Recently I had a situation to use encryption in query string in SharePoint2010
SharePoint does not have any default option for this feature.
Basically encrypting query string is a good and recommended practice for all web development. Its only give high security to the application.
In my scenario I have often used query strings to carry information around # of pages in my site. If the query string is readable, then its easy to memories and possible to play around that. That can be used by hackers to do identity theft or other unpleasant things.
Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.
In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information.
In my project I had a situation to pass an application ID as querystring,
Look the above snapshot, where there query string is readable (JobAidID=24). So anybody can easily memories and possible to misuse this. So I need to encrypt the query string for safe and to avoid the misuse.
where i have gone with .net Security.Cryptography for this encryption. I have created a class called EncryptionEngine and designed two methods (1.Encrypt 2.Decrypt)
I used tripleDEScryptographic service provider with ECB (Electronic Code Book).
ECB:
The ECB mode encrypts each block individually. This means that any block of the plain text that are identical and in the same message or even in a different message but encrypted with the same key, will be transformed into identical cipher text blocks. If the plain text to be encrypted contains substantial repetition, it is feasible for the cipher text to be broken one block at a time. Also it is possible for an active adversary to substitute and exchange individual blocks without detection. If a single bit of the cipher text block is mangled, the entire corresponding plain text block will be mangled.
Well, as you can see, the decryption method is just kind of opposite of the encryption. I talked about the Cipher Mode ECB in the encrypt section. Now let's talk about the padding mode PKCS7. Padding comes when a message data block is shorter than full number of bytes needed for a cryptographic operation. Why did we choose PCKS7. This is because PCKS#7 padding string consists of a sequence of bytes, each of which equal the total number of padding bytes added.
Upto this its look like a .Net application encryption, now i am going to refer this in my SharePoint2010 development.
I completed this encryption class and make a dll to make use the encryption for future projects.
In my previous post i have discussed how to refer external dll in sharepoint2010 webpart. Just go through it from
http://sharepointwings.blogspot.in/2012/04/use-external-dll-in-sharepoint2010.html
After adding the external dll(Encryption dll) in my application i refer the Encrypt method from my application as follows
where i have passed two parameters, first one is the querystring value and second one is for define whether wanna use hashing or not
In the other hand of the page i have to handle the decrpt code to make use of the query string values, for this i refer the Decrypt method from my application as follows.
In this i have used string array to get the values out of the query string. you can also use your own methodology for this.
Thats it, we have encrypted query string in SharePoint 2010 webpart. Now the encrypted string looks like
Cool................
It works now.
SharePoint does not have any default option for this feature.
Basically encrypting query string is a good and recommended practice for all web development. Its only give high security to the application.
In my scenario I have often used query strings to carry information around # of pages in my site. If the query string is readable, then its easy to memories and possible to play around that. That can be used by hackers to do identity theft or other unpleasant things.
Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.
In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information.
In my project I had a situation to pass an application ID as querystring,
Look the above snapshot, where there query string is readable (JobAidID=24). So anybody can easily memories and possible to misuse this. So I need to encrypt the query string for safe and to avoid the misuse.
where i have gone with .net Security.Cryptography for this encryption. I have created a class called EncryptionEngine and designed two methods (1.Encrypt 2.Decrypt)
ECB:
The ECB mode encrypts each block individually. This means that any block of the plain text that are identical and in the same message or even in a different message but encrypted with the same key, will be transformed into identical cipher text blocks. If the plain text to be encrypted contains substantial repetition, it is feasible for the cipher text to be broken one block at a time. Also it is possible for an active adversary to substitute and exchange individual blocks without detection. If a single bit of the cipher text block is mangled, the entire corresponding plain text block will be mangled.
Upto this its look like a .Net application encryption, now i am going to refer this in my SharePoint2010 development.
I completed this encryption class and make a dll to make use the encryption for future projects.
In my previous post i have discussed how to refer external dll in sharepoint2010 webpart. Just go through it from
http://sharepointwings.blogspot.in/2012/04/use-external-dll-in-sharepoint2010.html
After adding the external dll(Encryption dll) in my application i refer the Encrypt method from my application as follows
In the other hand of the page i have to handle the decrpt code to make use of the query string values, for this i refer the Decrypt method from my application as follows.
In this i have used string array to get the values out of the query string. you can also use your own methodology for this.
Thats it, we have encrypted query string in SharePoint 2010 webpart. Now the encrypted string looks like
Cool................
It works now.