Obfuscate ASP.NET Strings

Protect your string data from prying eyes.

asp:HotTip

 

LANGUAGES: C#

TECHNOLOGIES: ViewState | Base64

 

Obfuscate ASP.NET Strings

Protect your string data from prying eyes.

 

By Ken McNamee

 

Have you ever wondered how and why the ASP.NET ViewState looks so garbled? Would you like to do the same to some of your strings? You can accomplish this easily by converting a normal string to Base64. Now, we're not talking about encryption here. This tactic is meant only to keep the casual observer from seeing a string's content. If you need rock-solid protection from shadowy hacker types, you shouldn't even think about using this process; instead, check out the System.Security.Cryptography namespace, which has many classes to help you build a good encryption scheme.

 

The trick to obfuscating your string data is to use the Encoding class to convert the original string to a Byte array and pass that array to the Convert class's ToBase64String method. I use UTF-8 encoding here, but the .NET Framework supports other types of encoding, so you should ensure you are using the right type. Here is the Base64Encode method:

 

string Base64Encode(string normalString, bool urlEncode)

{

  byte[]normalStringBytes =

          System.Text.Encoding.UTF8.GetBytes(normalString);

  string base64String =

          System.Convert.ToBase64String(normalStringBytes);

 

  if (urlEncode == true) {

    base64String =

          System.Web.HttpUtility.UrlEncode(base64String);

  }

  

  return base64String;

}

 

I also have added the option to UrlEncode the string once it is converted to Base64 so you can use it as a QueryString parameter. The Base64Encode method wouldn't be much use, however, if you were unable to reverse the process. Here is the Base64Decode method:

 

string Base64Decode(string base64String, bool urlDecode)

{

  if (urlDecode == true) {

    base64String =

          System.Web.HttpUtility.UrlDecode(base64String);

  }

  

  byte[]normalStringBytes =

          System.Convert.FromBase64String(base64String);

  string normalString =

          System.Text.Encoding.UTF8.GetString(normalStringBytes);

 

  return normalString;

}

 

This type of data obfuscation won't exactly violate the U.S. government's technology exportation restrictions, and it won't prevent the determined hacker from reversing the conversion and seeing your data. But you can use it to keep QueryString values in the URL or prevent hidden form variables from being read easily.

 

Ken McNamee is a senior software engineer with RelayHealth Corp., the premier provider of secure, Web-based doctor-patient communication services. Prior to this, he led a team of developers in re-architecting the Home Shopping Network's e-commerce site, HSN.com, to 100 percent ASP.NET with C#. E-mail him at mailto:[email protected].

 

 

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish