private bool ValidateIncomingVariables(HttpRequest request)
{
bool isGenuine = false;
// Step 1 -Read the follwoing from the hidden values
//1 -Request Encrypted Session Key
//2- Request Encrypted Data
//3- Request IV
//4- Request Encrypted Data`s Hash
var requestEncryptedSessionKeyBytes = Convert.FromBase64String(Request.Form["hdEncryptedSessionKey"]);
var requestEncryptedDataBytes = Convert.FromBase64String(Request.Form["hdEncryptedData"]);
var requestIvBytes = Convert.FromBase64String(Request.Form["hdIv"]);
var requestHashedDataBytes = Convert.FromBase64String(Request.Form["hdHashedData"]);
// Step 2 -Decrypt the request session key using the receiver's private key.
var rsa = new RSAEncryption();
var requestDecryptedSessionKey = rsa.Decrypt(Server.MapPath("~/Keys/privatekey.xml"), requestEncryptedSessionKeyBytes);
// Step 3-Building the string from the incoming request's actual data
var actualData = Utils.BuildString(
Request.Form["ModifiedFirstVariable"],
Request.Form["ModifiedSecondVariable"],
Request.Form["ModifiedThirdVariable"],
Request.Form["ModifiedForthVariable"],
Request.Form["ModifiedFifthVariable"],
Request.Form["ModifiedSixthVariable"],
Request.Form["ModifiedSeventhVariable"],
Request.Form["ModifiedEighthVariable"]);
// Step 4-Encrypt the incoming request's actual data using the decrypted session key and the iv.
AESEncryption aes = new AESEncryption();
var actualEncryptedData = aes.Enrypt(Encoding.UTF8.GetBytes(actualData), requestDecryptedSessionKey, requestIvBytes);
var actualDataHash = HashGenerator.ComputeHmacSha256((actualEncryptedData), requestDecryptedSessionKey);
// Step 5-Compare the actual hash with received hash(from request)
var isActualDataHashMatch = Compare(requestHashedDataBytes, actualDataHash);
// Step 6-Calculate the hash for the encrypted data
var requestEncryptedDataHash = HashGenerator.ComputeHmacSha256((requestEncryptedDataBytes), requestDecryptedSessionKey);
var isRequestEncryptedDataHashMatch = Compare(actualDataHash, requestEncryptedDataHash);
if (isActualDataHashMatch && isRequestEncryptedDataHashMatch)
{
//Step 7 -Decrypt the data using the decrypted session key and the iv. - out of scope
//var decryptedDataBytes = aes.Decrypt(encryptedDataBytes, decryptedSessionKey, ivBytes);
//var plainData =Encoding.Default.GetString(decryptedDataBytes);
isGenuine = true;
}
return(isGenuine);
}
protected void Page_Load(object sender, EventArgs e)
{
Random rRandom;
rRandom = new Random();
// populate the variables
m_szFirstVariable = PopulateVariable(FirstVariableLabel, ModifiedFirstVariable, rRandom);
m_szSecondVariable = PopulateVariable(SecondVariableLabel, ModifiedSecondVariable, rRandom);
m_szThirdVariable = PopulateVariable(ThirdVariableLabel, ModifiedThirdVariable, rRandom);
m_szForthVariable = PopulateVariable(ForthVariableLabel, ModifiedForthVariable, rRandom);
m_szFifthVariable = PopulateVariable(FifthVariableLabel, ModifiedFifthVariable, rRandom);
m_szSixthVariable = PopulateVariable(SixthVariableLabel, ModifiedSixthVariable, rRandom);
m_szSeventhVariable = PopulateVariable(SeventhVariableLabel, ModifiedSeventhVariable, rRandom);
m_szEighthVariable = PopulateVariable(EighthVariableLabel, ModifiedEighthVariable, rRandom);
//-----------------------------------------------------------------------------------------------------------+
//Prep code was used to create the public and the private keys |
//var rsa = new RSAEncryption(); |
//rsa.AssignNewKey(Server.MapPath("~/Keys/publickey.xml"), Server.MapPath("~/Keys/privatekey.xml")); |
//-----------------------------------------------------------------------------------------------------------+
// Step 1 -Create 32 byte session key
var sessionKey = KeyGenerator.GenerateKey();
// Step 2 -Create 16 byte Initialisation Vector
var iv = KeyGenerator.GenerateKey(16);
// Step 3 -Encrypt the data using the session key and the IV.
var data = Utils.BuildString(m_szFirstVariable, m_szSecondVariable, m_szThirdVariable, m_szForthVariable, m_szFifthVariable, m_szSixthVariable, m_szSeventhVariable, m_szEighthVariable);
AESEncryption aes = new AESEncryption();
var encryptedData = aes.Enrypt(Encoding.UTF8.GetBytes(data), sessionKey, iv);
// Step 4 -Hash the encrypted data using the session key
byte[] hashedData = HashGenerator.ComputeHmacSha256(encryptedData, sessionKey);
// Step 5 -Encrypt the session Key using the receiver's public key(created and stored safely before, in real life scenario will two different servers).
RSAEncryption rsa = new RSAEncryption();
var encryptedSessionKey = rsa.Encrypt(Server.MapPath("~/Keys/publickey.xml"), sessionKey);
// Step 6 -Setting the values that will be stored in the hidden values.
hdEncryptedSessionKey.Value = Convert.ToBase64String(encryptedSessionKey);
hdEncryptedData.Value = Convert.ToBase64String(encryptedData);
hdIv.Value = Convert.ToBase64String(iv); // IV Doesn't need to be encrypted.
hdHashedData.Value = Convert.ToBase64String(hashedData);
}
