Simple HTTP query parameter encryption

1/10/2020 Jeff

TSL/SSL is effective in protecting HTTP traffic in-route, however there are still times when it's useful to encrypt query parameters. The most well-known reason is to protect HTTP-GET traffic that gets stored in a web log. Web logs store the original URL, along with clear-case query strings.

Recently I came across another use: I have an Android phone app that needed to make some simple calls to one of my websites. I wanted some sense of security, but didn't want to implement full authentication & authorization. I wanted to just make one HTTP-GET call. My answer was to include an encrypted token as one of the parameters, and use the same encryption on this token on both ends (in my Android and, and my web app).

The first step in the process was to create a simple Encryption implementation that could be shared between client and server. Here's the class I created: 

using System;
using System.Security.Cryptography;
using System.Text;

public static class SimpleEncryption
{
    // TODO: Pull the key from an app config
    // Or at a minimum change these numbers:
    private static byte[] key = new byte[8] { 1,2,3,4,5,6,7,8 };
    private static byte[] iv = new byte[8] { 1,2,3,4,5,6,7,8 };

    public static string Encrypt(string text)
    {
        SymmetricAlgorithm algorithm = DES.Create();
        ICryptoTransform transform = algorithm.CreateEncryptor(key, iv);
        byte[] inputbuffer = Encoding.Unicode.GetBytes(text);
        byte[] outputBuffer = transform.TransformFinalBlock(inputbuffer, 0, inputbuffer.Length);
        return Convert.ToBase64String(outputBuffer);
    }

    public static string Decrypt(string text)
    {
        SymmetricAlgorithm algorithm = DES.Create();
        ICryptoTransform transform = algorithm.CreateDecryptor(key, iv);
        byte[] inputbuffer = Convert.FromBase64String(text);
        byte[] outputBuffer = transform.TransformFinalBlock(inputbuffer, 0, inputbuffer.Length);
        return Encoding.Unicode.GetString(outputBuffer);
    }

    /// <summary>
    /// Performs an encryption, followed by UrlEncode so it can be passed as query parameter
    /// </summary>
    public static string EncryptWithUrlEncoding(string text)
    {
        string encrypted = Encrypt(text);
        return System.Net.WebUtility.UrlEncode(encrypted);
    }
}

This implements a very basic symmetric encryption algorithm. Another common one is Rijndael encryption (google it). Depending on your security need, you could place the key in an app.config, or just hard-code a different set of numbers. Even better would be key generated as a combination of the two. The important thing is to use the same key on both ends. The simplest way is to copy this same file (or link it) in all related projects.

Now that you've got this class create, here's a simple example of performing encryption/decryption: 

// On the client:
string token = SimpleEncryption.Encrypt(myData);

// On the server:
string originalData = SimpleEncryption.Decrypt(token);

Be sure to call UrlEncode

So, you're on the client, you've encrypted your data, you pass it as a query parameter...and things break. The problem: This encrypted text inevitably contains characters such as space, '+', '&' and '/'. These will clearly mess up your query string. Thankfully the solution is simple: Call WebUtility.UrlEncode(), which I've done in the convenience function EncryptWithUrlEncoding above (line 32).

Add a dash of "Salt"

Encryption can be enhanced with the use of adding a "salt" to the original text prior to the Encrypt call, and removing it after the Decrypt call. This helps prevent someone figuring out the private key by the use of sending their own values and seeing what it gets encrypted to.

For example, I may have a call that encrypts the user's full name before sending. So for me, "Jeff Bush" gets encrypted to something, and then that gets sent. A hacker then sees the encrypted value, but not the original text.

However, if that hacker is allowed to generate his own calls, he can send a full name like "The Hacker", then see what gets generated. From that, determine how it got generated (since this is a symmetric encryption").

The Solution: Inside this code, simply add a small bit of text to the beginning, such as "AA". Therefore in my example, what actually got encrypted was "AAJeff Bush". Then during the decryption, simple remove the "AA". Then when the hacker tries to encrypt "The Hacker", what he doesn't know is that it actually encrypted "AAThe Hacker". This helps make symmetric encryption safer.

The coding of this is simple: Create a private "salt" variable, then create to version of Encrypt/Decrypt that use it. Add the following to the SimpleEncryption above: 

private static string salt = "AA";  // Your salt here

public static string EncryptWithSalt(string text)
{
    return Encrypt(salt + text);
}

public static string DecryptWithSalt(string text)
{
    return Decrypt(text).Substring(salt.Length);
}


What to encrypt?

Now that you're ready to encrypt something and pass it, what should we encrypt? In my case, the use of encryption wasn't for the sake of hiding data, but confirming it comes from a trusted source. The most basic is something that will be known on both ends. A real simple solution is to use one or more (concatenated) of the other parameters being passed. (Another option would be to encrypt the client's IP address). Think of it like a hash. The server then can either perform the same encryption and compare with the token, or decrypt and check that value. If the tokens match, it comes from a trusted source.

An example: Simple authorization

As mentioned above, I wanted to use this technique to create a GET call with simplified authorization. For this example, let's just assume we're passing a string called someData to , and want to ensure it came from a trusted source without the need for credentials. One way to do this is to create a token, similar to a hash, on data that both sides know about. The easiest is to use someData to create our token. First, the client code: 

public async void SendSomeData(string someData)
{
    string siteUrl = "http://{site and controller path}/";
    HttpClient client = new HttpClient();
    string token = SimpleEncryption.EncryptWithUrlEncoding(someData);
    string fullUrl = $"{siteUrl}?token={token}";
    string responseBody = await client.GetStringAsync(fullUrl);

    // todo: check responseBody
}

Notice that line 5 calls the version that also URL encodes the token.

Now on the server, in one of your controllers:

[HttpGet]
public JsonResult GetSomeData(string someData, string token)
{
    // Do the same encryption on someData as the client did
    string encrypted = SimpleEncryption.Decrypt(token);
    if (token != encrypted)
    {
        return Json("Bad token.", JsonRequestBehavior.AllowGet);
    }

    // Do something

    return Json("Success", JsonRequestBehavior.AllowGet);
}

Since we're using this for authorization, we don't need to decrypt the data, all we need to is to perform the same encryption the client did, and check that they are the same (line 6). If they aren't, stop processing at that point. Otherwise continue on.

And that's all that's needed for some basic security using an encrypted query parameters.

Please register or login to add a comment.

Comments (displaying 1 - 1):
No comments yet! Be the first...

Languages
  • C#/.NET
  • T-SQL
  • HTML/CSS
  • JavaScript/jQuery
Technologies
  • .NET 8
  • ASP.NET/MVC
  • Xamarin/MAUI
  • WPF
Platforms
  • Windows 11
  • SQL Server 20xx
  • Android
  • XBox
  • Arduino
Bad Habits
  • Skiing
  • Rock Climbing
  • White water kayaking
  • Road Biking

Book/Site Reviews

(See all...)