Openssl and ASP.NET Webapi

I am developing an internal application, but in one module I will need to transmit some sensitive data.

At first I thought about using SSL, but due to (non-technical) limitations I won't be able to, so I thought of using OpenSSL.

I even managed to make it work with the implementation below, but I don't know whether it is implemented correctly, so I would like someone to review it.

Model

public class SecurityModel
{
    public string Token { get; set; }
    public string PublicKey { get; set; }
}

public class EncryptedModel
{
    public string Token { get; set; }
    public string Encrypted { get; set; }
}

Controller

// usings required by the two controller methods below
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Text;

[HttpGet]
public SecurityModel GeneratePublicKey()
{
    var model = new SecurityModel();
    // A fresh 1024-bit key pair per request; only the public half leaves the server.
    using (var generator = new RSACryptoServiceProvider(1024))
    {
        try
        {
            var token = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
            var keys = generator.ExportParameters(true);   // true = include the private key
            var pemString = generator.GetPublicKeyAsPemString();

            // Keep the key pair under the token for 30 minutes of inactivity.
            MemoryCache.Default.Add(token, keys, new CacheItemPolicy
            {
                AbsoluteExpiration = ObjectCache.InfiniteAbsoluteExpiration,
                SlidingExpiration = TimeSpan.FromMinutes(30),
                Priority = CacheItemPriority.NotRemovable
            });

            model.Token = token;
            model.PublicKey = pemString;
        }
        finally
        {
            generator.PersistKeyInCsp = false;   // do not leave the key in the CSP key store
        }
    }
    return model;
}

[HttpPost]
public bool ReadSensitiveData(EncryptedModel model)
{
    // Unknown or expired token: Get returns null, and unboxing null to RSAParameters would throw.
    if (model == null || string.IsNullOrEmpty(model.Token))
    {
        return false;
    }
    var cached = MemoryCache.Default.Get(model.Token);
    if (cached == null)
    {
        return false;
    }

    using (var generator = new RSACryptoServiceProvider(1024))
    {
        try
        {
            generator.ImportParameters((RSAParameters)cached);

            var binary = Convert.FromBase64String(model.Encrypted);
            var decrypted = generator.Decrypt(binary, false);   // false = PKCS#1 v1.5 padding, which is what JSEncrypt produces
            var sensitive = Encoding.UTF8.GetString(decrypted);

            return sensitive == "Sensitive Data";
        }
        finally
        {
            generator.PersistKeyInCsp = false;
        }
    }
}

The extension method RSAUtils.GetPublicKeyAsPemString(this RSACryptoServiceProvider csp) basically returns the public key in the format expected by the JavaScript library. Something like:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlOJu6TyygqxfWT7eLtGDwajtN
FOb9I5XRb6khyfD1Yt3YiCgQWMNW649887VGJiGr/L5i2osbl8C9+WJTeucF+S76
xFxdU6jE0NQ+Z+zEdhUTooNRaY5nZiu5PgDB0ED/ZKBUSLKL7eibMxZtMlUDHjm4
gwQco1KRMDSmXSMkDwIDAQAB
-----END PUBLIC KEY-----

Now my scripts:

Dependencies

JSEncrypt: A Javascript library to perform OpenSSL RSA Encryption, Decryption, and Key Generation

Scripts

var encrypt = new JSEncrypt();
var token = "";

// Step 1: fetch a fresh token and public key from the server.
var generatePublicKey = function () {
    var httpRequest = new XMLHttpRequest();
    httpRequest.open('GET', '/api/Security/', true);
    httpRequest.responseType = "json";
    httpRequest.addEventListener("readystatechange", function (event) {
        if (httpRequest.readyState === 4 && httpRequest.status === 200) {
            token = httpRequest.response.Token;
            encrypt.setPublicKey(httpRequest.response.PublicKey);
            sendSensitiveData();
        }
    });
    httpRequest.send();
};

// Step 2: encrypt with that public key and post the ciphertext together with the token.
var sendSensitiveData = function () {
    var sensitive = "Sensitive Data";
    var encrypted = encrypt.encrypt(sensitive);   // base64 RSA PKCS#1 v1.5 ciphertext

    var httpRequest = new XMLHttpRequest();
    httpRequest.open('POST', '/api/Security/', true);
    httpRequest.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
    httpRequest.addEventListener("readystatechange", function (event) {
        if (httpRequest.readyState === 4) {
            console.log(httpRequest);
        }
    });
    httpRequest.send(JSON.stringify({ Token: token, Encrypted: encrypted }));
};

generatePublicKey();

  • Did you manage to solve the problem?

  • @Denercavalho it wasn't really a problem; the algorithm above is working. My question was whether it was well implemented or if there was a better way to do it.

  • @Tobymosque do you still have doubts about the implementation?

  • @durtto, the implementation above is working, but I still think it could be improved; if you have something to add, I will be very grateful.

1 answer

Man, the solution is not 100% safe, but it already has some protections; the ideal is to convince them to use SSL (it is possible to obtain valid certificates at very affordable prices).

But about your case: against a sniffer attack I believe you're protected, but against a more elaborate attack, no... Do a test: enable Fiddler to decrypt SSL, but without installing the certificate. Like, go to step three of the link below: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/FirefoxHTTPS

When accessing any https site, modern browsers will open a page warning that there is something wrong with the certificate. I believe that on your site this will not occur (if you test it, tell us what happened). At first I imagine that the data may appear encrypted in Fiddler, but if there was no alert, it means that any program could be in place of Fiddler altering the data sent and received, making a bridge between the client and the server, and thus obtaining the encrypted data. It is true that it is a more complex attack, but you will be exposed; depending on the criticality of the data, I would not risk it.
