.Net Dojo: Data Encryption
Encryption is a vital part of any web application. It is important that all variables, both in cookies and in the query string, are encrypted for protection. By exposing your variables, as in http://www.mysite.com/?x=10000, you leave them open to people experimenting with different Ids. While your code should make sure that anyone requesting content with the specified Id is allowed to see it, it is good practice to encrypt all your values so that no one can guess their way through your website.
Also, if you do not encrypt a cookie, you leave its contents open to anyone who can use an XSS attack to pull the cookie across domains. Leaving the cookie readable just gives hackers another back door into your site. To be fair, if a hacker was able to steal a cookie set on your domain, they would be able to set the same cookie for themselves. While encryption can’t stop an attacker from mimicking a user via their cookie, it can hinder them from learning what information you are storing.
In current cryptography there are 3 major algorithms in use. The first is the Data Encryption Standard (DES); in .NET, DES uses 64-bit encryption. The next step up is Triple DES, which uses 3 separate DES keys to provide 128-bit encryption. The most secure algorithm, and the current standard used by the Department of Defense, is AES, or Rijndael; in .NET, Rijndael provides 256-bit encryption.
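As an added example (not code from the original post), here is one way to protect the Id from the URL above in .NET: AES-256 (Rijndael) in CBC mode with a random IV, plus an HMAC-SHA256 tag so that a token someone has altered is rejected rather than decrypted. The QueryToken class, its method names and the start-up-generated keys are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original post's code). Token layout:
// IV (16) || AES-256-CBC ciphertext || HMAC-SHA256 tag over IV+ciphertext.
public static class QueryToken
{
    // Constructed keys generated at start-up; a real site loads them from protected configuration.
    static readonly byte[] EncKey = new byte[32], MacKey = new byte[32];
    static QueryToken() { using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(EncKey); rng.GetBytes(MacKey); } }

    // Returns base64; URL-encode it before placing it in a query string.
    public static string Protect(string value)
    {
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(MacKey))
        {
            aes.Key = EncKey;          // 32-byte key selects AES-256 (CBC + PKCS7 by default)
            aes.GenerateIV();          // fresh random IV for every value
            byte[] plain = Encoding.UTF8.GetBytes(value), cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            var token = new byte[16 + cipher.Length + 32];
            Buffer.BlockCopy(aes.IV, 0, token, 0, 16);
            Buffer.BlockCopy(cipher, 0, token, 16, cipher.Length);
            byte[] tag = mac.ComputeHash(token, 0, 16 + cipher.Length);
            Buffer.BlockCopy(tag, 0, token, 16 + cipher.Length, 32);
            return Convert.ToBase64String(token);
        }
    }

    // Returns null for any token that was altered, truncated or forged.
    public static string Unprotect(string token)
    {
        byte[] bytes;
        try { bytes = Convert.FromBase64String(token); } catch (FormatException) { return null; }
        if (bytes.Length < 16 + 16 + 32) return null;   // IV + at least one block + tag
        int bodyLen = bytes.Length - 32, diff = 0;
        byte[] expected;
        using (var mac = new HMACSHA256(MacKey)) expected = mac.ComputeHash(bytes, 0, bodyLen);
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ bytes[bodyLen + i];   // fixed-time compare
        if (diff != 0) return null;   // check the MAC first; never decrypt unverified data
        var iv = new byte[16];
        Buffer.BlockCopy(bytes, 0, iv, 0, 16);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(EncKey, iv))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(bytes, 16, bodyLen - 16));
    }
}
```

Because the keys here are regenerated on every process start, tokens only remain valid for the life of that process; storing the two keys in protected configuration removes that limitation.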