
Encrypt Password Field in SQL Server, Registry Information & Query String


By Syed Adnan Ahmed.

How to encrypt the database password field, registry information and query string.

Introduction

Web developers often take little interest in securing three pieces of sensitive information: the
query string, the connection string (which usually lives in the registry) and the user passwords
stored in the user registration table. When I was building a web-based application in ASP.NET, I
decided to apply encryption in all three places to harden the application.

.NET provides the System.Security.Cryptography classes to encrypt and decrypt data wherever it is used.

I would like to discuss these three issues one by one.

Encrypt Password field in SQL Server

It is common practice for developers not to protect user login passwords in the database table.
Anyone with read access to the table can then use those passwords to log in to the site at any
time. To avoid this situation I used .NET's Cryptography classes.

The logic is as follows. When a user is added through my web application, on the form submit
event I first read the user's details from the form fields, encrypt the password and then insert the
whole record into the user registration table, so only the encrypted password is stored. When the
user later logs in and provides a user id and password, I encrypt the supplied password and
compare it with the value in the employee table, so I never need to decrypt the stored password.

This comparison only works because the Encrypt function shown later is deterministic: the same
password with the same fixed key and IV always produces the same ciphertext. That also means two
users with the same password get the same stored value, and anyone who obtains the key compiled
into the Utilities class can recover every password. Standard practice for stored passwords is a
salted one-way hash rather than reversible encryption; the register-and-compare flow is the same,
only the stored value cannot be decrypted.

Encrypt Registry Information

Typically, most developers, including me, think that the Windows registry is the best place to
store key information such as connection strings. But the registry does not encrypt its contents:
anyone with access to the server can read all of this information, including database passwords.
To avoid this situation I again use .NET's Cryptography classes and store the key information in
the registry in encrypted form. Bear in mind that the key and IV used by the Utilities class below
are compiled into the application on the same server, so this defeats a casual reader of the registry
rather than an attacker who can also read the assembly; restrict the ACL on the registry key as well.
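An added example, not the article's code, of keeping the connection string in the registry only in encrypted form. The article's Utilities.EncryptText could be used in the same two places; this version instead uses DPAPI (System.Security.Cryptography.ProtectedData, .NET 2.0 or later, reference System.Security.dll), which encrypts under a key held by the operating system for this machine, so there is no key to compile into the assembly. The registry path, value name and entropy string are assumptions.

```vbnet
Imports System
Imports System.Text
Imports System.Security.Cryptography
Imports Microsoft.Win32

' Added example, not the article's code. Path, value name and entropy are
' assumptions; DPAPI replaces the article's fixed-key DES.
Public Class RegistrySecrets

    Private Const KeyPath As String = "SOFTWARE\MyWebApp"
    Private Const ValueName As String = "ConnectionString"

    ' Extra secret mixed into the DPAPI key. With LocalMachine scope any
    ' process on the box could otherwise call Unprotect on the value, so
    ' this is a barrier against other local code that does not know it.
    Private Shared ReadOnly Entropy As Byte() = _
        Encoding.UTF8.GetBytes("MyWebApp-registry-v1")

    ' Run once at deployment time under an account that may write HKLM.
    Public Shared Sub Save(ByVal connectionString As String)
        Dim plain As Byte() = Encoding.UTF8.GetBytes(connectionString)
        Dim cipher As Byte() = ProtectedData.Protect( _
            plain, Entropy, DataProtectionScope.LocalMachine)
        Dim key As RegistryKey = Registry.LocalMachine.CreateSubKey(KeyPath)
        Try
            ' Stored as Base64 text; the registry never sees the plaintext
            key.SetValue(ValueName, Convert.ToBase64String(cipher), _
                         RegistryValueKind.String)
        Finally
            key.Close()
        End Try
    End Sub

    ' Called by the web application at run time; the worker process
    ' account needs only read access to the key.
    Public Shared Function Load() As String
        Dim key As RegistryKey = Registry.LocalMachine.OpenSubKey(KeyPath, False)
        If key Is Nothing Then
            Throw New InvalidOperationException("Registry key not found: " & KeyPath)
        End If
        Try
            Dim stored As String = TryCast(key.GetValue(ValueName), String)
            If stored Is Nothing Then
                Throw New InvalidOperationException("Value not found: " & ValueName)
            End If
            Dim plain As Byte() = ProtectedData.Unprotect( _
                Convert.FromBase64String(stored), Entropy, _
                DataProtectionScope.LocalMachine)
            Return Encoding.UTF8.GetString(plain)
        Finally
            key.Close()
        End Try
    End Function
End Class
```

The value written by Save only decrypts on the machine that wrote it, which is what you want for a per-server connection string; copying the registry export to another host yields an Unprotect failure rather than the password.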

Encrypt Query String

Often developers pass information from one page to another by using query string, without
encrypting those sort of information. Let’s take a scenario where (e.g. it is necessary to encrypt
the information contained in the query) I pass the area name (e.g. TownId) from one to another
page and on the basis of that TownId I want to get some information from the database. If the
user change the TownId in the address bar of the browser and refresh the web page, then this
changed TownId will pass and the information related to the users changed TownId will be
viewed. So by doing this, the user is able to get all the towns' information whether he has access
to all the other towns' information or not.

With .NET's Cryptography classes we can encrypt this information before sending it and reverse the
process on the receiving page, decrypting it before use. Encrypting the parameter stops a user from
typing a different TownId into the address bar, but it is not an authorization check: any valid
token, wherever it was obtained, still decrypts to a TownId, so the receiving page should also
verify that the current user is allowed to view that town.
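The send-and-receive flow above as an added example, not the article's code. It calls the article's Utilities.EncryptText and Utilities.DecryptText (assumed to be in the same project) and shows two things the description leaves out: the Base64 token must be URL-encoded, and the receiving page still needs its own authorization check. Page names, the query parameter "t", the .NET 2.0 code-behind style and the UserMayViewTown lookup (with constructed sample data) are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.UI

' Added example, not the article's code. Uses the article's Utilities
' class; page name, parameter name and permission data are assumptions.
Partial Public Class TownDetail
    Inherits Page

    ' Sending page: build the link. EncryptText returns Base64, whose
    ' '+', '/' and '=' are special in a URL; without UrlEncode a '+'
    ' arrives as a space and DecryptText fails on the receiving page.
    Public Shared Function BuildTownLink(ByVal townId As Integer) As String
        Dim token As String = Utilities.EncryptText(townId.ToString())
        Return "TownDetail.aspx?t=" & HttpUtility.UrlEncode(token)
    End Function

    ' Receiving page: decrypt first, then authorize, then load data.
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles Me.Load
        Dim townId As Integer
        If Not TryReadTownId(Request.QueryString("t"), townId) Then
            Response.StatusCode = 400   ' missing, tampered or truncated token
            Response.End()
        End If
        If Not UserMayViewTown(User.Identity.Name, townId) Then
            Response.StatusCode = 403   ' valid token, but not this user's town
            Response.End()
        End If
        ' ... load and display the town's information for townId ...
    End Sub

    ' Request.QueryString has already URL-decoded the value. A tampered
    ' token makes the article's Decrypt return its exception message (it
    ' catches and returns ex.Message) or garbage; neither parses as an
    ' integer, so a failed TryParse is treated as a bad request.
    Public Shared Function TryReadTownId(ByVal token As String, _
                                         ByRef townId As Integer) As Boolean
        townId = 0
        If String.IsNullOrEmpty(token) Then Return False
        Dim plain As String = Utilities.DecryptText(token)
        Return Integer.TryParse(plain, townId)
    End Function

    ' Constructed sample data standing in for the table that maps users to
    ' the towns they may see; the real application queries that table.
    Private Shared Function UserMayViewTown(ByVal userName As String, _
                                            ByVal townId As Integer) As Boolean
        Dim allowed As New Dictionary(Of String, List(Of Integer))
        allowed("alice") = New List(Of Integer)(New Integer() {101, 102})
        allowed("bob") = New List(Of Integer)(New Integer() {102})
        If userName Is Nothing OrElse Not allowed.ContainsKey(userName) Then
            Return False
        End If
        Return allowed(userName).Contains(townId)
    End Function
End Class
```

With the sample data, "bob" following a link to town 101 gets a 403 even though the token decrypts correctly; the encryption hides the identifier, the lookup enforces who may see it.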

I have made a class named Utilities and imported the following namespaces:

Imports System
Imports System.IO
Imports System.Xml
Imports System.Text
Imports System.Security.Cryptography

Two public shared functions named EncryptText and DecryptText, each taking one argument of type
String, are provided.

From an ASP.NET page, just provide the text that you want to encrypt/decrypt into this function
and it will return you an encrypted/decrypted text depending upon the function you use.

The EncryptText function internally calls the private Encrypt function, which takes two parameters:
the user's text and the encryption key. The key must be at least eight ASCII characters, and only
the first eight are used, because DES takes an 8-byte key. DecryptText likewise calls Decrypt with
the same key.

The source code for the function is given below:

' Encrypt the text with the application's fixed key
Public Shared Function EncryptText(ByVal strText As String) As String
    Return Encrypt(strText, "&%#@?,:*")
End Function

' Decrypt the text with the application's fixed key
Public Shared Function DecryptText(ByVal strText As String) As String
    Return Decrypt(strText, "&%#@?,:*")
End Function

' The function used to encrypt the text.
' strEncrKey must be at least eight ASCII characters; only the first
' eight are used, because DES takes an 8-byte key.
Private Shared Function Encrypt(ByVal strText As String, _
                                ByVal strEncrKey As String) As String
    Dim byKey() As Byte = {}
    ' Fixed initialisation vector (8 bytes, the DES block size). With a
    ' fixed key and IV the same input always gives the same ciphertext.
    Dim IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}

    Try
        byKey = System.Text.Encoding.UTF8.GetBytes(Left(strEncrKey, 8))

        ' DES (56-bit key, a legacy cipher) in its default CBC mode with
        ' PKCS7 padding
        Dim des As New DESCryptoServiceProvider()

        Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(strText)
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, des.CreateEncryptor(byKey, IV), _
                                   CryptoStreamMode.Write)
        cs.Write(inputByteArray, 0, inputByteArray.Length)
        cs.FlushFinalBlock()
        ' Base64 so the ciphertext can be stored in a text column or a URL
        Return Convert.ToBase64String(ms.ToArray())

    Catch ex As Exception
        ' Note: the caller receives the exception message in place of
        ' ciphertext and has no way to tell the two apart
        Return ex.Message
    End Try

End Function

' The function used to decrypt the text; must use the same key and IV
' as Encrypt
Private Shared Function Decrypt(ByVal strText As String, _
                                ByVal sDecrKey As String) As String
    Dim byKey() As Byte = {}
    Dim IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}
    Dim inputByteArray() As Byte

    Try
        byKey = System.Text.Encoding.UTF8.GetBytes(Left(sDecrKey, 8))
        Dim des As New DESCryptoServiceProvider()
        ' Throws FormatException if strText is not valid Base64, e.g. a
        ' '+' that was turned into a space by URL decoding
        inputByteArray = Convert.FromBase64String(strText)
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, des.CreateDecryptor(byKey, IV), _
                                   CryptoStreamMode.Write)

        cs.Write(inputByteArray, 0, inputByteArray.Length)
        ' Throws CryptographicException if the padding does not check out
        ' (wrong key or tampered ciphertext)
        cs.FlushFinalBlock()
        Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8

        Return encoding.GetString(ms.ToArray())

    Catch ex As Exception
        ' As in Encrypt, the error message is returned as if it were the
        ' decrypted text
        Return ex.Message
    End Try

End Function

Conclusion

I have shown the three main areas where you should apply encryption to secure your web
application. If you have any query or difficulty implementing it, please feel free to email me at:
adnanahmed235@yahoo.com.
