Encrypt at client side and decrypt at server
There are situations where a value typed into a browser (a thin client reachable from the Internet) has to be encrypted without keeping any encryption logic or key on the client, and then decrypted by server-side code that does not run under SSL. What follows is one way to do that with JavaScript and the XMLHTTP ActiveX object (the Mozilla family has the equivalent XMLHttpRequest, which the function below prefers when it is available).
First we write a JavaScript function that makes a synchronous POST to a page (Reform.aspx) that holds the encryption logic and returns the encrypted value to the client. That one page must be served over SSL. The function thus encrypts individual parameters on demand without putting the whole page on SSL, which would add the encryption overhead for all form data, including the hefty ViewState (unless that is kept in Session by overriding Page.SavePageStateToPersistenceMedium).
//######## JavaScript for calling the ASPX page and encrypting ###########
// Posts the value to Reform.aspx with a synchronous XMLHttpRequest and
// returns the Base64 ciphertext the page writes back (null on failure).
// Reform.aspx must be served over SSL. From a page loaded over plain HTTP a
// relative URL resolves to http://, so give an absolute https:// URL there;
// the browser then treats it as another origin and its same-origin policy
// applies to the request.
function changeParam(str)
{
    var request = null; // "var" keeps it out of the global scope
    // encodeURIComponent, not escape(): escape() leaves '+' unencoded, which
    // the server decodes as a space, and it mangles non-ASCII text.
    var body = "dataToReform=" + encodeURIComponent(str);
    if (window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        request = new ActiveXObject("Microsoft.XMLHTTP"); // old Internet Explorer
    }
    if (request)
    {
        request.open("POST", "Reform.aspx", false); // false = synchronous
        request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        // Content-Length is set by the browser; scripts are not allowed to set it.
        request.send(body);
        if (request.status === 200) {
            return request.responseText;
        }
    }
    return null;
}
The function above is called with the string to be encrypted and returns the ciphertext. Now let's look at the server page that holds the encryption and decryption logic. The cipher and mode are the developer's choice (a standard cipher in a standard mode, not a home-grown algorithm); the code below uses Rijndael (AES) in CBC mode with a key derived from a password.
//######## C# class that defines encrypting/decrypting ###########
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

namespace YourNamespace
{
    // Code-behind for Reform.aspx: takes the POSTed "dataToReform" value,
    // encrypts it and writes the Base64 ciphertext back as the whole response.
    public class Reform : Page
    {
        // AutoEventWireup binds Page_Load by name; it is not virtual, so it
        // cannot be declared "override" (that does not compile).
        protected void Page_Load(object sender, EventArgs e)
        {
            string data = Request.Form["dataToReform"]; // Form, not Request[...]: a query string cannot supply it
            if (data == null)
            {
                Response.StatusCode = 400; // nothing to encrypt
                Response.End();
                return;
            }
            Response.ContentType = "text/plain";
            Response.Write(Encrypt(data));
            Response.End();
        }

        // Key material and IV are fixed constants compiled into the assembly,
        // as in the original. Every message therefore uses the same key and
        // IV (equal plaintexts give equal ciphertexts) and nothing
        // authenticates the ciphertext.
        private const string Password = "p455W0~d*(*)"; // password for the key derivation
        private const string Salt = "5uM1+4m4~";        // "flavor" (salt) for the key derivation
        private const string Iv = "@1B2c3D4e5F6g7H8";   // 16 ASCII bytes = one Rijndael block
        private const int KeySizeBits = 192;

        // Derives the 192-bit key. PasswordDeriveBytes is PBKDF1 with a
        // non-standard extension for outputs over 20 bytes and is obsolete;
        // it is kept here because it is what the original uses.
        private static byte[] DeriveKey()
        {
            PasswordDeriveBytes pwdItem =
                new PasswordDeriveBytes(Password, Encoding.ASCII.GetBytes(Salt), "SHA1", 5);
            return pwdItem.GetBytes(KeySizeBits / 8);
        }

        public static string Encrypt(string source)
        {
            byte[] initializer = Encoding.ASCII.GetBytes(Iv);
            byte[] bytKeys = DeriveKey();
            byte[] bytStr = Encoding.UTF8.GetBytes(source);
            using (RijndaelManaged rmEncryption = new RijndaelManaged())
            {
                rmEncryption.Mode = CipherMode.CBC; // cipher block chaining, PKCS7 padding by default
                using (ICryptoTransform encryptor = rmEncryption.CreateEncryptor(bytKeys, initializer))
                using (MemoryStream stream = new MemoryStream())
                {
                    using (CryptoStream cryptoStream = new CryptoStream(stream, encryptor, CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(bytStr, 0, bytStr.Length);
                        cryptoStream.FlushFinalBlock(); // writes the final padded block
                    }
                    return Convert.ToBase64String(stream.ToArray());
                }
            }
        }

        public static string Decrypt(string ciphered)
        {
            if (ciphered == null)
            {
                return null;
            }
            byte[] initializer = Encoding.ASCII.GetBytes(Iv);
            byte[] bytKeys = DeriveKey();
            byte[] bytStr;
            try
            {
                // A '+' in the Base64 text arrives as ' ' when the caller did not
                // URL-encode the ciphertext; undo that before decoding.
                bytStr = Convert.FromBase64String(ciphered.Replace(" ", "+"));
            }
            catch (FormatException ex)
            {
                System.Diagnostics.Debug.WriteLine(ex.Message);
                return null; // the original carried on with a null array and threw
            }
            using (RijndaelManaged rmEncryption = new RijndaelManaged())
            {
                rmEncryption.Mode = CipherMode.CBC; // cipher block chaining
                using (ICryptoTransform decryptor = rmEncryption.CreateDecryptor(bytKeys, initializer))
                using (MemoryStream stream = new MemoryStream(bytStr))
                using (CryptoStream cryptoStream = new CryptoStream(stream, decryptor, CryptoStreamMode.Read))
                using (MemoryStream plain = new MemoryStream())
                {
                    // Read to the end rather than a single Read(), which may
                    // return fewer bytes than the whole plaintext. A wrong key
                    // or an altered ciphertext usually surfaces here as a
                    // CryptographicException from the padding check.
                    cryptoStream.CopyTo(plain);
                    return Encoding.UTF8.GetString(plain.ToArray());
                }
            }
        }
    }
}
On the receiving page, where the value produced by changeParam(str) is posted as an ordinary form field, decrypt it with a static call to Reform.Decrypt(string). URL-encode the ciphertext when posting it; otherwise the '+' characters of Base64 arrive as spaces (the Replace(" ", "+") in Decrypt is a patch for exactly that). Decrypt returns null for input that is not Base64 and usually throws a CryptographicException for input encrypted under another key or altered in transit (the CBC padding check fails); handle both the same way and do not report the difference to the client, since distinguishable errors turn CBC with PKCS7 padding into a padding oracle.
What this buys, and what it does not: the field is unreadable on the plain-HTTP leg, which is the goal of the post. It is not protected against tampering or substitution. Nothing authenticates the ciphertext, Reform.aspx encrypts whatever it is sent, and the key and IV never change, so anyone can obtain a valid ciphertext for a value of their choosing and submit or replay it. For values the server must trust (prices, identifiers, flags) add a MAC over the ciphertext or use an authenticated mode, and keep the key out of source code.
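As an added example (not the post's own code), here is the same Encrypt/Decrypt surface as Reform built to resist tampering, which goes beyond the scheme above: each message gets a fresh random IV, the key and MAC key come from PBKDF2 rather than PasswordDeriveBytes, and an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC) is checked in constant time before anything is decrypted. It assumes .NET Framework 4.7.2 or later, or .NET Core 2.0 or later, for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName; the AuthenticatedReform class name, the placeholder password and salt, and the Demonstrate method are mine, not from the post. Decrypt returns null for anything that fails the length or tag check, and Demonstrate shows a single flipped ciphertext bit being rejected.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post. Same Encrypt/Decrypt surface
// as Reform, but with a fresh random IV per message and an HMAC-SHA256 tag over
// IV||ciphertext (encrypt-then-MAC), so a substituted or bit-flipped ciphertext
// is rejected before any decryption happens. Assumed: .NET Framework 4.7.2+ or
// .NET Core 2.0+. Password and Salt are placeholders; real code loads them from
// configuration or a key store, never from source.
public static class AuthenticatedReform
{
    private const string Password = "placeholder-move-to-config";                        // placeholder
    private static readonly byte[] Salt = Encoding.ASCII.GetBytes("placeholder-salt");   // placeholder
    private const int Iterations = 100000; // PBKDF2 work factor
    private const int KeyBytes = 32;       // AES-256 key, and HMAC key
    private const int IvBytes = 16;        // one AES block
    private const int TagBytes = 32;       // HMAC-SHA256 output

    // One PBKDF2 run gives 64 bytes: the first 32 encrypt, the next 32 authenticate.
    private static void DeriveKeys(out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(Password, Salt, Iterations, HashAlgorithmName.SHA256))
        {
            encKey = kdf.GetBytes(KeyBytes);
            macKey = kdf.GetBytes(KeyBytes);
        }
    }

    // Output (Base64): IV (16) || AES-CBC ciphertext (n*16) || tag (32).
    public static string Encrypt(string source)
    {
        if (source == null) throw new ArgumentNullException("source");
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        byte[] plaintext = Encoding.UTF8.GetBytes(source);
        byte[] output;
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;       // PKCS7 padding is the default
            aes.GenerateIV();                // fresh random IV: equal plaintexts no longer give equal ciphertexts
            byte[] body;
            using (ICryptoTransform enc = aes.CreateEncryptor(encKey, aes.IV))
                body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            output = new byte[IvBytes + body.Length + TagBytes];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvBytes);
            Buffer.BlockCopy(body, 0, output, IvBytes, body.Length);
        }
        byte[] tag;
        using (var hmac = new HMACSHA256(macKey))
            tag = hmac.ComputeHash(output, 0, output.Length - TagBytes); // covers the IV as well
        Buffer.BlockCopy(tag, 0, output, output.Length - TagBytes, TagBytes);
        return Convert.ToBase64String(output);
    }

    // Returns null for anything malformed or failing the tag check: one uniform
    // failure for the caller, never a padding error versus a MAC error.
    public static string Decrypt(string ciphered)
    {
        if (ciphered == null) return null;
        byte[] input;
        try { input = Convert.FromBase64String(ciphered); }
        catch (FormatException) { return null; }
        int bodyLen = input.Length - IvBytes - TagBytes;
        if (bodyLen < 16 || bodyLen % 16 != 0) return null; // need IV + at least one block + tag
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(input, 0, IvBytes + bodyLen);
        if (!FixedTimeEquals(expected, input, IvBytes + bodyLen)) return null;
        byte[] iv = new byte[IvBytes];
        Buffer.BlockCopy(input, 0, iv, 0, IvBytes);
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            using (ICryptoTransform dec = aes.CreateDecryptor(encKey, iv))
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(input, IvBytes, bodyLen));
        }
    }

    // Compares tag with input[offset..] in time that does not depend on where they differ.
    private static bool FixedTimeEquals(byte[] tag, byte[] input, int offset)
    {
        if (input.Length - offset != tag.Length) return false;
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= tag[i] ^ input[offset + i];
        return diff == 0;
    }

    // Round trip, then a one-bit change in the ciphertext, which the tag rejects.
    public static bool Demonstrate()
    {
        const string value = "account=12345;amount=10.00"; // constructed sample input
        string token = Encrypt(value);
        byte[] raw = Convert.FromBase64String(token);
        raw[IvBytes] ^= 0x01; // flip a bit in the first ciphertext block
        return Decrypt(token) == value && Decrypt(Convert.ToBase64String(raw)) == null;
    }
}
```

Wiring it in is a matter of calling AuthenticatedReform.Encrypt in Reform.aspx and AuthenticatedReform.Decrypt on the receiving page; the Base64 string still travels as a form field, it is just 48 bytes longer. The tag is computed over the IV too, so an attacker cannot shift the first plaintext block by editing the IV, and because the tag is verified before decryption the padding check never runs on untrusted input, which removes the padding oracle along with the tampering problem. The encryption oracle remains (Reform.aspx still encrypts anything it is sent), so bind the value to the session or user on the server if it must not be substituted with another legitimately encrypted value.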
Comments
Anonymous
January 12, 2011
When you say this page should run over https, aren't you missing the whole point? You would encrypt using JavaScript and decrypt using C# when you do not have SSL and are trying to encrypt traffic over HTTP. The whole idea of calling server-side code to encrypt data defeats the purpose. What's the point of this code? Sorry, but it's not at all clear. Maybe you can explain that in the post itself?