Mon 15 Mar 2010

This post was posted by Vladimir Kuzin on 15th Oct 2009. It is reposted here for quick reference.

A few weeks ago I was working on a project which required data to be encrypted using C# and then decrypted using JavaScript. In my case JavaScript was an internal scripting language, which wasn’t exposed to the public, so I didn’t have to worry about people accessing encryption keys. The project objective was to encode a parameter in the URL, preventing users from substituting it with sequential numbers.


At first I decided to use a symmetric algorithm and looked online for available JavaScript libraries. In my search I found a few AES libraries to choose from. After further analysis it was determined that most people had good luck with slowAES, and I attempted to implement it. After spending some time I was unable to decrypt any data encoded with the RijndaelManaged class in C#. Since I had to find a solution fast, I moved on.

Next I decided to try an asymmetric encryption algorithm, and after quick research I went with RSA. After downloading the most popular RSA library for JavaScript I ran into several issues with its implementation. I was able to use C# to decode everything that was encoded in JavaScript, but it didn’t work when data was flowing in the opposite direction. After looking into the issue it appeared that the JavaScript library was missing padding; however, using a patched version of the library didn’t help.


Due to lack of time I decided to use a simpler encryption algorithm and went with RC4. After downloading an RC4 JavaScript library I got it to work within minutes. Since there is no such thing as an RC4 cryptographic provider in the Security.Cryptography namespace, I had to use an open source RC4 library.

After encrypting the data I also converted it to hex (base 16) in the same way as it was done on the JavaScript RC4 demo page.

Encrypting the URL parameter with RC4 didn’t completely meet the objective, since it still was possible for users to use sequential numbers. Take a look at the example of encrypted data below:

Input    Output
10001    49845da1c0
10002    49845da1c3

Notice that only the last digit of the encrypted data has changed, therefore substituting it with sequential numbers will cause an issue. To solve this I added random prefix and suffix blocks to the data before encrypting. Prefix and suffix blocks consisted of random letters and were anywhere between 10 and 25 characters in length. Now the data looked like this:

32e523ddb00fbf2465002bc1b4251dd12876677d47d6a 6a3101a68517dfb6a86fa525139300d65225e365a38

The encrypted value changes every time, since it’s generated from new random data. After transferring and decrypting this data on the JavaScript side I split the string by semicolon to get the actual parameter value.

I am sure there are different and possibly better solutions somewhere out there, but this one worked for my client and was implemented within a small project budget.
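The behaviour described above, as an added example that is not the author's code or either RC4 library mentioned in the post: it shows why a fixed RC4 key maps 10001 and 10002 to values differing only in the last digit, and how random padding changes the output on each call. The key, the helper names and the exact `prefix;value;suffix` layout are assumptions.

```javascript
// Added example: KEY, helper names and the prefix;value;suffix layout are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Plain RC4: key scheduling, then XOR each data byte with the keystream.
function rc4(keyBytes, dataBytes) {
  const S = Array.from({ length: 256 }, (_, n) => n);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
  }
  let i = 0, j = 0;
  return dataBytes.map((b) => {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
    return b ^ S[(S[i] + S[j]) & 255];
  });
}

const toBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));
const toHex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => hex.match(/../g).map((h) => parseInt(h, 16));
const xorBytes = (a, b) => a.map((x, k) => x ^ b[k]);
const encryptHex = (key, text) => toHex(rc4(toBytes(key), toBytes(text)));
const decryptHex = (key, hex) => String.fromCharCode(...rc4(toBytes(key), fromHex(hex)));

// 10 to 25 random lowercase letters, as in the post; letters never contain ';'.
function randomLetters() {
  const len = 10 + (rng.getRandomValues(new Uint8Array(1))[0] & 15);
  let out = '';
  while (out.length < len) {
    const b = rng.getRandomValues(new Uint8Array(1))[0];
    if (b < 234) out += String.fromCharCode(97 + (b % 26)); // reject 234..255 to avoid bias
  }
  return out;
}

// Pad, encrypt, hex-encode; the receiver decrypts and splits on ';'.
const protect = (key, value) => encryptHex(key, `${randomLetters()};${value};${randomLetters()}`);
const recover = (key, hex) => decryptHex(key, hex).split(';')[1];

const KEY = 'constructed-demo-key'; // constructed sample key, not the author's
console.log(encryptHex(KEY, '10001'), encryptHex(KEY, '10002')); // differ in last byte only
console.log(protect(KEY, '10001'), protect(KEY, '10001'));       // differ on every call
console.log(recover(KEY, protect(KEY, '10001')));
```

The same keystream is reused for every value, so the XOR of two outputs equals the XOR of their inputs; the two values in the post's table XOR to `0000000003`, exactly the difference between "10001" and "10002". The padding hides that relationship but adds no integrity check, so the receiver cannot tell a modified value from a genuine one.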

This post is from the original post @




3/17/2010 | sajid  Sweden
Nice post, but I was curious about the performance when you are adding a random prefix and suffix to your data.
3/17/2010 | sd  United States
3/18/2010 | fsl  U.A.E.
It depends on the length of the random data being pre/suffixed to the data. The random data would be any random number between 1 and 100 or 3 to 5 random alphanumeric characters. As it's being done via JavaScript in the client browser itself, it would not cause any performance degradation. Also, adding random data would be beneficial if the data itself is not random.
