Showing posts with label encryption.

February 28, 2011

Difference between encryption and encoding

The two are not the same, although they are often treated as synonyms.

1. Encoding is converting data by the use of a code.
2. Encrypting is formatting electronic data according to a standard format.

Encryption provides secrecy. It is achieved by converting a string into cipher text using a cryptographic algorithm and a key; both encryption and decryption depend on that unique key. The cryptographic algorithm and the key together determine the quality of the encryption. Encryption involves encoding internally: the data is encoded before encryption (text to bytes) and again after encryption (cipher text to a storable or transmittable form).

To use encryption in .NET, import the namespace System.Security.Cryptography.

Encoding is the way the data is formatted. In cryptography the term is generally used to mean that no secrecy is involved: anyone who knows the format used to encode the data can decode it. So do not use encoding to store passwords in a database; use encryption instead.
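The following is an added example (not code from the original post) that makes the distinction concrete in .NET. Base64 is an encoding: anyone can reverse it with no key. AES from System.Security.Cryptography is encryption: the cipher text is useless without the key. It also shows the encoding that happens around encryption (UTF-8 to bytes before, Base64 for storage after). The secret string and the randomly generated keys are constructed for the demo. As a practical note, stored passwords are normally protected with a salted, slow password hash (such as PBKDF2 via Rfc2898DeriveBytes) rather than reversible encryption, since they only ever need to be verified, not recovered.

```csharp
// Added example: encoding vs. encryption in .NET (not from the original post).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class EncodingVsEncryption
{
    // Encoding: reversible by anyone who knows the format. No secrecy at all.
    public static string Base64Encode(string plainText) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(plainText));

    public static string Base64Decode(string encoded) =>
        Encoding.UTF8.GetString(Convert.FromBase64String(encoded));

    // Encryption: AES (CBC mode with PKCS7 padding, the Aes.Create() defaults) under a secret key.
    // A fresh random IV is generated per message and prepended to the cipher text; the whole
    // blob is then Base64-encoded for storage. That final step is encoding, not more secrecy.
    public static string Encrypt(string plainText, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (var ms = new MemoryStream())
            {
                ms.Write(aes.IV, 0, aes.IV.Length); // IV is not secret but must be unique per message
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    byte[] plainBytes = Encoding.UTF8.GetBytes(plainText); // encoding before encryption
                    cs.Write(plainBytes, 0, plainBytes.Length);
                    cs.FlushFinalBlock();
                    return Convert.ToBase64String(ms.ToArray());      // encoding after encryption
                }
            }
        }
    }

    public static string Decrypt(string encoded, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Array.Copy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
            {
                byte[] plainBytes = decryptor.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                return Encoding.UTF8.GetString(plainBytes);
            }
        }
    }

    private static byte[] RandomKey(int bytes)
    {
        byte[] key = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    public static void Main()
    {
        const string secret = "P@ssw0rd!"; // constructed sample value

        string encoded = Base64Encode(secret);
        Console.WriteLine($"Base64 encoded : {encoded}");
        Console.WriteLine($"Base64 decoded : {Base64Decode(encoded)}  (no key was needed)");

        byte[] key = RandomKey(32); // 256-bit AES key
        string cipher = Encrypt(secret, key);
        Console.WriteLine($"AES cipher text: {cipher}");
        Console.WriteLine($"AES decrypted  : {Decrypt(cipher, key)}  (correct key)");

        // With the wrong key the padding check almost always fails; in the rare case it
        // passes, the output is still meaningless bytes, never the original string.
        try
        {
            Console.WriteLine($"Wrong key gave : {Decrypt(cipher, RandomKey(32))}  (garbage)");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Wrong key gave : CryptographicException (padding invalid)");
        }
    }
}
```

Run it twice and the Base64 output is identical each time while the AES output differs, because the IV is random; that difference is one quick way to tell an encoding apart from an encryption in a stored value.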

http://himabinduvejella.blogspot.com/2011/02/what-is-machine-key-in-webconfig.html

February 27, 2011

What is Machine Key in Web.Config

The <machineKey> element in web.config is used when encrypting and decrypting data for a web application in ASP.NET. In general it sets the algorithms and keys used for validation and encryption. The machineKey element can be used to set

1. Encryption of View State

2. Encryption for Forms authentication cookie data

In order to make view state tamper proof we set EnableViewStateMac = true. This can also be applied at page level. MAC stands for Message Authentication Code. With this property set to true, the view state is stored in a cipher format.

If we encrypt view state we must specify the validation and encryption method in the machineKey element of web.config, as below.

Example

<system.web>
  <pages buffer="true" enableViewStateMac="true" />
  <machineKey validationKey="autogenerate | value" decryptionKey="autogenerate | value"
              validation="SHA1 | MD5 | 3DES" />
  <httpRuntime maxRequestLength="2048" />
</system.web>

The application then uses the specified validation method together with the validation and decryption key settings when it verifies and decrypts the data.
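To show what the MAC behind enableViewStateMac actually does, here is an added example (not code from the original post, and not ASP.NET's internal view-state format): a keyed hash is appended to the serialized state before it is sent to the browser, and recomputed and compared on postback. Any modification of the state is detected and rejected. The payload itself is only Base64-encoded, so the MAC gives integrity, not confidentiality; hiding the contents is the job of the decryption key and ViewStateEncryptionMode discussed below. The validation key and the state contents are constructed placeholders; a real validationKey is a long random hex string generated per application.

```csharp
// Added example: MAC protection of a serialized blob, in the spirit of enableViewStateMac.
// This is an illustration of the principle, not ASP.NET's actual view-state implementation.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ViewStateMacDemo
{
    // Placeholder key for the demo. In web.config the validationKey is a long random hex value
    // (or AutoGenerate,IsolateApps); never use a fixed string like this in production.
    private static readonly byte[] ValidationKey =
        Encoding.UTF8.GetBytes("DEMO-VALIDATION-KEY-REPLACE-WITH-RANDOM-BYTES");

    // Returns "payload.mac", both parts Base64. Base64 is encoding only; the payload stays readable.
    public static string Protect(byte[] state)
    {
        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] mac = hmac.ComputeHash(state);
            return Convert.ToBase64String(state) + "." + Convert.ToBase64String(mac);
        }
    }

    // Returns the state if the MAC verifies; throws if the value was modified or malformed.
    public static byte[] Unprotect(string protectedValue)
    {
        string[] parts = protectedValue.Split('.'); // '.' is not in the Base64 alphabet
        if (parts.Length != 2) throw new CryptographicException("Malformed protected value");

        byte[] state = Convert.FromBase64String(parts[0]);
        byte[] mac = Convert.FromBase64String(parts[1]);
        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] expected = hmac.ComputeHash(state);
            if (!FixedTimeEquals(expected, mac))
                throw new CryptographicException("View state MAC validation failed");
        }
        return state;
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample state; a real page would serialize its control tree here.
        byte[] state = Encoding.UTF8.GetBytes("IsAdmin=false;Price=100");
        string sent = Protect(state);
        Console.WriteLine("Sent to browser : " + sent);
        Console.WriteLine("Verified on post: " + Encoding.UTF8.GetString(Unprotect(sent)));

        // A modified payload returned with the original MAC attached does not verify.
        byte[] modified = Encoding.UTF8.GetBytes("IsAdmin=true;Price=1");
        string tampered = Convert.ToBase64String(modified) + sent.Substring(sent.IndexOf('.'));
        try
        {
            Unprotect(tampered);
            Console.WriteLine("Unexpected: tampered value accepted");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Tampered value  : rejected, " + e.Message);
        }
    }
}
```

Because the payload is only encoded, anyone can read "IsAdmin=false;Price=100" in the protected value; this is exactly the gap that the page's "Why do we need to encrypt the viewstate?" section addresses.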

For forms authentication ticket encryption, the <machineKey> element can be set as shown below.

<machineKey
  validationKey="AutoGenerate,IsolateApps"
  decryptionKey="AutoGenerate,IsolateApps"
  validation="AES"
  decryption="Auto" />

Why do we need to encrypt and decrypt the viewstate?

View State is not secured by default. It is good design practice, for security reasons, to encrypt the View State before storing it. By default ASP.NET uses the SHA1 algorithm for View State. When working with sensitive data, it is best practice to use encryption.

How to do it at Page Level or control Level?

ViewStateEncryptionMode is the attribute that controls view state encryption. It can be applied at page level or, for the whole application, in web.config. Below is how the attribute is used in web.config.

<configuration>
  <system.web>
    <pages viewStateEncryptionMode="Always" />
  </system.web>
</configuration>

The ViewStateEncryptionMode attribute has three possible values:

  • Auto (default)
  • None (no encryption for the control's View State)
  • Always

If the mode is "Always", ASP.NET does not wait for a control on the page to request encryption: View State is always encrypted.

If the mode is "Auto", ASP.NET encrypts the View State for a page only if some control on the page requests it. This is the default value.

If the mode is "None", View State is never encrypted, even if controls on the page request it.