Obfuscate ASP.NET Strings

asp:HotTip

LANGUAGES: C#

TECHNOLOGIES: ViewState | Base64

Obfuscate ASP.NET Strings

Protect your string data from prying eyes.

By Ken McNamee

Have you ever wondered how and why the ASP.NET ViewStatelooks so garbled? Would you like to do the same to some of your strings? Youcan accomplish this easily by converting a normal string to Base64. Now, we'renot talking about encryption here. This tactic is meant only to keep the casualobserver from seeing a string's content. If you need rock-solid protection fromshadowy hacker types, you shouldn't even think about using this process;instead, check out the System.Security.Cryptography namespace, which has manyclasses to help you build a good encryption scheme.

The trick to obfuscating your string data is to use theEncoding class to convert the original string to a Byte array and pass thatarray to the Convert class's ToBase64String method. I use UTF-8 encoding here,but the .NET Framework supports other types of encoding, so you should ensureyou are using the right type. Here is the Base64Encode method:

string Base64Encode(string normalString, bool urlEncode)

{

  byte[]normalStringBytes=

          System.Text.Encoding.UTF8.GetBytes(normalString);

  string base64String =

          System.Convert.ToBase64String(normalStringBytes);

  if (urlEncode == true) {

    base64String =

          System.Web.HttpUtility.UrlEncode(base64String);

  }

  return base64String;

}

I also have added the option to UrlEncode the string onceit is converted to Base64 so you can use it as a QueryString parameter. TheBase64Encode method wouldn't be much use, however, if you were unable toreverse the process. Here is the Base64Decode method:

string Base64Decode(string base64String, bool urlDecode)

{

  if (urlDecode == true) {

    base64String =

          System.Web.HttpUtility.UrlDecode(base64String);

  }

  byte[]normalStringBytes=

          System.Convert.FromBase64String(base64String);

  string normalString =

          System.Text.Encoding.UTF8.GetString(normalStringBytes);

  return normalString;

}

This type of data obfuscation won't exactly violate theU.S. government's technology exportation restrictions, and it won't prevent thedetermined hacker from reversing the conversion and seeing your data. But you can use it to keep QueryString values inthe URL or prevent hidden form variables from being read easily.

Ken McNamee is a senior software engineer withRelayHealth Corp., the premier provider of secure, Web-based doctor-patientcommunication services. Prior to this, he led a team of developers inre-architecting the Home Shopping Network's e-commerce site, HSN.com, to 100percent ASP.NET with C#. E-mail him at mailto:[email protected].