Encrypted QueryStrings

Does anyone have any good articles or resources for encrypting the query strings in the address bar?

you need to give us some context about what you are trying to do.

"encrypting the query strings in the address bar"... do you mean obfuscating a URL/URI, or taking a series of URLs from a browser and encrypting them with a real encryption algorithm, or what?

Sorry if I was being unclear.

I already figured out a way to do this, but to answer your question, I was trying to encrypt a string of parameters and values and then send it to the server and redirect the current page based on the parameters. Once on the page, the string would be decrypted and the values would be used in that page's code, but the query string in the address bar would be encrypted.

So for example, on one page I have a textbox asking for someone's name, then click a button. Once the button is clicked, the name is encrypted and you are redirected to another page. On that other page, the name will be decrypted and displayed, but the string in the address bar will be encrypted (ex: www.something.com?asoyvnvae7913en)

Again, I already figured out how to do this, but if anyone wants to know how to do it or needs some place where they can find out more about this, let me know.
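
The redirect scheme described in the post above, as an added example that is not part of the thread and not any poster's code. It assumes .NET 8 or later, a key that exists only on the server, and AES-GCM as the symmetric algorithm (the thread names none); `QueryStringProtector` is a hypothetical name.

```csharp
// Added example, not from the thread. Assumes .NET 8+ and a server-side key.
using System;
using System.Security.Cryptography;
using System.Text;
static class QueryStringProtector
{
    const int NonceSize = 12, TagSize = 16; // standard AES-GCM sizes
    // key: 32 random bytes kept on the server, never sent to the browser.
    public static string Protect(string query, byte[] key)
    {
        byte[] plain = Encoding.UTF8.GetBytes(query);
        byte[] token = new byte[NonceSize + plain.Length + TagSize];
        Span<byte> nonce = token.AsSpan(0, NonceSize);
        RandomNumberGenerator.Fill(nonce); // fresh nonce for every token
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, token.AsSpan(NonceSize, plain.Length),
                    token.AsSpan(NonceSize + plain.Length, TagSize));
        // URL-safe Base64 so the token needs no further escaping in a URL.
        return Convert.ToBase64String(token).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    // Returns null when the token is malformed or was modified by the client.
    public static string? Unprotect(string token, byte[] key)
    {
        try
        {
            string b64 = token.Replace('-', '+').Replace('_', '/');
            b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
            byte[] raw = Convert.FromBase64String(b64);
            if (raw.Length < NonceSize + TagSize) return null;
            int len = raw.Length - NonceSize - TagSize;
            byte[] plain = new byte[len];
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(raw.AsSpan(0, NonceSize), raw.AsSpan(NonceSize, len),
                        raw.AsSpan(NonceSize + len, TagSize), plain);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception e) when (e is CryptographicException || e is FormatException) { return null; }
    }
    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        string token = Protect("name=Alice", key);       // constructed sample input
        Console.WriteLine("www.something.com?" + token);
        Console.WriteLine(Unprotect(token, key));
        // Change one character, as a user editing the address bar could.
        string tampered = (token[0] == 'A' ? "B" : "A") + token.Substring(1);
        Console.WriteLine(Unprotect(tampered, key) == null);
    }
}
```

Because the GCM tag is verified before any plaintext is returned, a value edited in the address bar is rejected instead of being decrypted into different parameters.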


just remember you can't really trust client-side encryption for anything serious if the client is distributed....

because on anything but an ultra-locked down machine you personally locked down from software and physical attack, someone can always manipulate things.

also, implementing crypto is always full of problems unless you are a real pro with doing it.

it sounds like you are doing the right thing, though.. you send the encrypted message over the network, the server decrypts on its end, it sends back the redirect non-encrypted (except for the string/parameters in it) page, the string/parameters are decrypted on the client side and applied to the page with some client-side language (Javascript?).

are you using a pre-shared key or a public-key algorithm?

I'm not sure why you would want to do this except as an exercise, though... it would be easier to have a SSL/TLS protected HTTPS session....

I'm using C# with a public symmetric key algorithm. The System.Security.Cryptography namespace is actually really good, it was just a matter of reading through all the documentation.

This article helped a lot

ok, so by "public symmetric" you mean it's a mixed protocol/algorithm with public crypto used to exchange keys and symmetric used for later encryption, right?

interesting... I know jack about C#'s libraries, so I can't help there.

ask yourself:

"why am I passing stuff in my query strings?"

Unless you absolutely have to, don't. If you are using asp.net (which it appears you are) you should never have to use the query string.

why is it a bad idea to use query strings?

Yes I am using asp.net. What would be a better solution?

I generally never use the query string, too many problems. I manipulate the view state and use my custom session with db persistence to get around it.

"public symmetric key algorithm"

When we are talking symmetrical or asymmetrical encryption, we are
talking different algorithms. Symmetrical keys use a single 'secret key'
to encrypt and decrypt, whereas asymmetrical keys are generated in
pairs (public and a private key). So when you say, public symmetric, it
makes absolutely no sense at all.

What I think Rob was saying, and is pretty common, is using
asymmetrical algorithms to transfer 'secret' (symmetrical) keys - used
in IPSec VPNs and also for data/voice encryptors (since asymmetrical
algorithms are usually too slow for real time applications).

that is what I was talking about.. it's what I assumed he meant.

Rob you assume correctly, I don't know why I said "public", I must have been coding at the time or something. But yes, I was using symmetrical keys.