offer the source code?????????????????
 
Comment #31  (Posted by Petrovsky on 12/27/2004)

Uh, You are a fool. The SC is in the article.

 
Comment #32  (Posted by an unknown user on 01/04/2005)
Rating
code doesn't work like it should. Plus, he left out the c# code, then says it will be posted later, but is never posted (2 years have gone by) all I wanna know is how to replace the stinkin "Plus" signs.
 
Comment #33  (Posted by an unknown user on 01/06/2005)
Rating
outdated code:"Invalid length for a Base-64 char array." when trying to decrypt.
 
Comment #34  (Posted by BG on 01/06/2005)
Rating
When I try to decrypt a GUID Value it gives me an error "Invalid length for a Base-64 char array." I am trying to encrypt and decrypt the following string "A1C1AEB2-3C75-43D9-9F97-46EE1E0038D9". I am using VB.NET code. Any help will be greatly appreciated
 
Comment #35  (Posted by an unknown user on 01/15/2005)
Rating
using System;
using System.IO;
using System.Xml;
using System.Text;
using System.Security.Cryptography;

public class Encryption64
{
    private byte[] key = {};
    private byte[] IV = {18, 52, 86, 120, 144, 171, 205, 239};

    public string Decrypt(string stringToDecrypt, string sEncryptionKey)
    {
        byte[] inputByteArray;
        try {
            // Substring(0, 8) replaces VB's Left(): DES takes an 8-byte key
            key = System.Text.Encoding.UTF8.GetBytes(sEncryptionKey.Substring(0, 8));
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            inputByteArray = Convert.FromBase64String(stringToDecrypt);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            System.Text.Encoding encoding = System.Text.Encoding.UTF8;
            return encoding.GetString(ms.ToArray());
        } catch (Exception e) {
            // On failure the error text is returned in place of the plaintext
            return e.Message;
        }
    }

    public string Encrypt(string stringToEncrypt, string SEncryptionKey)
    {
        try {
            key = System.Text.Encoding.UTF8.GetBytes(SEncryptionKey.Substring(0, 8));
            DESCryptoServiceProvider des = new DESCryptoServiceProvider();
            byte[] inputByteArray = Encoding.UTF8.GetBytes(stringToEncrypt);
            MemoryStream ms = new MemoryStream();
            CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
            cs.Write(inputByteArray, 0, inputByteArray.Length);
            cs.FlushFinalBlock();
            return Convert.ToBase64String(ms.ToArray());
        } catch (Exception e) {
            return e.Message;
        }
    }
}
 
Comment #36  (Posted by Dietmar on 01/20/2005)
Rating
Very helpful article and code. What would I need to change to have it output only alphanumerics in the encrypted string? I need to encrypt a few values after another to be used in a URL and only alphanumerics would be much cleaner. Thanks!
 
Comment #37  (Posted by Michiel Erasmus on 02/15/2005)
Rating
Answer to Comment #25;
I have had the same problem but solved it by using the same encryptionkey. Watch out not to include spaces. I hope this is of some value to you.

Kind regards,
Michiel Erasmus

 
Comment #38  (Posted by an unknown user on 03/23/2005)
Rating
Doesn't work very well, will not work on some values, so whats the point if values are going to be dynamic.


 
Comment #39  (Posted by Paul Talbot on 05/12/2005)
Rating
For all those who are having trouble converting VB.Net to C#, take a look at Reflector by Lutz Roeder.

http://www.aisto.com/roeder/dotnet/

This will help you figure out the VB.Net > C# > Delphi > IL conversions.

Good article btw, I will be making use of this.
 
Comment #40  (Posted by an unknown user on 06/10/2005)
Rating
Good information, but you've failed to be helpful enough to mention where these class(es) exist in the framework
 
Comment #42  (Posted by John on 07/15/2005)
Rating
Does not work when Encrypted value has double forward slashes, because .NET Request automatically takes that as Single Slash, and corresponding Decryption fails.
Please let me know if you fix this bug.
Thanks
 
Comment #43  (Posted by an unknown user on 09/08/2005)
Rating
Thankyou very much Tiberius - really solves ASP DOTNET to old ASP session state issue. Now just need to work out how to go the other way using the same kind of thing
 
Comment #44  (Posted by an unknown user on 09/27/2005)
Rating
Comment (Posted by Ankit )

Excellent article Tiberius - Really thanks for solving my problem.
Can you please write the explanation of each line you coded, So that we can actually understand the magic of your code.
 
Comment #46  (Posted by JH on 10/18/2005)

Am I the only one who's having a headache here !

what is the final working code .. !?
BOTH THE CLASS & APPLICATION (if possible) ...

I can already see that it is a great piece of code ..

 
Comment #47  (Posted by an unknown user on 12/20/2005)
Rating
About those who got the error code "Invalid length for a Base-64 char array".
It (probably) appears when you got a "+" sign in your encoded querystring, which parses as a "space"-character.
To workaround this problem just edit this line in the decrypt-method.
inputByteArray = Convert.FromBase64String( stringToDecrypt ); to
inputByteArray = Convert.FromBase64String( stringToDecrypt.Replace( " ", "+" ) );

Happy programming
 
Comment #48  (Posted by subaei on 02/13/2006)
Rating
Thank you Mr.Tiberius OsBurn
& thank you for the person who wrote comment#47 really thank you.
 
Comment #49  (Posted by an unknown user on 02/14/2006)
Rating
great piece of work,really helpful
 
Comment #50  (Posted by an unknown user on 03/09/2006)
Rating
Thanks, the big trick here was replacing the spaces with a +, I was about to abandon my strategy until I read this article.
 
Comment #51  (Posted by an unknown user on 03/28/2006)
Rating
good
 
Comment #52  (Posted by an unknown user on 04/29/2006)
Rating
i have a problem...
i want to encode the id, let's say
1010101023

but the decrypted id will be 10101010...

anyone know the reason why?

thanks
 
Comment #55  (Posted by an unknown user on 06/06/2006)
Rating
Really good article
 
Comment #56  (Posted by an unknown user on 06/22/2006)
Rating
Thanx for the Comment #47, I've got the solution....
 
Comment #57  (Posted by an unknown user on 08/31/2006)
Rating
Dear George, thanks for showing us this article.. Thanks, Scott
 
Comment #58  (Posted by an unknown user on 11/14/2006)
Rating
Great!
 
Comment #59  (Posted by S Vega on 12/20/2006)
Rating
I agree, thanks a lot for the comment 47, I was receiving the same error "Invalid character length" and with your post solve my problem.

Before reading your post, I was secure to change this way of encrypt my data, thanks a lot one more time..
 
Comment #60  (Posted by Neeraj Aggarwal on 01/17/2007)
Rating
I am getting error 'Invalid length for a Base-64 char array'
when i am decrypting the encrypted string for '5-1' at Convert.FromBase64String(stringToDecrypt)
CAn u help me out?

 
Comment #61  (Posted by an unknown user on 01/17/2007)
Rating
v useful man
found exactly wht i wanted and how i wanted
 
Comment #62  (Posted by dgen on 02/16/2007)
Rating
yep, that was the reason.. the stupid '+' in the base64 string.. thanks guys
 
Comment #63  (Posted by rasika on 03/15/2007)
Rating
This article is very helpful.However we have some problems when the encrypted string contains "=" ,"/" or "//" because my application in DotNetNuke gives error (url not in correct format) .how to get only alphanumeric characters in the encrypted string?.Any help on this is highly appreciated.
 
Comment #64  (Posted by Homer on 04/20/2007)
Rating
Awesome! How can I check a string to see if it's already encoded. For example if I have a encoded password in a file somewhere and the password changes. I would like to be able to manually change the password and have the code encrypt it again the next time it runs. This means the code would have to perform a check each time it runs. What am I looking for to know that it's encoded?
 
Comment #65  (Posted by an unknown user on 08/13/2007)
Rating
Thank a lot Mr.Tiberius OsBurn
 
Comment #66  (Posted by an unknown user on 08/25/2007)
Rating
-5. Because the above author still not given the class path of ExtractAndSerialize. Really do you know there is a class called ExtractAndSerialize? Is it your own class?
 
Comment #67  (Posted by an unknown user on 09/20/2007)
Rating
I am Radhika from Bangalore.
I have done encryption and decryption on a query string which has 5 values passed. On my machine I tested the scenario and it works fine. But when I give the same thing for testing, the first 4 values get decrypted properly, but the 5th value shows this statement: 'Invalid length for a Base-64 char array'. I tried the suggestion in comment 47, but in vain. I urgently need to finish this part within 2 days.
Please help me out.

Radhika.N,
radhika@sonata-software.com,
Bangalore.
 
Comment #68  (Posted by balaji on 10/02/2007)
Rating
Hi, I've tried to encrypt my query string, but it shows the same error: the type or namespace ExtractAndSerialize is not found, are you missing a reference or directive.
I've used the following namespaces: System.Security.Cryptography and System.Text.
Please help me.
Thanks in advance.
 
Comment #69  (Posted by an unknown user on 10/02/2007)
Rating
A C# version would be excellent
 
Comment #70  (Posted by an unknown user on 11/13/2007)
Rating
Great article, I was worried this was going to be too complicated but you've made it really clean and simple.

Thanks Tiberius.

 
Comment #71  (Posted by an unknown user on 01/17/2008)
Rating
Quick, easy way to do something difficult but necessary.
 
Comment #72  (Posted by an unknown user on 01/17/2008)
Rating
Too cool! I used it in a tech support online logging system I wrote in VB.net, and it works great. Thanks, T.
 
Comment #73  (Posted by an unknown user on 02/13/2008)
Rating
Good one.
 
Comment #74  (Posted by an unknown user on 03/10/2008)
Rating
Worked perfectly! Exactly what i was looking for!
 
Comment #75  (Posted by an unknown user on 03/16/2008)
Rating
Great job, let the jealous idiots say. They have been inspired by you and now they see the light. It is actually sufficient to cypher humanly readable information.
 
Comment #76  (Posted by an unknown user on 03/16/2008)
Rating
Great job, let the jealous idiots say. They have been inspired by you and now they see the light. It is actually sufficient to cypher humanly readable information.
 
Comment #77  (Posted by an unknown user on 05/15/2008)
Rating
information simple & sweet thanks
 
Comment #78  (Posted by an unknown user on 06/06/2008)
Rating
It would be nice if the full code is given where the string is being passed to be encrypted and the string is passed to be decrypted. But good article.
 
Comment #79  (Posted by an unknown user on 06/18/2008)
Rating
I've been trying to get something like this to work for hours. I was about to give it up when I came across this. It is amazing. Copy&Paste to a new class, and I called it from my code. 5* from me
YOU ROCK!!!
 
Comment #80  (Posted by an unknown user on 08/06/2008)
Rating
I'm already using this type of encryption in my site, cheers to the author.
 
Comment #81  (Posted by an unknown user on 10/10/2008)
Rating
still no answer to ExtractAndSerialize undefined issue.
 
Comment #82  (Posted by an unknown user on 10/30/2008)
Rating
I love it when people share great tools. This tool is great, but I'm also having the Extract and serialize problem and would appreciate even more a posted solution. I'm new to .Net...
 
Comment #83  (Posted by an unknown user on 10/31/2008)
Rating
fine
 
Comment #84  (Posted by an unknown user on 11/06/2008)
Rating
Good lins on security.
 
Comment #85  (Posted by an unknown user on 12/01/2008)
Rating
trrolv
 
Comment #86  (Posted by an unknown user on 01/06/2009)
Rating
grt
 
Comment #87  (Posted by on 01/08/2009)
Rating

 
Comment #88  (Posted by an unknown user on 01/20/2009)
Rating
Mix of VB and C# generally will require folks to perform a code conversion to make it useful. Otherwise, this was quite excellent!
 
Comment #89  (Posted by an unknown user on 05/12/2009)
Rating
Awesome article. Btw, if there were some explanation of the code, it would be helpful.
 
Comment #90  (Posted by an unknown user on 08/04/2009)
Rating
good
 
Comment #91  (Posted by an unknown user on 08/04/2009)
Rating
good
 
Comment #92  (Posted by an unknown user on 08/12/2009)
Rating
Does anyone know what the extent of numbers it can handle is?
0-10000000???
Or anything else?
Thanks

Siju
 
Comment #93  (Posted by an unknown user on 08/21/2009)
Rating
Thanks a lot :) Wasted 5+ hours to get the correct solution
.sithira.
 
Comment #94  (Posted by an unknown user on 10/26/2009)
Rating
what haping C#
 