I am trying to encrypt an email body to be stored in a database, both to prevent an unauthorized person from reading it and to avoid SQL injection attacks.
1- What do you think about encrypting the email?
2- Why does it not work? I want to learn how to encrypt a text anyway.
```csharp
SymmetricAlgorithm symAlgo = SymmetricAlgorithm.Create();
// I will not use the default keys, although I think they are random enough.
symAlgo.GenerateKey();
symAlgo.GenerateIV();
byte[] key = symAlgo.Key;
byte[] iv = symAlgo.Key;
ICryptoTransform crypto = symAlgo.CreateEncryptor();
byte[] block = UtilityMA.StringUtil.ConvertUTF16StringToByteArray(HTMLBody);
byte[] cipherText = new byte[block.Length + 32];
crypto.TransformBlock(block, 0, block.Length, cipherText, 0);
symAlgo.Clear();
crypto.Dispose();
```
`crypto.TransformBlock` fires an exception:

```
System.ArgumentException was unhandled by user code
Message="Value was invalid."
Source="mscorlib"
StackTrace:
at System.Security.Cryptography.RijndaelManagedTransform.TransformBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[] outputBuffer, Int32 outputOffset)
at Demo.BLL.Contact.History.SendEmail(String HTMLBody, Int32 Record_Id) in C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\BLL\BLL\Contact\History.cs:line 35
at _Default.BtnSend_Click(Object sender, EventArgs e) in c:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\Demos\ContactDemo\Contact.aspx.cs:line 46
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
InnerException:
```
Best Answer
1) Encrypting is fine, but where will you store the key? It's only protection if the key is somewhere safer than the data. Yes, it does add a layer of protection against SQL Injection, but you should be eliminating SQL Injection possibilities by using parameterized statements.
2) It may be failing because SymmetricAlgorithm is an abstract base class, and you need to instantiate a concrete class like RijndaelManaged.Create();
Also, you should probably be using TransformFinalBlock() instead of TransformBlock(), and Encoding.UTF8.GetBytes() instead of UtilityMA.StringUtil.ConvertUTF16StringToByteArray().
Here's an article on how to encrypt/decrypt: http://www.sharpdeveloper.net/content/archive/2007/06/27/encryption-for-dummies-in-net.aspx
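The following is an added example, written for this page and not taken from the answer above or from the linked article, showing the three points the answer makes in working code: a concrete AES instance instead of the abstract `SymmetricAlgorithm`, `Encoding.UTF8.GetBytes()` for the input, and `TransformFinalBlock()` so the last partial block is padded rather than rejected. It also keeps the IV separate from the key (the question's code assigns `symAlgo.Key` to both) and stores the ciphertext with a parameterized `INSERT`. The key is generated inline only so the sample runs stand-alone; the `LoadKeyFromSecretStore` name, the `EmailArchive` table and its columns are assumptions for illustration, not anything from the original post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example: AES-CBC encryption of an email body for storage, with the
// IV prepended to the ciphertext so it can be stored in the same column.
public static class EmailBodyCrypto
{
    // Returns IV || ciphertext. The IV is not secret and may be stored with the data;
    // the key must live somewhere safer than the database (DPAPI, a key vault, etc.).
    public static byte[] Encrypt(string plaintext, byte[] key)
    {
        using (Aes aes = Aes.Create())          // concrete implementation, not the abstract base
        {
            aes.Key = key;
            aes.GenerateIV();                   // fresh random IV per message; never reuse Key as IV
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;    // padding lets input of any length be encrypted

            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                // TransformFinalBlock accepts any input length; TransformBlock requires
                // a whole number of blocks, which is why the question's code threw.
                byte[] cipher = enc.TransformFinalBlock(input, 0, input.Length);
                byte[] output = new byte[aes.IV.Length + cipher.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
                return output;
            }
        }
    }

    public static string Decrypt(byte[] ivAndCipher, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            byte[] iv = new byte[aes.BlockSize / 8];
            if (ivAndCipher.Length < iv.Length)
                throw new ArgumentException("Stored value is too short to contain an IV.");
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, iv.Length);
            aes.IV = iv;

            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(ivAndCipher, iv.Length, ivAndCipher.Length - iv.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    // Parameterized INSERT: the ciphertext is bound as a VARBINARY parameter, never
    // concatenated into SQL text, so injection is prevented by the statement itself,
    // not by the encryption. Table and column names are assumptions for this example.
    public static void StoreEncryptedBody(SqlConnection conn, int recordId, byte[] ivAndCipher)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT INTO EmailArchive (RecordId, BodyCipher) VALUES (@RecordId, @Body)";
            cmd.Parameters.Add("@RecordId", SqlDbType.Int).Value = recordId;
            cmd.Parameters.Add("@Body", SqlDbType.VarBinary, -1).Value = ivAndCipher;
            cmd.ExecuteNonQuery();
        }
    }

    // Placeholder for a real secret store; here it just generates a key so the sample runs.
    private static byte[] LoadKeyFromSecretStore()
    {
        using (Aes aes = Aes.Create()) { aes.GenerateKey(); return aes.Key; }
    }

    public static void Main()
    {
        byte[] key = LoadKeyFromSecretStore();
        string body = "<p>Hello, this is a constructed sample email body.</p>";   // constructed input

        byte[] stored = Encrypt(body, key);
        string roundTrip = Decrypt(stored, key);
        Console.WriteLine(roundTrip == body ? "round-trip OK" : "round-trip FAILED");
    }
}
```

`Aes.Create()` returns a concrete `AesCryptoServiceProvider`/`AesManaged` depending on platform and is available from .NET 3.5 (System.Core), so it fits the Visual Studio 2008 project in the trace. The decryptor needs exactly the IV that was used for encryption, which is why it is prepended to the stored value; only the key is secret. Note that AES-CBC on its own gives confidentiality but not integrity: if a tampered row must be detected rather than silently decrypted to garbage, add an HMAC over `IV || ciphertext` under a separate key and verify it before calling `Decrypt`.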