//---------------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Encrypt a string into a string using a password
/// Uses Encrypt(byte[], byte[], byte[])
/// </summary>
protected static StringBuilder Encrypt(StringBuilder clearText, string randomPaddingSalt, string randomAlgSaltStr, int numIterations, SecureString cryptKey)
{
// First we need to turn the input string into a byte array.
// 5-Jul-15 - by adding a random padding of 4 chars at the start, we ensure that a password of "Hello World" will not be
// the same twice when encrypted
byte[] clearBytes = System.Text.Encoding.Unicode.GetBytes(randomPaddingSalt + clearText);
// Turn the password into Key and IV. We are using salt to make it harder to guess our key
// using a dictionary attack - trying to guess a password by enumerating all possible words.
// and generate a password specific salt that we will append to the end of the string ...
byte[] randomAlgSalt = System.Text.Encoding.Unicode.GetBytes(randomAlgSaltStr);
// 5-Jul-15 - use the Rfc2898DeriveBytes instead of the obsolete PasswordDeriveBytes
Rfc2898DeriveBytes db = new Rfc2898DeriveBytes(SecureStringWrapper.Decrypt(cryptKey).ToString(), randomAlgSalt, numIterations);
// Now do the two way encryption of this data ...
byte[] encryptedData = Encrypt(clearBytes, db.GetBytes(32), db.GetBytes(16));
// Now we need to turn the resulting byte array into a string. A common mistake would be to use an Encoding class for that.
// It does not work because not all byte values can be represented by characters.
// We are going to be using Base64 encoding that is designed exactly for what we are trying to do.
StringBuilder base64Str = new StringBuilder(Convert.ToBase64String(encryptedData));
// And when we return the string we will add on our salts and the number of hash iterations to the end of the string ...
base64Str.Append(":");
base64Str.Append(randomPaddingSalt);
base64Str.Append(":");
base64Str.Append(randomAlgSaltStr);
base64Str.Append(":");
base64Str.Append(numIterations);
//base64Str = base64Str + ":" + randomPaddingSalt + ":" + randomAlgSaltStr + ":" + numIterations;
return(base64Str);
}
//-----------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Added 12-10-2015 to support the secure string wrappers ....
/// </summary>
public static SecureString SQL_INJECTION_CHECK_PARAMETER(bool doStrictTest, SecureString paramText, bool ignoreQuotes)
{
return(SecureStringWrapper.Encrypt(
SQL_INJECTION_CHECK_PARAMETER(doStrictTest, SecureStringWrapper.Decrypt(paramText).ToString(), ignoreQuotes)
));
}
//---------------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Decrypt a string into a string using the given cryptographic key
/// Uses Decrypt(byte[], byte[], byte[])
/// </summary>
public static StringBuilder Decrypt(StringBuilder encryptedStr, SecureString cryptKey)
{
StringBuilder decryptedStr = null;
try {
// get the attributes from the encrypted string
// 12-10-2015 - unfortunately, at some point we do have to convert this back to a string - and this is where!
string[] bits = encryptedStr.ToString().Split(new string[] { ":" }, StringSplitOptions.None);
// parse the numberOfIterations
int numIterations = 0;
int.TryParse(bits[3], out numIterations);
// and convert our random alg salt to binary ...
byte[] randomAlgSalt = System.Text.Encoding.Unicode.GetBytes(bits[2]);
// Get the hash of the cryptoKey
Rfc2898DeriveBytes db = new Rfc2898DeriveBytes(SecureStringWrapper.Decrypt(cryptKey).ToString(), randomAlgSalt, numIterations);
// convert the base64 string to binary
byte[] encryptedData = Convert.FromBase64String(bits[0]);
// Now do the two way decryption of this data ...
byte[] decryptedData = Decrypt(encryptedData, db.GetBytes(32), db.GetBytes(16));
// convert the decrypted data to a string
decryptedStr = new StringBuilder(System.Text.Encoding.Unicode.GetString(decryptedData));
// And finally, lets chop our padding of the front .... originally SubString( bits[ 1 ].length )
decryptedStr = decryptedStr.Remove(0, bits[1].Length);
} catch (Exception ex) {
// Lets catch the null encrypted string provided!
StringBuilder temp = new StringBuilder();
if (encryptedStr != null && encryptedStr.Length > 0)
{
temp.Append(encryptedStr);
}
else
{
temp.Append("Null or empty encrypted string provided");
}
Logger.LogError(9, "MGLEncryption - error occurred while decrypting the given string - stacktrace: " + ex.StackTrace
+ " and the encrypted string provided was: " + temp + " and specific exception: " + ex.ToString());
}
return(decryptedStr);
}
//---------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Compares the two secure strings and returns true if they are equivalent textually, both null or both empty
/// if isCaseSensitive == true, we also compare the case sensitivity of the information - but this needs a string comparison
/// so will result in strings popping into memory and is probably a little bit slower ...
/// </summary>
public static bool AreEqual(SecureString ss1, SecureString ss2, bool isCaseSensitive)
{
return(MGLEncryption.AreEqual(SecureStringWrapper.Decrypt(ss1), SecureStringWrapper.Decrypt(ss2), isCaseSensitive));
}
//-------------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Looks up the specific value from the static lists in KeyInfo ...
/// </summary>
public static bool LookupGenericListItemList(SecureString name, out int id, List <KeyValuePair <int, string> > genericIntStringList, bool logErrorOnMissingValues)
{
id = 0;
return(LookupGenericListItemList(SecureStringWrapper.Decrypt(name).ToString(), out id, genericIntStringList, logErrorOnMissingValues));
}
//---------------------------------------------------------------------------------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// Encrypts the given string
/// </summary>
public static StringBuilder EncryptPassword(SecureString password)
{
return(EncryptPassword(SecureStringWrapper.Decrypt(password)));
}
