Secure JSON request from .Net to Javascript - c#

I'm sending a JSON result back to a javascript (Jquery) on my IIS/MVC4 website.
The json contains a string value of around 60-100 letters.
Currently it is being sent in clear text with no encyption at all.
What would be the simplest method to encrypt just this message between the javascript client and the .net C# backend?
The encryption dosent have to be superb, but just enough that you cant figure/bruteforce out the contents in under 1 hour.
Keep in mind that everyone has the javascript so I cant just use a common key for all clients.
I was thinking something along the line of an RSA encryption where the client generates a keypair and sends its public key back with the request and the server uses this to encrypt the value.. I cant find any examples of this though so I'm very open to suggestions.

Run the entire webpage over SSL (HTTPS). The server and browser will take care of encryption for you.

Related

Sending Http requests from a webbrowser to HttpListener

I've set up an HttpListener running on port 8086 on my custom server application, which works with JSON and XML over sockets. I can't change my server application to any other implementation, I am stuck with it for now.
I'm a bit new to Http, so feel free to correct my naviety below! I've searched, but can't find anything that deals with my exact problem.
When I use Hurl.it to send an HttpRequest to the server, the GetContext function fires no problem and I am able to send an html response back to Hurl.it.
Now, the question is, I want to be able to send out Reset Password email links in the form of "http://myip:PORT/resetpasswordseed=74283235" and have a browser be able to receive, parse and display a dynamically generated html form. (I will also need to add SSL to this a bit later, as I don't want a newly updated password being sent as plain text in a URL.)
Now, when I click the URL link http://myserverip:port/resetpassword with Edge or Firefox the GetContext function does not fire and the web browser times out. Have I missed something or am I trying to do something that is not possible? I don't get an error message or an exception or anything.
Any help would be appreciated.
Cheers
Craig.

Incorrect Key for decrypting web service response

I am working on a WCF client to consume a third party web service over which I have no control. It works with a custom binding and WS Security. No app.config, all through code. I can successfully send requests and receive responses. However, it seems .Net cannot decrypt the service responses, so I have to do it manually. I have implemented a custom encoder and overriden the ReadMessage method. I have access to the raw SOAP response. I have seen code in MSDN as well as a blog where they explain how to decrypt the response. I read the oasis specifications for the response xml schema. The response contains a reference to the x509 certificate that has the private key necessary to decrypt the session key, so then the body can be decrypted. According to the documentation of the service I am trying to consume, and pretty much everywhere I've read, I should use the private key of the certificate I used to sign my request, but I get an Exception saying the key is incorrect. I then tried every possible certificate with a private key in all my certificate stores to see if one of them would successfully decrypt the message but all of them failed. If I understand it right, this means the service expects me to decrypt the message with a private key I don't have. I'm rather new to WCF and web services themselves, so I might be missing something.
Do you know what could be happening? Or maybe I am understanding something wrong. Any help will be greatly appreciated.
Thanks

Encrypted JSON Strings Over SSL for Webservice Security

I have a scenario where users are Uploading Transactions logs to Main Server Via ASMX Webservice. The application is clickonce .Net winforms app
Currently I am doing this To convert to List of Object to Json and Deserialize it on Service. over the SSL.
string data = JsonConvert.SerializeObject(Values_Static.logitems);
My Code is protected by SmartAssembly . And still I am getting some breach that attacker have access to the Network Connections and Can Deserliaze the Data.
Now i am thinking of a Scenario that I Encrypt the Json String with some private string key and then decypt it on the server .
e.g
private string salt = "$e7?8f#l4";
return ByteArrToString(Encrypt(TextValue + salt));
Hardcode the key in app and decode it in server.
will it work ?
Users are uploading the the logs to server every minute and there are possibly 20-30 entries per Upload.
is there any chances of broken Data or still the hacking ?
UPDATE :
According to Discussion Below . I understand that there is some issue with my Code. The code is accepting the invalid certificate . How i Can prevent to Accept only Valid Certificate from my https:// Web service .
ATM , every one can see the code through fiddler with Decryption HTTPS on .
I have a valid Certificate installed on my IIS 7. and its working properly
the issue is with code. and its standard auto generated web reference in Visual Studio.
UPDATE 2 :
The Final Result is , The Post data is not Encrypting , its Plain XML and readable by any software that can sniff , however the GET data is secure . I had serached bit not found some valid Answer.
Are you using SSL? If so, any application-level encryption is redundant. And, the key will have to be embedded in the code, so is readable by any attacker.
Fiddler (or other HTTPS proxies) can decrypt any HTTPS traffic.
You could prevent simple use of Fiddler by requiring a specific server certificate in your client code (rather than trusting any certificate the system itself trusts). However, this is only a weak deterrent because the user could just decompile your code and alter it so that your new certificate check is neutered.
This is called the "Untrusted client" problem, and it's the same thing that makes Digital Rights Management (DRM) software a "best effort" affair rather than an ironclad protection.

Encrypted URL results in Bad Request

Before stating the problem I want to say that I've read all the posts that suggest that what I'm doing is a bad idea and I AGREE WITH YOU 100% but, our customer insists that he wants the id on the URL to be encrypted so we don't have much choice.
The application is ASP .Net MVC 2 and we are using the basic default route of
"{controller}/{action}/{id}" in which the id is encrypted.
The code that returns the encrypted id is as follows:
return HttpUtility.UrlEncode(Encryptor.Encrypt(inputText));
The Encrypt method is using the System.Security.Cryptography.RijndaelManaged class and we get something like:
http://localhost:3396/MyController/MyAction/%253fval%253dWrikkm9UeEmHdsaMJyjgzA%253d%253d
Now when I click on the link I always get a blank page saying:
Server Error in '/' Application.
HTTP Error 400 - Bad Request.
I guess this error is being sent by IIS since the request never reaches the controller.
Any help will be very much appreciated.
Perhaps your customer doesn't want people "guessing" incremental or string IDs in the URL, which is how a lot of insecure web applications get hacked (E.g. Sony) right? It's a slightly-uninformed demand, but well intentioned. I understand your pain.
Would your customer know the difference between a hashed and encrypted ID? Maybe your life could be simpler if you just used salted+hashed IDs, which adds just as much obfuscation (not security!) to the URL, minus the need to URLEncode the encrypted value.
Ideally, you could get this "encrypted ID" requirement punted in favor of a combination of SSL, an authentication system with page level rights-enforcement, and solid audit trail logging. This is standard web application security stuff.

Validation with (C# Application <> PHP Application)

Where currently working on an C# application that requires data to be stored in central location.
The application will authenticate the user via the server, which in turns returns a session via the headers.
Then the C# application would then use the CDN to send and collect data from/to the server.
What I want to accomplish is to be able to verify its the C# application sending or requesting the data and not some script mimicking the headers and data.
What methods are there in validating each side of the request so that the C# Application can validate the Server data and also the other way around.
Thanks.
This scenario is easily solved using public-key cryptography:
A simple solution is to encode a hash of the data (and potentially a timestamp / sequence number) with the public key of the "other side." This can be used to guarantee, upon decryption with the private key upon receipt and a comparison of the hash value (and potentially a timestamp / sequence test), that the (expected) sender actually sent the data.
If you store a private key with the C# application, you can send this with the authentication request.
Store a random string of text with the C# application and the PHP application;
Require the login request to have this string;
In the PHP application, verify that this string matches;
Every authentication request that does not have this string will be rejected.

Categories