Sunday, February 23, 2014

[infosecinstitute] Securing URL Sensitive Data: Asp.Net Website Security

This paper especially demonstrating, how to encrypt sensitive data resided in website URL which usually travels across diverse network. Website usually can be compromised or subtle information can be disclosed by exploiting this inherent vulnerability. This article is elaborating such mechanism over ASP.NET website in step by step form by employing couple of C# algorithm. This rare artifact is dedicated to streamline the newbies or professional developer undertaking who usually strive to implement such mechanics.

Introduction
Securing URL is the process of concealing or encrypting a parameterized Query String based URL such aswww.xyz.com/login.aspx?uid=ajay&pawd=09876 by applying complex C#.NET cryptography. The movement a URL is requested from the server, internally we determine the required parameters, then encrypt Query String values where sensitive information is typically, located and redirect them to another source for further processing and then decrypt the encrypted Query-String values there, if it is required. In this whole process, the URL always shows some bizarre values in the Query String and intact from the malicious hacker eyes because it is very hard for him to figure out what exactly is travelling across the network via query string. The idea of Query String encryption protects a web page from MITM or session hijacking attacks at some extent. This mechanism is somewhat similar to URL rewriting where a verbose URL is flashing in the address in spite of actual web page address where Query String parameters are still located. The hacker never ever anticipates about the requested URL would have contained any Query String values.
Prerequisites
This demonstration requires a web programming skill especially in Asp.NET along with C #and having installed the following software and tools.
  • VS Studio IDE
  • ASCII converter
  • IIS Web Server (optional)
  • Browser
Susceptible URL
The following Asp.Net page which simply authenticating users on behalf of correct user id and password, is created to demonstrate the real concept behind disclosing “sensitive data via URL” incident. This page stipulates both facility to log-in; plan text or secure sign-in.
When the user enters his credentials and go head by simple plan text mechanism (without checking Secure Sign-in), its login information’s user name and password travelled through Query String to redirected page and literally displaying in the URL address bar as below;
Though optionally, we are showing user credentials information on the redirected Welcome.aspx page but here is a catch in the address bar also. There might be a possibility that a malicious hacker would have intercepting the traffic and he can easily advantageous with user information as such data are travelling or located in query string in clear text. Hence, this is the crucial vulnerability that we are going to pinpoint in this paper.
Securing Sensitive Data
This section describes the process of encrypting the data resided in query string. The Login form interface design in such a way, if user enables the Secure Sign-in check box, the encryption algorithm would be activated behind the scene and it is hard to anticipate the ciphered data that is travel across the webpages in query string.
As the user move ahead by enabling the Secure Sign-in option, the following piece of code is activated and encrypted the sensitive portion of URL. Here, the Encryt() method takes user name and password from the login form and implement ciphering. Later, user will be redirected to the welcome page via query string mechanism as;
1
2
3
4
5
string usr = HttpUtility.UrlEncode(Encrypt(txtUser.Text.Trim()));
string pwd = HttpUtility.UrlEncode(Encrypt(txtPwd.Text.Trim()));
 
Response.Redirect(string.Format("~/welcome.aspx?usrname={0}&password={1}",
                                 usr, pwd));
Developers usually, protect the query string by invoking UrlEncode method, which typically convert the plain text into base64 format. But such encoding is not suffice and still vulnerable. Hence, we applied double protection here in form of invoking custom algorithm and UrlEncode method.
Query String Encryption
Here in this code segment, the real encryption of query string parameters will be happen in the Encrypt() method implementation which is called while the user click on Sign-In button. Here, the Query String values will be first encrypted using AES Symmetric key algorithm encoded and then will be sent to welcome page where the Query String values will be first deciphered and then decrypted using AES Algorithm again using the Symmetric key that was used for encryption earlier on the Login page.
As we know the hashing algorithm can be implemented either by Symmetric key or Asymmetric key. In Asymmetric key cryptography, two keys are employed for encryption and decryption but in this tutorial we are relying on Symmetric key where a single key is suffice for both ciphering and deciphering the sensitive data.
Generating Secure Key (Symmetric)
The symmetric key could be anything, just depends on developer discretion. Symmetric key algorithms are very effective for processing extensive amounts of data and less intensive than asymmetric encryption algorithms computationally. Hence, we hardcoded the Symmetric key as “ajaykumar007″ which perform both functions as following;
1
string password = "ajaykumar007";
It is recommended that the symmetric key must be strong with full of Alfa-numeric keys so that it is hard to assume. Because a simple combination of word is always consider to be a weak key and susceptible for dictionary attacks. Though, there are plenty of methods for generating secure key as such the following code generating symmetric key programmatically as.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
static String CreateKey(int numBytes)
    {
        RNGCryptoServiceProvider rnd = new RNGCryptoServiceProvider();
        byte[] b = new byte[numBytes];
 
        rnd.GetBytes(b);
        return BytesToHexString(b);
    }
 
static String BytesToHexString(byte[] bytes)
    {
        StringBuilder hexString = new StringBuilder(64);
 
        for (int counter = 0; counter < bytes.Length; counter++)
        {
            hexString.Append(String.Format("{0:X2}", bytes[counter]));
        }
        return hexString.ToString();
    }
We can also use that aforesaid code for generating asymmetric key programmatically but we move ahead with “ajaykumar007″.
Generating Salt
Salt typically, is random data that is used as a supplementary input to a one-way function that hashes a passphrase or sensitive data. Salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. The key purpose of salts is to protect against pre-computed rainbow table and dictionary attacks.
It is not mandatory to keep salt value to be secret. An attacker never ever assumes in advance what the salt will be, so they can’t rainbow table or pre-compute lookup table because a salt value is generated at random and each timehashes value would be different. Generally, we created salt random values by employing the subsequent code as;
1
2
3
4
5
6
7
8
9
10
private static string CreateSalt(int size)
    {
        //Generate a cryptic random number.
        RNGCryptoServiceProvider rnd = new RNGCryptoServiceProvider();
        byte[] b = new byte[size];
        rnd.GetBytes(b);
 
        // Return a Base64 string representation of the random number.
        return Convert.ToBase64String(b);
    }
Although, the aforesaid code could be best fit-in while generating raw salt value but it is bit complicated. Hence, we can generate random salt values by ASCII Convertor too. The salt value could be anything as we explained earlier. So, just put any value in the plain-text box for example “keyencrypt” and convert it into hexadecimal format. Simple, we have generated the salt value which will be merged with secret to encrypt the plain text as following;
As we can observe from the aforesaid figure, the salt value is in hex form, now prefix the 0X to each hex byte and place them into a sequence and finally assign this value to an Array of Byte data type which would referenced in theRfc2898DeriveBytes later with the secret key. Just remember one thing; the salt value must be same during both encryption and decryption.
1
2
byte[] salt = new byte[]
           { 0x6B, 0x65, 0x79, 0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74 };
Hashing Algorithm
We shall encrypt the Query String parameters by employing AES (Advanced Encryption Standard) algorithm, which is a variant of Rijandael algorithm and of course, provide virtuous security and performance. AES reduce the amount of parameters you have to configure, and allows you to work at a very high level of abstraction. The AES algorithm is a symmetric-key block cipher that can use keys of 128, 192, and 256 bits, and encrypts and decrypts data in blocks of 128 bits. The following image depicting the entire life cycle of encrypting the Query string as well as decrypting at the receiving site as following;
Ok now, we have all ingredients for hashing like, query string, secret key and salt value. In the Encrypt() method, the key derivation method Rfc2898DeriveBytes in AES implementation, repeatedly hash the password along with a salt along with padding and block size configuration.
1
2
3
4
5
6
7
8
9
10
11
12
13
string password = "ajaykumar007";
..
using (Aes encryptor = Aes.Create())
{
    byte[] salt = new byte[]
           { 0x6B, 0x65, 0x79, 0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74 };
 
    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, salt);
    ..
    encryptor.Key = pdb.GetBytes(32);
    encryptor.IV = pdb.GetBytes(16);
    ..
}
Testing
Everything has been place in the Encrypt() method so far. Now, run the project and enter some login information over page along with enable the Secure Sign-in check box. As decided, the user would be redirected to Welcome.aspx page but notice the query string parameter value. They are encrypted and totally full-proof from hacking. For our convenience, we are also displaying the query string value (login data) over the welcome.aspx as following;
Query String Decryption
As you have seen in the previous figure, the query string are also displaying over the page in encrypted form and that form also providing the facility to decrypt these ciphered values. This section showcasing such mechanism by Decrypt() method which would be called while user click over Decrypt button. Here, we need two things; the key that is used to encrypt the query string parameters and the salt. Both of these must not be tempered otherwise, decryption won’t be happen.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
private string Decrypt(string cipherText)
    {
     string password = "ajaykumar007";
     byte[] cipherBytes = Convert.FromBase64String(cipherText);
     using (Aes encryptor = Aes.Create())
     {
 
       byte[] salt = new byte[]
           { 0x6B, 0x65, 0x79, 0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74 };
 
       Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, salt);
       encryptor.Key = pdb.GetBytes(32);
       encryptor.IV = pdb.GetBytes(16);
 
       using (MemoryStream ms = new MemoryStream())
         {
               ..
         }
     }
    ..
}
This time click over the Decrypt button and web page would display the deciphered value that is entered over the login form and passed through query string as following;

Disclaimer

This paper is demonstrating the generation of a persistent a symmetric key using the AES algorithm in order to encrypt and decrypt a sensitive URL data. These code samples are provided for practical purpose only and incomplete. You may need to modify the code to make it more efficient in a real-life application.
Final word
In this article, we have pinpointed the crucial vulnerability in query string parameter where the data is travelled across the network in clear text and susceptible to MITM attack. We have showcased the encryption and decryption of sensitive URL data using symmetric key encryption through the use of AES algorithm.

No comments:

Post a Comment