Sensitive Data Exposure And Its Securing Techniques

Many Web Applications do not properly protect the sensitive data such as password, credit card number, Email Id and mobile number etc. The attackers may steal or modify such weakly-protected data in many ways.

Scenarios to Avoid Exposure of Sensitive Data

There are mainly  two techniques required to avoid  exposure of sensitive data,

1. Hashing.
2. Encryption

Hashing

Hashing is the process of generating a unique string in an encrypted format for the given input.The best hashing algorithms are designed so that it’s impossible for the hacker to convert the hashed string into the original string.

Popular Algorithms

1. MD5 (Message Digest 5 algorithm)
2. SHA (Secure Hash algorithm)

MD5

MD5 is the most widely known hash function. It produces a 16 byte hash value, usually expressed as a 32 digit hexadecimal number.

The screenshot, given below, explains the procedure of hashing, using MD5.



The code, given below, decrypts the hashed text:



From the above screenshots, we observe

MD5CryptoServiceProvider: is used to compute the Hash and create a valid TripleDES private key.

TripleDESCryptoServiceProvider

It accepts the initialization vector and the private key.

TripleDES, as its name itself show,  increases the encryption strength by applying the DES encryption algorithm to the data three times, before rendering to a result. As shown in the image, given below, the string or number is encrypting and decrypting three times:

By creating an object of TripleDescryptoserviceprovider, we have few properties. We can say mode, padding etc...

We have a few Cipher Modes (Encrypted modes).They are,

• CBC (Cypher Block chaining)
• ECB (Electronic Codebook)
• CFB (Cipher feedback)
• CTS (Cypher text stealing)
• OFB (Output Feedback)

CipherMode.ECB

The Electronic Codebook (ECB) mode is the simplest mode among the available encryption modes.The message is divided into the blocks and each block is encrypted separately.


Advantages of using ECB: ECB supports Encryption parallelizable and Decryption parallelizable.

Disadvantages of using ECB

Identical plaintext blocks are encrypted into the identical cipher text blocks. Thus, it doesn't get out of sight data patterns. To some extent, it doesn't provide the serious message confidentiality.

CipherMode.CBC

In CBC mode, each block of the plaintext depends on the previous cipher text block, before being encrypted. As shown below in the screenshot, each cipher text block relies on all plaintext blocks, processed until that point of time. To make each message unique, in the first block, an initialization vector must be used.

Initialization Vector(IV)

It is an arbitrary number, that can be used along with a secret key for the data encryption.

The use of IV prevents a repetition in the data encryption and it makes it more difficult for the hacker to break a cipher.

Disadvantages of using CBC

CBC does not support parallelizable encryption .

CipherMode.OFB

The Output Feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates the keystream blocks, which will be XORed with the plaintext blocks to produce the cipher text.

Stream cipher

It is a mechanism of encrypting the text to produce a cipher text, in which a cryptographic key and algorithm are applied to each and every binary digit in a data stream, one bit at a time.



Disadvantages of using OFB

Each output block cipher operation depends on all the previous blocks and that is why, it cannot be performed in parallel.

OFB does not support Encryption Parallelism and Decryption parallelism.

CipherMode.CFB

The Cipher Feedback (CFB) mode is a close relative of CBC and makes a block cipher into a self-synchronizing stream cipher. This operation is very similar to CBC and CFB decryption is almost identical to CBC encryption, performed in reverse.



Advantages of using CFB

CFB shares two advantages over CBC mode:

1. The block cipher is only used in the encrypting direction.
2. The message does not need to be padded to a multiple of the cipher block size.

CipherMode.CTS

This mode handles any length of the plain text and produces cipher text, whose length equals the plain text length. This mode behaves in the same way as CBC mode behaves.

Padding

The screenshot, given below, explains the different padding modes, available in TDESAlgorithm.


PaddingMode.ANSIX923

In ANSIX923, zeros are filled for the bytes with padded and the last byte defines the padding boundaries or the number of padded bytes.



PaddingMode.ISO10126

Specifies that the padding should be done at the end of the last block with the random bytes and the last byte should specify the padding boundary.



PaddingMode.PKCS7

Padding is in whole bytes. The value of each added byte is the number of bytes, that are added.This padding method (as well as the previous two) is well-defined, if and only if, N is less than 256.



PaddingMode.Zeroes

All the bytes that are required to be padded are padded with zero. The zero padding scheme has not been standardized for the encryption, although it is specified for the hashes and MACs



ICryptoTransform

The ICryptoTransform defines the basic operations of the cryptographic transformations.

TransformFinalBlock

This method transforms the input byte array into an encrypted byte array by applying the private key and the initialization vector.This is finally converted into a Base64String and returns the encrypted string to the calling method.

Here, we finally got both Hashed and Decrypted format, as shown below:



While decrypting the contact number, we are exposing only the last three letters for the contact number under "Masked Contact" field.

Performance and Security Comparison of MD5 and SHA1

Encryption

Encryption is a mechanism, which converts the data into a series of unreadable characters and that are not of a fixed length. The main difference between hashing and encryption is; if you have the right key then the encrypted strings can be converted back into their original decrypted form.

There are two primary types of encryption. They are:

1. Symmetric Key encryption
2. Asymmetric Key encryption

Symmetric key Encryption

In this encryption mechanism, the sender and receiver of a message share a single and a common key, which is used to encrypt and decrypt the message. Symmetric-key cryptography is also called as the secret-key cryptography.

In Symmetric Key Encryption, we have two Algorithms:

1. AES (Advanced Encryption Standard)
2. PGP (Pretty Good Privacy)

AES: Advanced Encryption Standard is also known as Rijndael.



Asymmetric Key encryption

In this Cryptography, the two keys are present; Public key and Private key. Public key is used to encrypt the input string and a Private Key is used to decrypt the input string. Symmetric cryptography is also known as a public key cryptography.


Differences between MD5 and AES

MD5 is a hashing algorithm and it is similar to CRC checksum algorithm. Here, the data is not encrypted. It is hashed and thus, it is difficult to be unrecoverable. It is in fact, fast to compute.

Encryption algorithm is a 2-way system. The data can be encrypted and decrypted with a key, which is valid. They usually involve more loops and shifting then checksum algorithms, which makes it slower.

Choosing between MD5 or AES will depend on your needs and requirements. Keep in mind, that MD5 is not secure anymore and should not be used. Prefer SHA-256 instead.

Encrypt and Decrypt using AES Algorithm

How can you encrypt, store Username and Password in SQL Server Database Table, retrieve, decrypt and display it in ASP.NET Application? The username and password will be first encrypted, using AES symmetric key algorithm and then will be stored in the database. While fetching, it will again be decrypted, using AES algorithm, using the same key which we used for the encryption.

Thus, for this, we have created a new database MyDatabase, which contains one table named "InsertTable" with the following schema:

Create table InsertTable(UserName nvarchar(50),Passwords nvarchar(50)

If you observe the above table creation schema i.e. for storing the password column, I have used NVARCHAR data type and the reason is that for password column, when we apply an encryption, it may contain special characters and hence, it is recommended to use NVARCHAR instead of VARCHAR data type. The .ASPX page contains the username, password textbox controls and a GridView control to display the saved username and password, as shown below:



AES Algorithm Encryption and Decryption user definedmethods

The functions, given below, are for the encryption and the decryption, which will be used for encrypting and decrypting the username and password.



When we click the Submit button, the following click event will be called; which inserts the entered username and Email Id into the "InsertTable" table. The username is inserted directly the table but the Email Id is first encrypted, using the encryption method and then it will be inserted into the table, as shown below:





In the Page Load event of the Webpage, the GridView control is populated with the records from the "InsertTable" table.

In the GridView OnRowDataBound event, password is retrieved from the GridView Cell and using Decrypt method, it will be decrypted , which is highlighted in Yellow color.





Encrypt and Decrypt QueryString Parameter values

The QueryString Parameter values will be first encrypted, using AES Symmetric key algorithm encoded (as the encrypted outcome may contain some special characters) and then will be sent to the next page. On the destination page, the QueryString Parameter values will be first decoded and then decrypted, using the AES Algorithm, using the same key which we used for the encryption.

The following ASPX page consists of a Dropdown List, Textbox and a Button. The value from the Textbox and the Dropdown lists will be encrypted and sent, using QueryString parameters to the next page on the click of a Submit button.



The following ASPX page consists of two Label controls, which will be used to display the QueryString parameter values, received on the page.



Apply Encryption for the QueryString Parameter Values

When the Web page button click event fires, the following event handler will be executed. Here, the values of the DropdownList and the Textbox are first encrypted, using the AESSymmetric Key Algorithm and then encoded, using the "UrlEncode" function of the HttpUtility class. At last, these values are sent as QueryString parameters to the next page, discussed earlier.

QueryString Parameter Values Decryption

In the Page Load event of the page, the values of the previous page's DropdownList and Textbox are first retrieved from the QueryString parameter values and are decoded, using the "UrlDecode" function of the HttpUtility class. After decoding the string value, using AES Symmetric Key Algorithm, decrypt the value and then the decrypted values will be displayed, using the label controls.



The final output looks, as shown below:



Look at the screenshot, given below, where the QueryString values are in the encrypted format and with the decrypted values in the page.