Openssl and ASP.NET Webapi

Question

Openssl and ASP.NET Webapi

Asked 8 years, 1 month ago

Viewed 350 times

25

I am developing an internal application, but in a certain module I will need to travel a certain sensitive data.

A priori I thought about using SSL, but due to limitations (non-technical) I won’t be able to do it, so I thought to use Openssl.

I even managed to make it work using the implementation below, but I do not know if it is implemented correctly, so I would like someone to review it.

Model

public class SecurityModel
{
    public string Token { get; set; }
    public string PublicKey { get; set; }
}

public class EncryptedModel
{
    public string Token { get; set; }
    public string Encrypted { get; set; }
}

Controller

[HttpGet]
public async Task<SecurityModel> GeneratePublicKey()
{
    var model = new SecurityModel();
    using (var generator = new RSACryptoServiceProvider(1024))
    {
        try
        {
            var token = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
            var keys = generator.ExportParameters(true);
            var pemString = generator.GetPublicKeyAsPemString();

            MemoryCache.Default.Add(token, keys, new CacheItemPolicy
            {
                AbsoluteExpiration = ObjectCache.InfiniteAbsoluteExpiration,
                SlidingExpiration = TimeSpan.FromMinutes(30),
                Priority = CacheItemPriority.NotRemovable
            });

            model.Token = token;
            model.PublicKey = pemString;
        }
        finally
        {
            generator.PersistKeyInCsp = false;
        }
    }
    return model;
}

[HttpPost]
public async Task<bool> ReadSensitiveData(EncryptedModel model)
{
    using (var generator = new RSACryptoServiceProvider(1024))
    {
        try
        {
            var keys = (RSAParameters)MemoryCache.Default.Get(model.Token);
            generator.ImportParameters(keys);

            var binary = Convert.FromBase64String(model.Encrypted);
            var decrypted = generator.Decrypt(binary, false);
            var sensitive = Encoding.UTF8.GetString(decrypted);

            return sensitive == "Sensitive Data";
        }
        finally
        {
            generator.PersistKeyInCsp = false;
        }
    }
    return false;
}

The extent RSAUtils.GetPublicKeyAsPemString(this RSACryptoServiceProvider csp) basically returns the public key in the format expected in Javascript. Something similar to:

Now follow my scripts:

Departments

A Javascript library to perform OpenSSL RSA Encryption, Decryption, and Key Generation

Scripts

var encrypt = new JSEncrypt();
var token = "";
var generatePublicKey = function () {
    var httpRequest = new XMLHttpRequest();
    httpRequest.open('GET', '/api/Security/', true);
    httpRequest.responseType = "json";
    httpRequest.addEventListener("readystatechange", function (event) {
        if (httpRequest.readyState == 4) {
            token = httpRequest.response.Token;
            encrypt.setPublicKey(httpRequest.response.PublicKey);
            sendSensitiveData();
        }
    });
    httpRequest.send();
}

var sendSensitiveData = function () {
    var sensitive = "Sensitive Data";
    var encrypted = encrypt.encrypt(sensitive);

    var httpRequest = new XMLHttpRequest();
    httpRequest.open('POST', '/api/Security/', true);
    httpRequest.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
    httpRequest.addEventListener("readystatechange", function (event) {
        if (httpRequest.readyState == 4) {
            console.log(httpRequest);
        }
    });
    httpRequest.send(JSON.stringify({ Token: token, Encrypted: encrypted }));
}

generatePublicKey();

Managed to solve the problem?

– gato

2016/08/02 at 15:29
@Denercavalho wasn’t really a problem, the above algorithm is working, my question was whether it was well implemented or if there was a better way to do it.

– Tobias Mesquita

2016/08/02 at 15:39
@Tobymosque you still have doubt about the implementation?

– durtto

2016/09/26 at 11:16
@durtto, the above implementation is working, but I still think it could improve, if you have something to add, I will be very grateful.

– Tobias Mesquita

2016/09/26 at 11:41

1 answer

Browser other questions tagged javascript c# asp.net-web-api openssl code-review

You are not signed in. Login or sign up in order to post.

by TioRAC • **464** points · Answer 1 · 2016-12-21T16:14:43+00:00

Man, the solution is not 100% safe, but it already has some protections, the ideal is to convince the use of SSL. (it is possible to obtain certificates valid at very affordable prices).

But about your case, in a Sniffer attack I believe you’re protected, but the attack is more elaborate, not... Do a test, activate Fiddler to decrypt SSL, but without installing the certificate. Type, go to step three of the link below: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/FirefoxHTTPS

When accessing any https site, modern browsers will open a page warning that there is something wrong with certificate, I believe that on your site this will not occur (if you test us what happened), at first I imagine that the data may be encrypted in Fiddler, but if there was no alert, it means that any program could be in place of Fiddler alternating the data of sending and receiving, making a bridge between the client and the server, and thus obtaining the encrypted data. It is true that it is a more complex attack, but it will be exposed, depending on the criticality of the data, I would not risk.