Tough security question using System.Security.Cryptography.RijndaelManaged.

Hi,

I have to figure out why we have a problem with special characters in encrypted usernames and passwords.
Case:
Username: r&bgeorge
Password: tigger
We allow users to create usernames and passwords with special characters on the website. When we log them in, they have the option to save their login credentials for future logins.
User logs in and checks off the “remember your password” option. Then the user closes his browser and opens a new browser window for the application. The user is not logged in and the username field contains “r” only, which the letter before the special character. That’s where it breaks I assume. The password field is empty.
Code:
This is the class that does the encryption (method:EncodeString()):
Imports System.Security

Imports System.IO
Imports System.Text
Imports Microsoft.VisualBasic
Public Class wwCrypto
'Set up the keys, these are used for both encryption and decryption
Private keyb() As Byte = {1, 253, 5, 50, 52, 91, 193, 133, 193, 121, 221, 164, 57, 128, 91, 91, 19, 39, 111, 197, 125, 98, 89, 48, 97, 154, 83, 187, 222, 167, 171, 74}
Private ivb() As Byte = {10, 61, 235, 120, 122, 120, 80, 248, 13, 182, 196, 212, 176, 46, 23, 85}
Public Function EncodeString(ByVal str As String) As String
Dim outStr As String
' Set up the streams and stuff
Dim ms As New MemoryStream()
Dim rv As New System.Security.Cryptography.RijndaelManaged()
Dim cs As New Cryptography.CryptoStream(ms, rv.CreateEncryptor(keyb, ivb), System.Security.Cryptography.CryptoStreamMode.Write)
Dim p() As Byte = Encoding.ASCII.GetBytes(str.ToCharArray())
Dim encodedBytes() As Byte
Try
cs.Write(p, 0, p.Length) ' write to stream as encrypted data
cs.FlushFinalBlock()
encodedBytes = ms.ToArray ' Convert the stream to something we can use
Catch ex As Exception
Finally
ms.Close()
cs.Close()
End Try
outStr = Convert.ToBase64String(encodedBytes)
Return outStr
End Function
Public Function DecodeString(ByVal str As String) As String
Dim outStr As String
Dim p() As Byte = Convert.FromBase64String(str)
Dim initialText(p.Length) As Byte
Dim rv As New System.Security.Cryptography.RijndaelManaged()
Dim ms As New MemoryStream(p)
Dim cs As New Cryptography.CryptoStream(ms, rv.CreateDecryptor(keyb, ivb), System.Security.Cryptography.CryptoStreamMode.Read)
Try
cs.Read(initialText, 0, initialText.Length)
cs.FlushFinalBlock()
Catch ex As Exception
Finally
ms.Close()
cs.Close()
End Try
Dim sb As New StringBuilder()
Dim i As Integer
Dim b As Byte
For i = 0 To initialText.Length() - 1
b = initialText(i)
If (b = 0) Then ' The encryption pads with NULLs, break so the aren't added to the string!
Exit For
End If
sb.Append(Convert.ToChar(b))
Next
Return sb.ToString()
End Function
End Class
Then we add this to the cookie.
Questions:
1. Is my reasoning correct and is the encryption mechanism preventing auto login for users with special characters?
2. What would be the possible solution? How can I encrypt special characters so they work?
Thanks.
Andrzej
0
awegrzyn
9/22/2003 2:23:33 PM
asp.net.security 27051 articles. 1 followers. Follow

5 Replies
1233 Views

Similar Articles

[PageSpeed] 36
Get it on Google Play
Get it on Apple App Store

I would check the decryption algorithm.  

Is the length of initialText 1? Or is it the correct length?
0
stiletto
9/23/2003 4:10:14 AM
This works fine for me in a console application.  Could it be a problem with the ASP.NET default UTF-8 encoding?
0
likwid
9/23/2003 5:38:21 PM
I don't know since I'm not that great when it comes to security.  What about storing the username and pass in the cookies?  Could that affect the values?
0
awegrzyn
9/24/2003 3:26:07 AM
I've got an encryption algorithm similar to yours and have no problems. However try changing this line..

Dim p() As Byte = Encoding.ASCII.GetBytes(str.ToCharArray())
to
Dim p() As Byte = Encoding.UTF8.GetBytes(str.ToCharArray())
0
JeffNelson
9/24/2003 5:22:00 PM
Also Andrzej in the future do not post your private key bytes.  I can decrypt your passwords with those keys.  You had better change the byte numbers after this posting.
0
JeffNelson
9/24/2003 5:25:25 PM
Reply:

Similar Artilces:

security too secure
Name: joe Product: Firefox Summary: security too secure Comments: The security thing won't let me in this sight no matter how I accept, confirm, get certificate, etc. https://www.vtext.com/customer_site/jsp/messaging_lo.jsp Browser Details: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 From URL: http://hendrix.mozilla.org/ Note to readers: Hendrix gives no expectation of a response to this feedback but if you wish to provide one you must BCC (not CC) the sender for them to see it. ...

when is secure, secure?
Lo everyone, I wrote a custom authentication handler for PureFTPD, using a combination of authentication methods, for about 4 different types of users. So far, from testing it, it does look to work properly, and does it's job pretty well (and fast). I use #!/usr/bin/perl -W as well as use Strict, and use warnings, and the code returns no errors or warnings when run. I am right to presume that this basically only really tells me the my syntax and structure of the application is right? What's a good way to see whether it is actually SECURE... There is a couple of lines of...

How secure is secure?
Thanks to this group and all the high tech individuals who frequent it I have learned how to protect my PC from the inside out. But what about security risks to my info 'before' it gets to my computer? Like my mail box on the server. Could someone hack into that and thumb through my mail? If so, how would I ever know? (The short story) We have a rogue employee at my work who one day decided to run the web site, she got in tight with the ISP, got tools to set and delete passwords on a protected directory on the server. Who knows if she has telnet access to other things, li...

Why System.Web.Security and not System.Security?
Hi!I was wondering... why is the Security namespace under the System.Web and not the System namespace? Almost all the features could also be used for Windows application and in fact work fine. If you create a Windows app and add a reference to the System.Web, you can use the Membership providers the same way with a web app, simply be adding some configuration settings in the app.config.So... Why System.Web.Security and not System.Security?Dimitris PapadimitriouSoftware Development Professional...

System.Security.Security exception
Hi, I am trying to write errors into windows event log. I got this exception... can you please let me know a workaround... EventLog.WriteEntry( myAppName, aMsg, EventLogEntryType.Error); It needs ASPNET to be added to the administrators group...or else modify the registry manually... I don't wanna do either of these.... If any one has worked out on this...please help me out...Hey! It compiles! Ship it! Cheers, Venugopal Mallarapu. Visit : My Blog...

When loading gmail must always "reload" once unless using the secure loading site. When using the secure loading site loading takes four times as long. So I don't use the secure loading site, I just
Name: Dwight Metcalfe Email: dwmet1atgmaildotco Product: Firefox Summary: When loading gmail must always "reload" once unless using the secure loading site. When using the secure loading site loading takes four times as long. So I don't use the secure loading site, I just "reload" the other site once automatically just to save time. Hmmmmmmmm. Comments: Only been doing that about a month. Browser Details: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 From URL: http://hendrix.mozilla.org/ Note to reade...

System.Security.SecurityException: System.Security.Permissions.SecurityPermission
On my local host, I'm able to use my site just fine. But on my web hosted server, when I click a link to launch a page I get this below and I have no idea what it is. Only these two pages are kicking back this exception and I didn't enable any particular security settings that I know of on these pages. Can anyone tell me what's wrong? I've burned 4 days searching and I'm burned out. Please help. Server Error in '/' Application. Security Exception Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the req...

Security
This is a multi-part message in MIME format. --------------080100010401000103080002 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I'm a Mac user 10.4.8 of Thunderbird 1.5.0.7 & am wondering how "Enabling FIPS" will improve my security? I can't seem to find any explanation of FIPS under Thunderbird help. -- Have a good day R Schwager --------------080100010401000103080002 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Tr...

How secure is AuthenticationTypes.Secure?
I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I am having a regular ASP.NET site - with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set Secure flag to AuthenticationTypes.Secure. When the username and password data gets transmitted between the application and the LDAP server, how secure are the password and username info? In other words is this in...

Password secure...is it secure?
Yes I just got this baby and I LOVE it! Its great. I have stored all my passwords inside of it (and yes made a few backups from them in secure locations) How secure is this program really? It uses blowfish to encrypt the database but how strong blowfish? 128bits? 256? 448? Anything else I should think about it? I have putted it and its databases inside PGPdisk just to play it safe...but then again Im a paranoid. :) -- Markus Jansson ************************************ My privacy related homepage and PGP keys: http://www.geocities.com/jansson_markus/ ********...

How secure is secure enough?
July 28, 2008 (Computerworld) This story originally appeared in Computerworld's print edition. If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?" It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&intsrc=hm_list -- "Never d...

System.Security.Cryptography Uses
I hear it's possible to create a random number generator using system.security.cryptography. Does anybody know how to accomplish this? I can post my code to my current random num. generator, open to modifications, if someone thinks they might know how to do this. FWIW, see the quote below... ...from http://geekswithblogs.net/cwilliams/archive/2005/10/16/57141.aspx we have the following quote...   The Crypto stuff works like this: Dim b(10) As Byte System.Security.Cryptography.RandomNumberGenerator.Create.GetNonZeroBytes(b) That gives me an arra...

form security against security
i have a form in my website which is to be filled by user and that form stores in database(sql server 2005). but someone told me that anyone can run script  in textboxes in that form and can damage database, so how to avoid such security lack.  it is common practice to use parameterized sql statements or stored procs to insure you are protected from sql injections attacks. if you concatenate user input directly into a sql statement, then you are at risk.Mike Banavige~~~~~~~~~~~~Need a site code sample in a different language? Try converting it with: http://converte...

Secure connections: how secure are they?
*QUOTE* ......... both useful and malicious information can be transmitted via network connections. Standard solutions protect computers against threats present in standard network connections, but aren't able to counter threats present in secure connections. Verifying the contents of a secure connection is impossible by virtue of its secure nature, as demonstrated by the different types of protection listed above. As a result, malicious data within secure channels can cause a significant amount of damage, and sometimes more than if it were to be transmitted via a standard, non-s...