Use DPAPI technology to encrypt the address bar strings in the browser

Source: Internet
Author: User

Preface:
DPAPI is particularly useful because it eliminates the key management problem faced by applications that use cryptography. Although encryption keeps the data secure, you must take additional steps to keep the key secure. DPAPI derives the encryption key from the password of the user account associated with the code that calls the DPAPI functions. Keys are therefore managed by the operating system rather than by the application.
DPAPI can be used with either the machine store or the user store (which requires a loaded user profile). DPAPI uses the user store by default, but you can pass the CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions to specify the machine store.
The user profile provides an additional layer of security because it limits which users can access the confidential content: only the user who encrypted the data can decrypt it. However, when an ASP.NET web application uses DPAPI, the user profile requires additional development work, because you must take explicit steps to load and unload it (ASP.NET does not load user profiles automatically).
The machine store is easier to develop against because it does not require managing user profiles. However, unless an additional entropy parameter is used, it is not secure, because any user on the computer can decrypt the data. (Entropy is a random value designed to make decrypting the confidential content more difficult.) The problem with the additional entropy parameter is that the application must store it securely, which brings back another key management problem.
Note:
If you use DPAPI with the machine store, the encrypted string is specific to a given computer, so you must generate the encrypted data on each computer. Do not copy encrypted data from one computer to another in a farm or cluster.
If you use DPAPI with the user store, you can use a roaming user profile to decrypt the data on any computer.
DPAPI is available only on Windows 2000 and later; the Win9x series does not need to be considered.
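
The effect of the store and of the entropy parameter described above can be observed directly. The console program below is an added example, not code from the original article; it assumes Windows, a reference to System.Security.dll, and a constructed sample string.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: shows how the DPAPI store and the optional entropy value
// decide which callers can decrypt a blob.
public static class DpapiScopeDemo
{
    // Returns the plaintext, or null when DPAPI refuses to decrypt the blob.
    public static string TryUnprotect(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        try
        {
            return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, entropy, scope));
        }
        catch (CryptographicException)
        {
            return null; // wrong entropy, wrong user or computer, or a modified blob
        }
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("MyData=42&MyDataTwo=abc"); // constructed sample
        DataProtectionScope machine = DataProtectionScope.LocalMachine;

        // Machine store, no entropy: any account on this computer can decrypt.
        byte[] machineBlob = ProtectedData.Protect(secret, null, machine);
        Console.WriteLine("machine store:  " + TryUnprotect(machineBlob, null, machine));

        // Machine store plus entropy: the caller must present the same entropy bytes,
        // so the application now has to keep those bytes somewhere safe.
        byte[] entropy = new byte[16];
        RandomNumberGenerator.Create().GetBytes(entropy);
        byte[] entropyBlob = ProtectedData.Protect(secret, entropy, machine);
        Console.WriteLine("right entropy:  " + TryUnprotect(entropyBlob, entropy, machine));
        Console.WriteLine("no entropy:     " + (TryUnprotect(entropyBlob, null, machine) ?? "<refused>"));

        // User store: only the account that encrypted the data can decrypt it,
        // and that account's profile must be loaded.
        byte[] userBlob = ProtectedData.Protect(secret, null, DataProtectionScope.CurrentUser);
        Console.WriteLine("user store:     " + TryUnprotect(userBlob, null, DataProtectionScope.CurrentUser));

        // DPAPI blobs are integrity-protected: changing one bit makes Unprotect fail.
        machineBlob[machineBlob.Length - 1] ^= 0x01;
        Console.WriteLine("modified blob:  " + (TryUnprotect(machineBlob, null, machine) ?? "<refused>"));
    }
}
```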
________________________________________
The following example uses DPAPI to encrypt query strings.
Step 1: Add a reference to the System.Security.dll assembly to the site.
Step 2: Create the classes. Here the data is encrypted with DPAPI and the result is encoded as a hexadecimal string.
HexEncoding.cs

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Text;
using System.Security.Cryptography;

/// <summary>
/// Converts between byte arrays and hexadecimal strings.
/// </summary>
public class HexEncoding
{
    public HexEncoding()
    {
        //
        // TODO: add the constructor logic here
        //
    }

    /// <summary>
    /// Converts a byte array into a hexadecimal string.
    /// </summary>
    /// <param name="data">The bytes to encode.</param>
    /// <returns>Two uppercase hexadecimal digits per byte.</returns>
    public static string GetString(byte[] data)
    {
        StringBuilder Results = new StringBuilder();
        foreach (byte b in data)
        {
            Results.Append(b.ToString("X2"));
        }
        return Results.ToString();
    }

    /// <summary>
    /// Converts a hexadecimal string into a byte array.
    /// Throws FormatException or ArgumentOutOfRangeException on malformed input.
    /// </summary>
    /// <param name="data">A string with two hexadecimal digits per byte.</param>
    /// <returns>The decoded bytes.</returns>
    public static byte[] GetBytes(string data)
    {
        byte[] Results = new byte[data.Length / 2];
        for (int i = 0; i < data.Length; i += 2)
        {
            Results[i / 2] = Convert.ToByte(data.Substring(i, 2), 16);
        }
        return Results;
    }
}
 
EncryptedQueryString.cs

using System;
using System.Text;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Security.Cryptography;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public class EncryptedQueryString :
    System.Collections.Specialized.StringDictionary
{
    public EncryptedQueryString()
    {
        // TODO: add the constructor logic here
    }

    /// <summary>
    /// Decrypts a hexadecimal-encoded DPAPI blob and loads its key/value pairs.
    /// </summary>
    /// <param name="encryptedData">A value produced by ToString().</param>
    public EncryptedQueryString(string encryptedData)
    {
        byte[] RawData = HexEncoding.GetBytes(encryptedData);
        // Unprotect throws CryptographicException if DPAPI rejects the data.
        byte[] ClearRawData = ProtectedData.Unprotect(
            RawData, null, DataProtectionScope.LocalMachine);
        string StringData = Encoding.UTF8.GetString(ClearRawData);
        int Index;
        string[] SplittedData = StringData.Split(new char[] { '&' });
        foreach (string SingleData in SplittedData)
        {
            Index = SingleData.IndexOf('=');
            if (Index < 0)
                continue; // skip fragments that contain no '='
            base.Add(
                HttpUtility.UrlDecode(SingleData.Substring(0, Index)),
                HttpUtility.UrlDecode(SingleData.Substring(Index + 1))
            );
        }
    }

    /// <summary>
    /// Serializes the key/value pairs, encrypts them with DPAPI (machine store)
    /// and returns the result as a hexadecimal string.
    /// </summary>
    /// <returns>The encrypted, hexadecimal-encoded query string.</returns>
    public override string ToString()
    {
        StringBuilder Content = new StringBuilder();
        foreach (string key in base.Keys)
        {
            Content.Append(HttpUtility.UrlEncode(key));
            Content.Append("=");
            Content.Append(HttpUtility.UrlEncode(base[key]));
            Content.Append("&");
        }
        if (Content.Length > 0)
            Content.Remove(Content.Length - 1, 1); // drop the trailing '&'
        byte[] EncryptedData = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(Content.ToString()),
            null, DataProtectionScope.LocalMachine);
        return HexEncoding.GetString(EncryptedData);
    }
}
 
Step 3: Use the classes to encrypt query strings in the application.
First, create the sending page Send.aspx. The code is as follows:
 
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Send.aspx.cs" Inherits="Send" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>sending page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Label ID="Label1" runat="server" Text="MyData:" Width="85px"></asp:Label>
        <asp:TextBox ID="MyData" runat="server"></asp:TextBox><br/>
        <asp:Label ID="Label2" runat="server" Text="MyDataTwo:" Width="85px"></asp:Label>
        <asp:TextBox ID="MyDataTwo" runat="server"></asp:TextBox><br/>
        <asp:Button ID="SendCommand" runat="server" OnClick="MyData_Click" Text="Send Info"/></div>
    </form>
</body>
</html>
 
Send.aspx.cs

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class Send : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void MyData_Click(object sender, EventArgs e)
    {
        string strMyData = this.MyData.Text;
        string strMyDataTwo = this.MyDataTwo.Text;
        EncryptedQueryString QueryString = new EncryptedQueryString();
        QueryString.Add("MyData", strMyData);
        QueryString.Add("MyDataTwo", strMyDataTwo);
        Response.Redirect("Receive.aspx?Data=" + QueryString.ToString());
    }
}
 
Next, create the receiving page Receive.aspx:
 
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Receive.aspx.cs" Inherits="Receive" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>receiving page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Literal ID="litFlag" runat="server"></asp:Literal></div>
    </form>
</body>
</html>
 
Receive.aspx.cs

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class Receive : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            EncryptedQueryString QueryString = new EncryptedQueryString(Request.QueryString["Data"]);
            // The indexer returns null when a key is absent.
            string strMyData = QueryString["MyData"] ?? "";
            string strMyDataTwo = QueryString["MyDataTwo"] ?? "";
            // HTML-encode before output: the decrypted values originate from user input.
            this.litFlag.Text = "MyData:" + HttpUtility.HtmlEncode(strMyData)
                + "---- >>> MyDataTwo:" + HttpUtility.HtmlEncode(strMyDataTwo);
        }
    }
}
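
The Data parameter arrives from the browser, so the receiving page should treat it as untrusted: the EncryptedQueryString constructor above throws on non-hexadecimal input and on any blob that DPAPI rejects. The helper below is an added example, not part of the original article; the class name EncryptedQueryStringReader, the TryRead method and the 4096-character limit are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example (hypothetical helper, not one of the article's classes).
public static class EncryptedQueryStringReader
{
    private const int MaxHexLength = 4096; // assumed upper bound for the token

    // Returns false instead of throwing when the token is missing, malformed,
    // modified, or was encrypted on another computer.
    public static bool TryRead(string hex, out StringDictionary values)
    {
        values = new StringDictionary();
        if (string.IsNullOrEmpty(hex) || hex.Length > MaxHexLength || hex.Length % 2 != 0)
            return false;

        // Strict hexadecimal decoding: reject anything that is not 0-9, a-f, A-F.
        byte[] raw = new byte[hex.Length / 2];
        for (int i = 0; i < raw.Length; i++)
        {
            char hi = hex[2 * i], lo = hex[2 * i + 1];
            if (!Uri.IsHexDigit(hi) || !Uri.IsHexDigit(lo))
                return false;
            raw[i] = (byte)(Uri.FromHex(hi) * 16 + Uri.FromHex(lo));
        }

        byte[] clear;
        try
        {
            clear = ProtectedData.Unprotect(raw, null, DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException)
        {
            return false; // DPAPI rejected the blob
        }

        foreach (string pair in Encoding.UTF8.GetString(clear).Split('&'))
        {
            int index = pair.IndexOf('=');
            if (index <= 0)
                continue; // skip fragments without a key
            // The indexer overwrites duplicates, whereas Add would throw on them.
            values[HttpUtility.UrlDecode(pair.Substring(0, index))] =
                HttpUtility.UrlDecode(pair.Substring(index + 1));
        }
        return true;
    }
}
```

In Page_Load, call TryRead(Request.QueryString["Data"], out values) and answer with HTTP status 400 when it returns false, so that a malformed token does not surface as an unhandled exception page.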
 
 
________________________________________
As shown in the following figure: (check the changes in the address bar of the browser. Because the browser is lazy, it is only tested locally.)


[Screenshots not preserved: sending page ------>>>> receiving page]



 

 

From Ai Zhi Chen
