MachineKey Encryption Is Not Permanent

Question

MachineKey Encryption Is Not Permanent

I am using a method MachineKey.Protect()to encrypt an identifier passed as a query string in my asp.net MVC application.

Here is the code I use for encryption / decryption:

public static string Encrypt(this string expression)
{
    if (string.IsNullOrEmpty(expression))
        return string.Empty;

    byte[] stream = Encoding.Unicode.GetBytes(expression);
    byte[] encodedValue = MachineKey.Protect(stream);            
    return HttpServerUtility.UrlTokenEncode(encodedValue);            
}

public static string Decrypt(this string expression)
{
    if (string.IsNullOrEmpty(expression))
        return string.Empty;

    byte[] stream = HttpServerUtility.UrlTokenDecode(expression);
    byte[] decodedValue = MachineKey.Unprotect(stream);
    return Encoding.Unicode.GetString(decodedValue);
}

And here is the element MachineKeyin my file web.config:

<system.web>
    .
    .
    .
    <machineKey validationKey="xxx" decryptionKey="xxx" validation="SHA1" decryption="AES" />
</system.web>

The problem is that the encrypted identifier is not persistent. Every time I call a method, I get a new encrypted expression. How to make it permanent?

+4

c # asp.net asp.net-mvc encryption

ataravati Aug 08 '14 at 14:50

source share

2 answers

Machine.Key.Proctect! .

public static class Key
{       
    public static string EncryptWithAPurpose(this string expression, string[] purpose)
    {
        if (string.IsNullOrEmpty(expression))
            return string.Empty;

        byte[] stream = Encoding.Unicode.GetBytes(expression);
        byte[] encodedValue = MachineKey.Protect(stream, purpose);
        return HttpServerUtility.UrlTokenEncode(encodedValue);
    }

    public static string DecryptWithAPurpose(this string expression, string[] purpose)
    {
        if (string.IsNullOrEmpty(expression))
            return string.Empty;

        byte[] stream = HttpServerUtility.UrlTokenDecode(expression);

        byte[] decodedValue = MachineKey.Unprotect(stream,purpose);
        return Encoding.Unicode.GetString(decodedValue);
    }

}

:

→ @Html.ActionLink( " ", "GetKey", {id = Guid.NewGuid()})
ViewModel
.

{

public ActionResult GetKey(Guid id)  
{
            var vm = new vmGetKey();

            vm.Guid = id;

            //create a purpose
            var purpose = new string[] { "Test", "WithAPurpose" };

            //encrypt  key1
            vm.key1 = Key.EncryptWithAPurpose(id.ToString(),  purpose);

            //encrypt Key2
            vm.key2 = Key.EncryptWithAPurpose(id.ToString(), purpose);

            //decrypt key1
            vm.key1_DecryptResult = Key.DecryptWithAPurpose(vm.key1, purpose);

            //decrypt key2
            vm.key2_DecryptResult = Key.DecryptWithAPurpose(vm.key2, purpose);

            return View(vm);
}


public class vmGetKey
{
    public Guid Guid { get; set; }
    public string key1 { get; set; }
    public string key2 { get; set; }
    public string key1_DecryptResult { get; set; }
    public string key2_DecryptResult { get; set; }        
}        




    }

+1

ivw 12 . '14 22:00

sga101 · Accepted Answer · 2014-08-16T20:57:24+0000

Summary:

, . MachineKey.Protect IV , .

Detail

Microsoft , .

: MachineKey

AspNetCryptoServiceProvider

AspNetCryptoServiceProvider.GetCryptoService NetFXCryptoService, :

public byte[] Protect(byte[] clearData) {
        // The entire operation is wrapped in a 'checked' block because any overflows should be treated as failures.
        checked {

            // These SymmetricAlgorithm instances are single-use; we wrap it in a 'using' block.
            using (SymmetricAlgorithm encryptionAlgorithm = _cryptoAlgorithmFactory.GetEncryptionAlgorithm()) {
                // Initialize the algorithm with the specified key and an appropriate IV
                encryptionAlgorithm.Key = _encryptionKey.GetKeyMaterial();

                if (_predictableIV) {
                    // The caller wanted the output to be predictable (e.g. for caching), so we'll create an
                    // appropriate IV directly from the input buffer. The IV length is equal to the block size.
                    encryptionAlgorithm.IV = CryptoUtil.CreatePredictableIV(clearData, encryptionAlgorithm.BlockSize);
                }
                else {
                    // If the caller didn't ask for a predictable IV, just let the algorithm itself choose one.
                    encryptionAlgorithm.GenerateIV();
                }
                byte[] iv = encryptionAlgorithm.IV;

                using (MemoryStream memStream = new MemoryStream()) {
                    memStream.Write(iv, 0, iv.Length);

                    // At this point:
                    // memStream := IV

                    // Write the encrypted payload to the memory stream.
                    using (ICryptoTransform encryptor = encryptionAlgorithm.CreateEncryptor()) {
                        using (CryptoStream cryptoStream = new CryptoStream(memStream, encryptor, CryptoStreamMode.Write)) {
                            cryptoStream.Write(clearData, 0, clearData.Length);
                            cryptoStream.FlushFinalBlock();

                            // At this point:
                            // memStream := IV || Enc(Kenc, IV, clearData)

                            // These KeyedHashAlgorithm instances are single-use; we wrap it in a 'using' block.
                            using (KeyedHashAlgorithm signingAlgorithm = _cryptoAlgorithmFactory.GetValidationAlgorithm()) {
                                // Initialize the algorithm with the specified key
                                signingAlgorithm.Key = _validationKey.GetKeyMaterial();

                                // Compute the signature
                                byte[] signature = signingAlgorithm.ComputeHash(memStream.GetBuffer(), 0, (int)memStream.Length);

                                // At this point:
                                // memStream := IV || Enc(Kenc, IV, clearData)
                                // signature := Sign(Kval, IV || Enc(Kenc, IV, clearData))

                                // Append the signature to the encrypted payload
                                memStream.Write(signature, 0, signature.Length);

                                // At this point:
                                // memStream := IV || Enc(Kenc, IV, clearData) || Sign(Kval, IV || Enc(Kenc, IV, clearData))

                                // Algorithm complete
                                byte[] protectedData = memStream.ToArray();
                                return protectedData;
                            }
                        }
                    }
                }
            }
        }
    }

, _predictableIV - false.

IV, , , .

IV , Unprotect .

MachineKey Encryption Is Not Permanent

More articles: