Encrypt cookie data with ASP.NET

xiaoxiao2021-03-06  118

Encryption of data in ASP.NET cookies. Author: Meng. Source: [Meng]. Date: May 22, 2003, 5:28:59.

Cookies are a convenience for both visitors and programmers in Web applications, but they are problematic from a security standpoint. First, cookie data travels in the clear in HTTP requests and responses, so a clever person can read it. Second, cookie data is stored as cookie files in the browser's cache directory on the user's computer, and it can include information about web pages, passwords, and other user behavior; anyone who can get at the hard drive can open those files. Figure 1 is the content of a cookie file:

If you have never looked at the cookie files on your machine, you can view them as follows: open IE, select Internet Options in the Tools menu, click the Settings button in the dialog box that appears, then click the "View" button in the Settings dialog box. A window opens showing all cached data on the hard disk, including many cookie files.

So the advice is not to store sensitive user data in cookies, or to protect that data by encrypting it. Earlier versions of ASP had no encryption feature; the .NET architecture now provides many encryption classes in the System.Security.Cryptography namespace.

First, an overview of .NET's cryptography system.

Encryption is the process of transforming an original character (byte) string into a completely different string, so that the original characters cannot be deciphered. The process uses another string (called the "key") and a complex, mixing algorithm to work the key into the original string. Sometimes a string called the "initialization vector" is used to scramble the target string before the key is applied, so that the more obvious patterns in the target string are hidden. The strength of the encryption depends on the size of the key used: the longer the key, the stronger the confidentiality. Typical key lengths are 64 bits, 128 bits, 192 bits, 256 bits, and 512 bits. The only way for an attacker is to write a program that tries every possible key, but even a 64-bit key has 72,057,594,037,927,936 combinations.

There are currently two encryption methods: symmetric encryption (or private key) and asymmetric encryption (or public key). With symmetric encryption, the two parties exchanging data (the encrypting party and the decrypting party) must share a confidential private key. With asymmetric encryption, the decrypting party requests a public key. The encrypting party creates a public key and then a unique private key that goes with it. The encrypting party encrypts with the private key, and the other party decrypts with the public key. SSL, which protects HTTP traffic, uses asymmetric technology.

We use symmetric encryption for cookie data. The .NET Framework derives four algorithm classes from the base SymmetricAlgorithm class:

· System.Security.Cryptography.DES
· System.Security.Cryptography.TripleDES
· System.Security.Cryptography.RC2
· System.Security.Cryptography.Rijndael

This article demonstrates the DES and TripleDES algorithms. The key size of DES is limited to 64 bits, but it is effective for encrypting cookies. TripleDES performs the encryption three times and has a larger key, so it is safer. Choosing an algorithm means considering not only the encryption strength but also the size of the cookie. Encrypted cookie data grows, and the larger the key, the larger the encrypted data, but cookie data is limited to 4KB, which has to be taken into account. Moreover, the more data is encrypted and the more complex the algorithm, the more server resources are consumed, which slows access to the whole site.

Second, create a simple encryption utility class.

In .NET, encryption and decryption are handled by the CryptoStream class, which derives from System.IO.Stream and treats the string as stream-based data for the cryptographic transformation.

The following is the code of a simple encryption utility class:

    Imports System.Diagnostics
    Imports System.Security.Cryptography
    Imports System.Text
    Imports System.IO

    Public Class CryptoUtil

        ' 8 randomly chosen bytes each for the key and the initialization vector
        Private Shared KEY_64() As Byte = {42, 16, 93, 156, 78, 4, 218, 32}
        Private Shared IV_64() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}

        ' For TripleDES, a 24-byte (192-bit) key and initialization vector.
        ' TripleDES works on 64-bit blocks, so the IV it needs is 8 bytes.
        Private Shared KEY_192() As Byte = {42, 16, 93, 156, 78, 4, 218, 32, _
                15, 167, 44, 80, 26, 250, 155, 112, _
                2, 94, 11, 204, 119, 35, 184, 197}
        Private Shared IV_192() As Byte = {55, 103, 246, 79, 36, 99, 167, 3, _
                42, 5, 62, 83, 184, 7, 209, 13, 10, 121, 222}

        ' Standard DES encryption
        Public Shared Function Encrypt(ByVal value As String) As String
            If value <> "" Then
                Dim cryptoProvider As DESCryptoServiceProvider = _
                    New DESCryptoServiceProvider()
                Dim ms As MemoryStream = New MemoryStream()
                Dim cs As CryptoStream = _
                    New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_64, IV_64), _
                        CryptoStreamMode.Write)
                Dim sw As StreamWriter = New StreamWriter(cs)

                sw.Write(value)
                sw.Flush()
                cs.FlushFinalBlock()
                ms.Flush()

                ' Convert the encrypted bytes to a string
                Return Convert.ToBase64String(ms.GetBuffer(), 0, CInt(ms.Length))
            End If
        End Function

        ' Standard DES decryption
        Public Shared Function Decrypt(ByVal value As String) As String
            If value <> "" Then
                Dim cryptoProvider As DESCryptoServiceProvider = _
                    New DESCryptoServiceProvider()

                ' Convert the string back into a byte array
                Dim buffer As Byte() = Convert.FromBase64String(value)
                Dim ms As MemoryStream = New MemoryStream(buffer)
                Dim cs As CryptoStream = _
                    New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_64, IV_64), _
                        CryptoStreamMode.Read)
                Dim sr As StreamReader = New StreamReader(cs)

                Return sr.ReadToEnd()
            End If
        End Function

        ' Triple DES encryption
        Public Shared Function EncryptTripleDES(ByVal value As String) As String
            If value <> "" Then
                Dim cryptoProvider As TripleDESCryptoServiceProvider = _
                    New TripleDESCryptoServiceProvider()
                Dim ms As MemoryStream = New MemoryStream()
                Dim cs As CryptoStream = _
                    New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_192, IV_192), _
                        CryptoStreamMode.Write)
                Dim sw As StreamWriter = New StreamWriter(cs)

                sw.Write(value)
                sw.Flush()
                cs.FlushFinalBlock()
                ms.Flush()

                ' Convert the encrypted bytes to a string
                Return Convert.ToBase64String(ms.GetBuffer(), 0, CInt(ms.Length))
            End If
        End Function

        ' Triple DES decryption
        Public Shared Function DecryptTripleDES(ByVal value As String) As String
            If value <> "" Then
                Dim cryptoProvider As TripleDESCryptoServiceProvider = _
                    New TripleDESCryptoServiceProvider()

                ' Convert the string back into a byte array
                Dim buffer As Byte() = Convert.FromBase64String(value)
                Dim ms As MemoryStream = New MemoryStream(buffer)
                Dim cs As CryptoStream = _
                    New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_192, IV_192), _
                        CryptoStreamMode.Read)
                Dim sr As StreamReader = New StreamReader(cs)

                Return sr.ReadToEnd()
            End If
        End Function

    End Class

Above, byte arrays are initialized as the key and the initialization vector using numeric constants. If you do this in a real application, each value must be between 0 and 255, the range a byte allows.

Third, create a cookie utility class.

Below we create a simple class to set and get cookies.

    Imports System.Web

    Public Class CookieUtil

        ' Set cookie *********************************************************

        ' SetTripleDESEncryptedCookie (key and value only)
        Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
                ByVal value As String)
            key = CryptoUtil.EncryptTripleDES(key)
            value = CryptoUtil.EncryptTripleDES(value)
            SetCookie(key, value)
        End Sub

        ' SetTripleDESEncryptedCookie (overload with an expiration date)
        Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
                ByVal value As String, ByVal expires As Date)
            key = CryptoUtil.EncryptTripleDES(key)
            value = CryptoUtil.EncryptTripleDES(value)
            SetCookie(key, value, expires)
        End Sub

        ' SetEncryptedCookie (key and value only)
        Public Shared Sub SetEncryptedCookie(ByVal key As String, _
                ByVal value As String)
            key = CryptoUtil.Encrypt(key)
            value = CryptoUtil.Encrypt(value)
            SetCookie(key, value)
        End Sub

        ' SetEncryptedCookie (overload with an expiration date)
        Public Shared Sub SetEncryptedCookie(ByVal key As String, _
                ByVal value As String, ByVal expires As Date)
            key = CryptoUtil.Encrypt(key)
            value = CryptoUtil.Encrypt(value)
            SetCookie(key, value, expires)
        End Sub

        ' SetCookie (key and value only)
        Public Shared Sub SetCookie(ByVal key As String, ByVal value As String)
            ' Encoding part
            key = HttpContext.Current.Server.UrlEncode(key)
            value = HttpContext.Current.Server.UrlEncode(value)
            Dim cookie As HttpCookie
            cookie = New HttpCookie(key, value)
            SetCookie(cookie)
        End Sub

        ' SetCookie (overload with an expiration date)
        Public Shared Sub SetCookie(ByVal key As String, _
                ByVal value As String, ByVal expires As Date)
            ' Encoding part
            key = HttpContext.Current.Server.UrlEncode(key)
            value = HttpContext.Current.Server.UrlEncode(value)
            Dim cookie As HttpCookie
            cookie = New HttpCookie(key, value)
            cookie.Expires = expires
            SetCookie(cookie)
        End Sub

        ' SetCookie (HttpCookie only)
        Public Shared Sub SetCookie(ByVal cookie As HttpCookie)
            HttpContext.Current.Response.Cookies.Set(cookie)
        End Sub

        ' Get cookie *********************************************************

        Public Shared Function GetTripleDESEncryptedCookieValue(ByVal key As String) _
                As String
            ' Only encrypt the key here
            key = CryptoUtil.EncryptTripleDES(key)
            ' Get the cookie value
            Dim value As String
            value = GetCookieValue(key)
            ' Decrypt the cookie value
            value = CryptoUtil.DecryptTripleDES(value)
            Return value
        End Function

        Public Shared Function GetEncryptedCookieValue(ByVal key As String) As String
            ' Only encrypt the key here
            key = CryptoUtil.Encrypt(key)
            ' Get the cookie value
            Dim value As String
            value = GetCookieValue(key)
            ' Decrypt the cookie value
            value = CryptoUtil.Decrypt(value)
            Return value
        End Function

        Public Shared Function GetCookie(ByVal key As String) As HttpCookie
            ' Encode the key
            key = HttpContext.Current.Server.UrlEncode(key)
            Return HttpContext.Current.Request.Cookies.Get(key)
        End Function

        Public Shared Function GetCookieValue(ByVal key As String) As String
            Try
                ' Encoding of the key is done in GetCookie
                ' Get the cookie value
                Dim value As String
                value = GetCookie(key).Value
                ' Decode the stored value
                value = HttpContext.Current.Server.UrlDecode(value)
                Return value
            Catch
            End Try
        End Function

    End Class

Some of the set functions above take an additional parameter for the cookie's expiration date. If this parameter is not set, the cookie is kept only in memory for the browser session. To set a persistent cookie, you need to supply the expiration parameter. We URL-encode and decode the cookie key and value above because cookies have restrictions of their own: the characters "=" and ";" are reserved and cannot be used.
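The CryptoUtil class above encrypts with a key and IV compiled into the code, so equal values always produce equal cookies, and nothing detects a cookie that was modified in the browser. The following added example, which is not part of the original article, protects a cookie value with AES (the standardized Rijndael), a fresh random IV per value, and an HMAC-SHA256 tag that is verified before decryption. The class name ProtectedCookie, its method names, and the two caller-supplied 32-byte keys are assumptions of this example.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text
' Added example (hypothetical class, not the article's code).
' Cookie value = Base64( IV(16) || AES-CBC ciphertext || HMAC-SHA256 tag(32) ).
' Assumption: encKey and macKey are independent 32-byte secrets kept out of the source.
Public Class ProtectedCookie
    Private Const IvLen As Integer = 16
    Private Const TagLen As Integer = 32
    Public Shared Function Protect(ByVal value As String, _
            ByVal encKey As Byte(), ByVal macKey As Byte()) As String
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(macKey)
            cipher.Key = encKey
            cipher.GenerateIV()                      ' fresh random IV for every value
            Dim plain As Byte() = Encoding.UTF8.GetBytes(value)
            Dim ct As Byte() = cipher.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length)
            Dim raw(IvLen + ct.Length + TagLen - 1) As Byte
            Buffer.BlockCopy(cipher.IV, 0, raw, 0, IvLen)
            Buffer.BlockCopy(ct, 0, raw, IvLen, ct.Length)
            Dim tag As Byte() = mac.ComputeHash(raw, 0, IvLen + ct.Length) ' encrypt-then-MAC
            Buffer.BlockCopy(tag, 0, raw, IvLen + ct.Length, TagLen)
            Return Convert.ToBase64String(raw)
        End Using
    End Function
    ' Returns Nothing for a malformed cookie or one whose tag does not verify.
    Public Shared Function Unprotect(ByVal cookie As String, _
            ByVal encKey As Byte(), ByVal macKey As Byte()) As String
        Dim raw As Byte()
        Try
            raw = Convert.FromBase64String(If(cookie, ""))
        Catch ex As FormatException
            Return Nothing
        End Try
        If raw.Length < IvLen + 16 + TagLen Then Return Nothing
        Dim bodyLen As Integer = raw.Length - TagLen
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(macKey)
            Dim expected As Byte() = mac.ComputeHash(raw, 0, bodyLen)
            Dim diff As Integer = 0                  ' compare all bytes, no early exit
            For i As Integer = 0 To TagLen - 1
                diff = diff Or (expected(i) Xor raw(bodyLen + i))
            Next
            If diff <> 0 Then Return Nothing         ' reject before decrypting anything
            Dim iv(IvLen - 1) As Byte
            Buffer.BlockCopy(raw, 0, iv, 0, IvLen)
            Dim dec As ICryptoTransform = cipher.CreateDecryptor(encKey, iv)
            Return Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, IvLen, bodyLen - IvLen))
        End Using
    End Function
End Class
```

The Base64 result can contain "=" and "+", so it still has to go through the URL encoding that SetCookie applies. Only values are protected this way: with a random IV the encrypted form of a cookie name changes on every call, so it cannot be used to look the cookie up.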
