Click here to Skip to main content
13,901,646 members
Click here to Skip to main content
Add your own
alternative version


32 bookmarked
Posted 30 Aug 2015
Licenced CPOL

Security On The Web By Advanced Encryption Standard (AES) and Security Assertion Markup Language (SAML)

, 30 Aug 2015
Rate this:
Please Sign up or sign in to vote.
Best approach for have more secure channel to transfer user information throughout the web


The most issues in the web is security matters and because of keeping and transdering sensitive data in the web, So we must provide secure system on it. The most popular and practical way to establish secure connection in the web is cryptography techniques. Cryptography techs are the process of encryption and decryption data to keep data secure. For example in the below figure Bob wants to send data to Alice. This data is known as message and input parameter to cryptography process. Then specific key with encryption function will be added to this message and produced cipher text which is our encrypted message so this message goes through the network where hackers are waiting to rob this data.


On the other stage Alice waits to receive Bob`s message and on that side there is decryption function which uses the same secret key to decrypt message. This secret key is absolutely similar to key from Bob`s side. So decryption function with the same secret key and cipher text (encrypted key) will produce decrypted message for Alice and finally Alice will receive Bob`s message. This process is known as Symmetric Encryption.

The most issue in this process is to provide strong and complex key. Because encryption and decryption algorithms are available in the internet and use almost similar steps and function to encrypt data and changing these algorithms is useless due to hackers can find them easily. So we must concentrate on producing power secret key to keep safe confidential data.  

  1. Cryptography is Tremendous and Fabulous tools for any security issue.
  2. But Cryptography is not suitable for naive user to do action to hurt themselves especially for social attackers.
  3. Cryptography needs to innovate new ways, due to using old encryption system is as same as bad to do not use it.
  4. If Cryptography implement incorrectly do not except meet your requirement correctly.
Some Secure Communication Solutions:
  1. Web Traffic: HTTPS -> Secure Socket Layer (SSL/TLS)
  2. Wireless Traffic: GSM: 802.11   Or WPA2: Bluetooth
  3. Encryption File on Disk


Advanced Encryption Standard (AES)

AES is one of the cryptography techniques which uses same secret key and is on the Rijndael cipher algorithm. AES is based on substitution and permutation functions and uses complicated ways to produce strong and almost unbreakable key which is our aim in order to transmitting our sensitive data through the network.

At the first step AES expand key with the 128 bits length to more than ten key which each of these keys have 128 bits length, the number of produced key build variant cycles. Message as input parameter will be mixed with these keys. AES just uses “AddRoundKey” function in the Kand in the Kn uses “SubBytes”, “Shiftrows” and AddRoundKey” and in the AES uses in the K2 to Kn-1 all of four functions “AddRoundKey”, “SubBytes”, “Shiftrows” and AddRoundKey”. Eventually message or plain text passes these complicated functions and will be converted to encrypted message or cipher text. 

AES uses this pattern inversely to produce same message from encrypted message. AES converts message text and key to four by four matrix, because of working by matrix form is more easier than original form. Look at below picture for having more clear imagination of what happens inside AES algorithm. 




This function mixes Ki,j  and Mi,j by XOR function. It means AES picks up ith  rowand jth column from both message and key and applies XOR function for these coincident row and column and produces Ci,j. In this below picture XOR will be applied between blue key and red message to produce orange cypher.



This function finds substitution for Mi,j from substitution table with specific pattern and steps and replaces this new as a M~i,j . It means AES picks up ith  row and jth column from message and applies substitution function for each row and column of message matrix and produces cypher matrix Ci,j.



There is a fix matrix as C which will be affecting on the message matrix. At the first step it does not change first row but it shifts second row to the left and it shift to the left for the third row besides applies XOR function for that.


Shift Rows:

This function picks up message matrix and does not change the first row of this matrix, after that for the second row shift one cell so that M1,0 will be replaced to M1,3 . For the second row shift two and for the third one shift three.


I have illustrated below picture as a more deep through operation inside AES. There are DES and 3DES algorithm which is  almost similar to AES, exception is 3DES is 168 and it has some bits more than AES, but it just uses permutation function for generating key while AES uses both permutation and substitution function and takes less time rather than 3DES. 

My Solution To Have More Security On The Web

I want to issue a solution with authentication and authorization parts for identifying users. Authentication provides us to know if user`s claim is correct or not by getting username and password. There is a solution to make this part as two step verification, first by getting password and second by biometric signs. In this state if someone steal user`s password so hacker cannot go to this user`s profile.

The next part is authorization which is related to permission management and determines if specific role has right to access and see specific section or not. For example here (in an EHealth Care System) doctor has permission to access his or her patient`s health information and read or write EHR.

The third section is cryptography techniques (AES). As I have mentioned above AES uses different function to encrypt data from hackers. So data in database can be saved as encrypted text instead of plain text to increase security issues.


More Description On My Solution

My solution is to use a biometric signs and mix this key to the secret key in order to produce more strong and secure key in AES. This biometric key can be extract from fingerprint or cornea signs. Nowadays capturing fingerprint is possible by mobile phone such as iphon and this data can be converted to second key matrix and mixing it with secret key we have strong key. These signs are available with us always and we will not forget them and hackers cannot achieve to them so it is good solution to keep data confidentiality.

How to Use and Implement The Code

At first open visual studio 2013 -> File (Menu) -> New Project -> ASP.NET MVC -> Empty

Controller -> Add New Controller


using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace WebSecurity.Controllers
    public class AESController : Controller
        // GET: /AES/

        public ActionResult Index()

            ViewData["Encrypted"] = TempData["TEncrypted"];
            ViewData["Decrypted"] = TempData["TDecrypted"];
            return View();

        //txtforEN is PlainText
        //Key is Public Secret Key 
        public ActionResult Encryption(string Text, string Key)
            // Convert String to Byte

            byte[] MsgBytes = Encoding.UTF8.GetBytes(Text);
            byte[] KeyBytes = Encoding.UTF8.GetBytes(Key);

            // Hash the password with SHA256
            //Secure Hash Algorithm
            //Operation And, Xor, Rot,Add (mod 232),Or, Shr
            //block size 1024
            //Rounds 80
            //rotation operator , rotates point1 to point2 by theta1=> p2=rot(t1)p1
            //SHR shift to right
            KeyBytes = SHA256.Create().ComputeHash(KeyBytes);

            byte[] bytesEncrypted = AES_Encryption(MsgBytes, KeyBytes);

            string encryptionText = Convert.ToBase64String(bytesEncrypted);

            TempData["TEncrypted"] = encryptionText;
            return RedirectToAction("Index");

        public byte[] AES_Encryption(byte[] Msg, byte[] Key)
            byte[] encryptedBytes = null;

            //salt is generated randomly as an additional number to hash password or message in order o dictionary attack
            //against pre computed rainbow table
            //dictionary attack is a systematic way to test all of possibilities words in dictionary wheather or not is true?
            //to find decryption key
            //rainbow table is precomputed key for cracking password
            // Set your salt here, change it to meet your flavor:
            // The salt bytes must be at least 8 bytes.  == 16 bits
            byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };

            using (MemoryStream ms = new MemoryStream())
                using (RijndaelManaged AES = new RijndaelManaged())
                    AES.KeySize = 256;
                    AES.BlockSize = 128;

                    var key = new Rfc2898DeriveBytes(Key, saltBytes, 1000);
                    AES.Key = key.GetBytes(AES.KeySize / 8);
                    AES.IV = key.GetBytes(AES.BlockSize / 8);

                    AES.Mode = CipherMode.CBC;

                    using (var cs = new CryptoStream(ms, AES.CreateEncryptor(), CryptoStreamMode.Write))
                        cs.Write(Msg, 0, Msg.Length);
                    encryptedBytes = ms.ToArray();

            return encryptedBytes;

        public ActionResult Decryption(string Text2, string Key2)
            // Convert String to Byte
            byte[] MsgBytes = Convert.FromBase64String(Text2);
            byte[] KeyBytes = Encoding.UTF8.GetBytes(Key2);
            KeyBytes = SHA256.Create().ComputeHash(KeyBytes);

            byte[] bytesDecrypted = AES_Decryption(MsgBytes, KeyBytes);

            string decryptionText = Encoding.UTF8.GetString(bytesDecrypted);

            TempData["TDecrypted"] = decryptionText;
            return RedirectToAction("Index");

        public byte[] AES_Decryption(byte[] Msg, byte[] Key)
            byte[] decryptedBytes = null;

            // Set your salt here, change it to meet your flavor:
            // The salt bytes must be at least 8 bytes.
            byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };

            using (MemoryStream ms = new MemoryStream())
                using (RijndaelManaged AES = new RijndaelManaged())
                    AES.KeySize = 256;
                    AES.BlockSize = 128;

                    var key = new Rfc2898DeriveBytes(Key, saltBytes, 1000);
                    AES.Key = key.GetBytes(AES.KeySize / 8);
                    AES.IV = key.GetBytes(AES.BlockSize / 8);

                    AES.Mode = CipherMode.CBC;

                    using (var cs = new CryptoStream(ms, AES.CreateDecryptor(), CryptoStreamMode.Write))
                        cs.Write(Msg, 0, Msg.Length);
                    decryptedBytes = ms.ToArray();

            return decryptedBytes;



Right Click on the Index (Action) -> Select "Add View"

    ViewBag.Title = "Index";
    Layout = "~/Views/Shared/_Layout.cshtml";
<h2>Encryption And Decryption</h2>
<div style="color:red;" id="EncryptedText">Encrypted Message: @ViewData["Encrypted"]</div>

<div style="color:red;" id="DecryptedText">Decrypted Message: @ViewData["Decrypted"]</div>

@using(Html.BeginForm("Encryption", "AES", FormMethod.Post))
     &lt;label id="lbk1">Key:&lt;/label>&lt;input name="Key" id="Key" type="text" />
    <br />
<br />
     &lt;label id="lbk2">Message:&lt;/label>&lt;input name="Text" id="Text" type="text" />
    <br />
<br />
    &lt;input id="btnEncryption" type="submit" value="Encryption" />
    <br />  
    <br />          

How To Test Application

1.  Go to this site:

For Encryption:

2. Enter Key such as: Key=122

3. Enter Message: Message=Mahsa

4. Press "Encryption" button

5. You will see cypher text --> Encrypted Message: 7gkI7SpPzsOiJ8O2OO2jOQ==

For Decryption

6. Enter Same Key="122"

7. Enter Encrypted Message --> 7gkI7SpPzsOiJ8O2OO2jOQ==

8. Press "Decryption" button 

9. You will See: Decrypted Message: Mahsa

Security Assertion Markup Language (SAML)

SAML is XML-based and open standard that format data which is supposed to transfer user information as an encrypted data between an identity provider and service provider. It includes specific tag which contains this encrypted data.

<saml:Assertion ..> 
<span style="font-size: 9pt;">"includes important message from identity provider to service provider
</span><span style="font-size: 9pt;">"Who is this user (Attribute Identity)
</span><span style="font-size: 9pt;"> "Is he/she allowed to consume service?
</span><span style="font-size: 9pt;"><</span><span style="font-size: 9pt;">/saml:Assertion</span><span style="font-size: 9pt;">></span>


SAML protocol is request when service provider calls direct query to identity provider over secure channel. Popular using from SAML is for Web Browser Single Sign-On (SSO). In this issue below matters happens by using SAML:


  1. Request Target Resource

User enter inside address bar via web browser such as chrome or Mozila for example: and send a request to use specific service from stackoverflow as service provider. This user can enter its username and password directly from using stack authentication or choose one of authentication options from log in page.


  1. Redirect to the SSO Service

Assume that user selects Google option for authentication process, then stackoverflow will redirect he/she from to


  1. Request SSO Service

In this example stackoverflow is service provider which provides desired service for user and is an identity provider which does Single Sign-On for user. Google identifies user by requesting some information which is belong to user such as username and password and check if these credential is valid or not. Identity providers use directory services such as LDAP, Radius and Active Directory to authentication process.


  1. Respond with XHTML Form

In this stage user should press on accept button inside as identity provider to allow some of his/her information such as username and email pass and transmit to service provider. When he/she does it identity provider respond with XHTML form (below code) to service provider.

<form method="post" action="" ...>

<span style="font-size: 9pt;">    <</span>"font-size: 9pt">input<span style="font-size: 9pt;"> type="hidden" name="SAMLResponse" value="response" />
</span><span style="font-size: 9pt;">  
    <</span>"font-size: 9pt">input<span style="font-size: 9pt;"> type="submit" value="Submit" />

</span><span style="font-size: 9pt;"></</span>"font-size: 9pt">form<span style="font-size: 9pt;">></span>


  1. Request Assertion Consumer Service

If in the above XHTML identity provider allows user to consume services from service provider so user redirect to service provider while he/she is a valid user for that site and can consume desired services. (Although in this stage service provider make authorisation process to check his/her access permission to consume each service).


  1. Redirect to Target Resource

In this stage service provider make authorisation process to check his/her access permission to consume each service and then user will be redirected to target resource.


  1. Request Target Resource

User request specific resource from service provider and as I mentioned above if the permission is confirmed from service provider so user can consume it. Such as


  1. Respond with Requested Resource

If user has permission to access to that service so service provider redirect user to resource.



In this section I have explained some of specific words which need more description. This part can solve misunderstanding and appear my intentions to use these words in my writing style.



Extensible Markup Language is markup language that includes specific rules to encode and format documents so that are readable for humans and machine. XML is useful for working on the web application and services to organize different kind of data structures and human languages.

XML has rules to define how to arrange our content. It includes tag which is “<div></div>”, attribute such as class attribute inside “<div class=”class1></div>”, finally our data is located inside tags for instance “Hello” inside “<div class=”class1”>Hello</div>” and its declaration starts with <?xml version="1.0" encoding="UTF-8"?>


Security Token

Security token is a device that produces key for authentication process. It is an additional tools to make high security to detect if user is really who claims or not. It is a device such as Key Generator, USB Connector, and Bluetooth Wireless. It sores a key for cryptography issues (encryption and decryption functions) and this key can be a biometric signs such as fingerprint or digital signature. This key with specific cryptography function can generate a new digital number and users enter this digital number after their username and password. This key prove user`s claim is he/she really who claims or not.  In Figure user should enter username and password and then press the key on device and enter number “54392971” to passcode, then click on “Log On”.

Service Provider

Service Provider is called to company where provides list of services to its customers. These services are categorized to telecommunication, application, storage place, and internet.


Identity Provider

Identity Provider is a third party, outside from two parts (authentication situation has two parts consumer as user and supplier as service provider) to detect if user is an authorized user and give some of important information of user to service provider, finally authorized user has permission to consume services.

For an instance, is a supplier (service provider), where you can ask your question in related section. If user wants to log in this site, it has some options to do that such as Log in using Google, Facebook, Yahoo, LiveJournal, WordPress, Blogger, Verisign and AOL or by stackoverflow. If user select stackoverflow then he/she should be create username and password for this site and enter all of repetitive information here again. Whenever user selects other options which are Identity Providers, then will be redirected from stackoverflow to these websites and enter specific username and password to them, then these sites decide if this user is valid or not? If user is valid so user`s information such as email address will be passed to stackoverflow site. Important security issue in his story is that Identity Provider (IP) will not be found out this person is going to do what action and user privacy will be protected.  



Redirect to Google for authentication issue

(using Google account to log in


Lightweight Directory Access Protocol (LDAP) is an internet protocol. LDAP looks up information by making index for each data and filtering just specific item which is wanted. 


Active Directory

Active Directory is a directory service based on windows domain with services to authenticate and authorize. Users log on to computer which is in the windows domain and active directory checks submitted password by LDAP, if username and password has right to access then active directory permit it to use desired services.


Windows Domain

Windows domain is kind of network so that all of users and computers and their peripherals are registered on the central computer.


Federated Identity Provider

Federated identity is a technology to make a link between user identity (username and password) and other identity management in order to authenticate user and inform source node that user is valid. It means you can have just one username and password and be valid across multiple web site. Single Sign-On is subset of federated identity.



U-Prove is a cryptographic technology that reveal minimum information about user who wants to go through multiple web sites, especially when user interacts with identity provider. U-Prove makes hard to track what user wants to do. U-Prove token encrypts information with two features. Firstly the cryptographic “wrapping” of information without correlation handles causes to avoid tracking of user. Secondly users disclose minimum of their information in verifier policy process such as “age” without explicit revealing “birth date”. 



OpenID is a protocol that allows users to continue their authentication process by other web sites are called “Relying Parties” as a third party such as Google, Microsoft, Facebook, AOL and etc.


Stateless and Stateful

Stateless is a communication protocol establishes independent request and response among client and server. It does not need to server to keep its information about communication between requester and responder in contrast Stateful needs server to keep information about its status. Internet Protocol, IP foundation for the internet and Hyper Text Transfer Protocol, HTTP, foundation of data communication on the web are examples for stateless. Transmission Control Protocol TCP is example for Stateful that provides a reliable and error checked communication between client and server. 



I used one of most popular cryptography technique as AES in my application. AES is a symmetric encryption function by using same secret key in the sender and receiver sides and AES produces strong key which hackers are not able to break it. So AES is a good way to keep data confidential and integrity. 



First Version: 31th  August



Feel free to leave any feedback on this article; it is a pleasure to see your opinions and vote about this code. If you have any questions, please do not hesitate to ask me here.




This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Mahsa Hassankashi
Doctorandin Technische Universität Berlin
Iran (Islamic Republic of) Iran (Islamic Republic of)
I have been working with different technologies and data more than 10 years.
I`d like to challenge with complex problem, then make it easy for using everyone. This is the best joy.

ICT Master in Norway 2013
Doctorandin at Technische Universität Berlin in Data Scientist ( currently )
Diamond is nothing except the pieces of the coal which have continued their activities finally they have become Diamond.

*Article of The Community Spotlight in Microsoft ASP.NET, Wednesday, February 11, 2015,
*Article of The Day in Microsoft ASP.NET Tuesday, February 3, 2015,
*1 Jan 2015: CodeProject MVP 2015
*22 Mar 2014: Best Web Dev Article of February 2014 - Second Prize

You may also be interested in...

Comments and Discussions

GeneralMessage Closed Pin
18-Jan-17 23:53
memberMember 1295775418-Jan-17 23:53 
QuestionNew Comment Pin
Member 1294529011-Jan-17 5:27
memberMember 1294529011-Jan-17 5:27 
AnswerRe: New Comment Pin
Mahsa Hassankashi8-Jun-18 12:18
memberMahsa Hassankashi8-Jun-18 12:18 
QuestionMessage Closed Pin
4-Jan-17 23:45
memberrajesh jhamb4-Jan-17 23:45 
QuestionMessage Closed Pin
4-Jan-17 4:17
memberMilan Shah4-Jan-17 4:17 
QuestionMessage Closed Pin
25-Dec-16 10:49
memberYvonne Zweigl25-Dec-16 10:49 
GeneralNice article....need the content and its chapter Pin
Hammed Olanrewaju5-Dec-16 10:19
memberHammed Olanrewaju5-Dec-16 10:19 
GeneralRe: Nice article....need the content and its chapter Pin
Mahsa Hassankashi8-Jun-18 12:18
memberMahsa Hassankashi8-Jun-18 12:18 
PraiseMessage Closed Pin
26-Oct-16 20:10
memberMember 1281821726-Oct-16 20:10 
GeneralArticle of the day Pin
Gaurav Aroraa17-Jul-16 19:44
professionalGaurav Aroraa17-Jul-16 19:44 
GeneralRe: Article of the day Pin
Mahsa Hassankashi14-Aug-16 4:50
memberMahsa Hassankashi14-Aug-16 4:50 
GeneralRe: Article of the day Pin
Member 1297446630-Jan-17 8:13
memberMember 1297446630-Jan-17 8:13 
QuestionGood one Pin
Vignesh Mani10-Jul-16 10:27
professionalVignesh Mani10-Jul-16 10:27 
AnswerRe: Good one Pin
Mahsa Hassankashi14-Aug-16 4:49
memberMahsa Hassankashi14-Aug-16 4:49 
GeneralMy vote of 5 Pin
Tridip Bhattacharjee15-May-16 21:24
professionalTridip Bhattacharjee15-May-16 21:24 
GeneralRe: My vote of 5 Pin
Mahsa Hassankashi14-Aug-16 4:49
memberMahsa Hassankashi14-Aug-16 4:49 
GeneralMy vote of 5 Pin
Hoangitk26-Feb-16 17:33
professionalHoangitk26-Feb-16 17:33 
GeneralRe: My vote of 5 Pin
Mahsa Hassankashi14-Aug-16 4:48
memberMahsa Hassankashi14-Aug-16 4:48 
GeneralMy vote of 5 Pin
Kenneth sri11-Sep-15 5:39
memberKenneth sri11-Sep-15 5:39 
GeneralRe: My vote of 5 Pin
Mahsa Hassankashi14-Aug-16 4:48
memberMahsa Hassankashi14-Aug-16 4:48 
General5 ed Pin
Tadit Dash (ତଡିତ୍ କୁମାର ଦାଶ)1-Sep-15 22:12
protectorTadit Dash (ତଡିତ୍ କୁମାର ଦାଶ)1-Sep-15 22:12 
GeneralRe: 5 ed Pin
Mahsa Hassankashi2-Sep-15 2:27
memberMahsa Hassankashi2-Sep-15 2:27 
GeneralRe: 5 ed Pin
Tadit Dash (ତଡିତ୍ କୁମାର ଦାଶ)2-Sep-15 9:32
protectorTadit Dash (ତଡିତ୍ କୁମାର ଦାଶ)2-Sep-15 9:32 
GeneralRe: 5 ed Pin
Member 1296716824-Jan-17 23:54
memberMember 1296716824-Jan-17 23:54 
GeneralMy vote of 5 Pin
PVX0071-Sep-15 6:55
memberPVX0071-Sep-15 6:55 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web06 | 2.8.190306.1 | Last Updated 30 Aug 2015
Article Copyright 2015 by Mahsa Hassankashi
Everything else Copyright © CodeProject, 1999-2019
Layout: fixed | fluid