MVC 3

I have just installed VS 2010 and MVC3.
I like the idea that abstraction layers now is part of the programming interface and that it is now possible to test your website using unit testing. Hurra for that... But.. and I think there is a big but.

I have just created a new web application using the MVC 3 template.
This template creates a small site with login/logout/register functionality out of the box. Very nice.

But what I dont fancy at all is the fact that there is a lot of late bound code (Code that is resolved at Runtime).

Examples on late bound code:
1. ViewBag.Title (Set in Views and used in _layout)
2. @Html.Partial("_LogOnPartial") used in _layout
3. @Html.ActionLink("Register", "Register") (I know this is not likely to change name but what if it does and you forget to change it just one place?)

All these issues results in runtime errors but could in the "good" old days have been caught by the compiler by doing following..

1. Using Page.Title or a extension method on Page
2. Using @Register and tag
3. This is pretty much the same but would not resolve in a runtime error but a "not found" page. I dont know which one is better

Am I the only one with this concern?

Asymmetric Encryption on Client and Server

In order to use SSL you need at dedicated server. This is not cost effective so the solution is to encrypt the stuff yourself.

This can be done but is not an easy job due to the fact that you need to find code that can encrypt and decrypt both on client and server.

You need this server class

 using System;  
 using System.Collections.Generic;  
 using System.Linq;  
 using System.Web;  
 using System.Security.Cryptography;  
 using System.IO;  
 public class Cryptography  
 {  
   public static RSACryptoServiceProvider rsa;  
   public static void AssignParameter()  
   {  
     const int PROVIDER_RSA_FULL = 1;  
     const string CONTAINER_NAME = "SpiderContainer";  
     CspParameters cspParams;  
     cspParams = new CspParameters(PROVIDER_RSA_FULL);  
     cspParams.KeyContainerName = CONTAINER_NAME;  
     cspParams.Flags = CspProviderFlags.UseMachineKeyStore;  
     cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";  
     rsa = new RSACryptoServiceProvider(cspParams);  
   }  
   public static string EncryptData(string data2Encrypt)  
   {  
     AssignParameter();  
     StreamReader reader = new StreamReader(System.Web.HttpContext.Current.Server.MapPath(@"App_Data\publickey.xml"));  
     string publicOnlyKeyXML = reader.ReadToEnd();  
     rsa.FromXmlString(publicOnlyKeyXML);  
     reader.Close();  
     //read plaintext, encrypt it to ciphertext  
     byte[] plainbytes = System.Text.Encoding.UTF8.GetBytes(data2Encrypt);  
     byte[] cipherbytes = rsa.Encrypt(plainbytes, false);  
     return Convert.ToBase64String(cipherbytes);  
   }  
   public static void AssignNewKey()  
   {  
     AssignParameter();  
     //provide public and private RSA params  
     StreamWriter writer = new StreamWriter(System.Web.HttpContext.Current.Server.MapPath(@"App_Data\privatekey.xml"));  
     string publicPrivateKeyXML = rsa.ToXmlString(true);  
     writer.Write(publicPrivateKeyXML);  
     writer.Close();  
     //provide public only RSA params  
     writer = new StreamWriter(System.Web.HttpContext.Current.Server.MapPath(@"App_Data\publickey.xml"));  
     string publicOnlyKeyXML = rsa.ToXmlString(false);  
     writer.Write(publicOnlyKeyXML);  
     writer.Close();  
   }  
   public static string DecryptData(string data2Decrypt)  
   {  
     if (data2Decrypt == null)  
       return null;  
     AssignParameter();  
     byte[] getpassword = Convert.FromBase64String(data2Decrypt);  
     StreamReader reader = new StreamReader(System.Web.HttpContext.Current.Server.MapPath(@"App_Data\privatekey.xml"));  
     string publicPrivateKeyXML = reader.ReadToEnd();  
     rsa.FromXmlString(publicPrivateKeyXML);  
     reader.Close();  
     //read ciphertext, decrypt it to plaintext  
     byte[] plain = rsa.Decrypt(getpassword, false);  
     return System.Text.Encoding.UTF8.GetString(plain).Replace(UniqueGuidForEncryption.ToString(), "");  
   }  
 }  

And you need this set of javascript files and a reference to them

http://www.e-keys.dk/js/RSA/jsbn.js
http://www.e-keys.dk/js/RSA/prng4.js
http://www.e-keys.dk/js/RSA/rng.js
http://www.e-keys.dk/js/RSA/rsa.js
http://www.e-keys.dk/js/RSA/base64.js

Add this code to the OnLoad

 if( !System.IO.File.Exists(Server.MapPath("App_Data/publickey.xml")) || Request.QueryString["newkey"] != null )  
   Cryptography.AssignNewKey();  

This will create the public and the private key xml file that is used to encrypt/decrypt the data before it is sent in the postback.

Add this script to you page

 function do_encrypt(val) {  
   if (val.length == 0)  
     return val;  
   var rsa = new RSAKey();  
   rsa.setPublic('', '');  
   var res = rsa.encrypt(val);  
   return hex2b64(res);  
 }  
 function hashAndEncrypt(val) {  
   var rsa = new RSAKey();  
   rsa.setPublic('', '');  
   var res = rsa.encrypt(val);  
   return hex2b64(res);  
 }  

and add this two methods to your code behind

 protected String RSAModulus  
 {  
   get  
   {  
     XmlDocument doc = new XmlDocument();  
     doc.Load(Server.MapPath("App_Data/publickey.xml"));  
     return BitConverter.ToString(Convert.FromBase64String(doc.SelectSingleNode("RSAKeyValue/Modulus").InnerText)).Replace("-", "");  
   }  
 }  
 protected String RSAExponent  
 {  
   get  
   {  
     XmlDocument doc = new XmlDocument();  
     doc.Load(Server.MapPath("App_Data/publickey.xml"));  
   return BitConverter.ToString(Convert.FromBase64String(doc.SelectSingleNode("RSAKeyValue/Exponent").InnerText)).Replace("-", "");  
   }  
 }  

This is needed because the client side encryption needs hexa-decimal keys and the server side uses Base64Strings.

You need to call DataBind() as the last thing in OnLoad.

The last thing you need to do is encrypt the content of the textboxes. This is done in the click event of the button like this

 document.getElementById("textbox-id").value = do_encrypt(document.getElementById("textbox-id").value)  

You need to set the value for one and each of the textboxes that you need encrypted.

On the server you just call Cryptography.DecryptData(text) to decrypt the content of the textbox.

This should be it.