Wednesday, March 21, 2012

Playing around with the EPiServer.Util.SimpleEncryption class

The other day I was playing around with Reflector and I ran into the EPiServer.Util.SimpleEncryption class, which I hadn't really noticed before. The class includes the usual self-explanatory cryptography methods like Encrypt and Decrypt, but it also contains some not so self-explanatory methods like ClearText and EncryptedText.
So I had to play around with this a little bit, hoping I'd understand why EPiServer has included this class. I browsed for usages of the class and the only usages I could find were in the ExceptionManager and in the EPiServer.Cmo.Cms assembly. I found one comment from 2005 stating that EPiServer.Util originally wasn't planned to be made public. If this is the case it might explain why there's so little information about it.

The SimpleEncryption constructor
The SimpleEncryption constructor takes one parameter, an initializer used for generating the cryptography key:

SimpleEncryption simpleEncryption = new SimpleEncryption("myInitializer");

Encrypting text
There are two encryption methods you can use, Encrypt or EncryptedText. They return the same encrypted string, but the string returned from EncryptedText is prefixed with the literal marker ENCRYPTED:

string original = "Testing encryption with SimpleEncryption";

string encrypt = simpleEncryption.Encrypt("myKey", original);
// encrypt == AvVayN0k1jSXjUVHzRmtq9rl9yCtmNLq+sBvz53vr0A6CIbzMaASE2LZ1LHR7hPT

string encryptedText = simpleEncryption.EncryptedText("myKey", original);
// encryptedText == ENCRYPTED:AvVayN0k1jSXjUVHzRmtq9rl9yCtmNLq+sBvz53vr0A6CIbzMaASE2LZ1LHR7hPT
At first I found the EncryptedText method a bit pointless; it took me a while to understand why it is included at all.

Checking if a string is encrypted
Let’s assume you have a piece of text, and you don’t know whether this text is encrypted or not. If you’ve made a habit of using the EncryptedText method, you can use the IsEncrypted method to check if the text is encrypted:

bool isEncrypted = simpleEncryption.IsEncrypted("AvVayN0k1jSXjUVHzRmtq9rl9yCtmNLq+sBvz53vr0A6CIbzMaASE2LZ1LHR7hPT");
// isEncrypted == false

bool isEncryptedText = simpleEncryption.IsEncrypted("ENCRYPTED:AvVayN0k1jSXjUVHzRmtq9rl9yCtmNLq+sBvz53vr0A6CIbzMaASE2LZ1LHR7hPT");
// isEncryptedText == true
Here I'm calling the IsEncrypted method with the two encrypted strings from the previous example. Both of these texts are encrypted, so you'd assume that both isEncrypted and isEncryptedText would be true. That's not the case: the IsEncrypted method only checks whether the specified value is prefixed with "ENCRYPTED:". It never looks at the rest of the string, so the following returns true even though the text is not encrypted:
bool isEncrypted = simpleEncryption.IsEncrypted("ENCRYPTED:This text is not encrypted");
// isEncrypted == true
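As an added illustration (my own sketch in Python, not EPiServer's code), here is the prefix-only check the post describes next to a check that binds the marker to the ciphertext with an HMAC tag, so a value cannot pass just by starting with "ENCRYPTED:". The ciphertext string is the one from the example above, reused as constructed sample data; the key is a placeholder.

```python
import base64
import hashlib
import hmac

PREFIX = "ENCRYPTED:"

# Constructed sample data: the Base64 ciphertext shown in the post and a stand-in key.
SAMPLE_CIPHERTEXT_B64 = "AvVayN0k1jSXjUVHzRmtq9rl9yCtmNLq+sBvz53vr0A6CIbzMaASE2LZ1LHR7hPT"
SAMPLE_KEY = b"demo-key-not-a-real-secret"


def is_encrypted_prefix_only(value: str) -> bool:
    """Mirror of the behaviour described above: IsEncrypted only looks at the prefix."""
    return value.startswith(PREFIX)


def mark_encrypted(ciphertext_b64: str, mac_key: bytes) -> str:
    """Hypothetical replacement for EncryptedText: prefix + ciphertext + HMAC tag over the ciphertext."""
    tag = hmac.new(mac_key, ciphertext_b64.encode("ascii"), hashlib.sha256).digest()
    return PREFIX + ciphertext_b64 + "." + base64.b64encode(tag).decode("ascii")


def is_encrypted_verified(value: str, mac_key: bytes) -> bool:
    """Accept only values produced by mark_encrypted: prefix present, both parts are valid
    Base64, and the HMAC tag verifies in constant time."""
    if not value.startswith(PREFIX):
        return False
    body = value[len(PREFIX):]
    ciphertext_b64, sep, tag_b64 = body.rpartition(".")  # '.' is not in the Base64 alphabet
    if not sep:
        return False
    try:
        tag = base64.b64decode(tag_b64, validate=True)
        base64.b64decode(ciphertext_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(mac_key, ciphertext_b64.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```

With the verified check, "ENCRYPTED:This text is not encrypted" is rejected, and so is a marked value whose tag or ciphertext has been altered.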

Decrypting text
If you encrypted the text using the Encrypt method, you can decrypt the text by using the Decrypt method. If you encrypted the text using the EncryptedText method, you need to use the ClearText method in order to decrypt it.

UPDATE!
This class is old, outdated and not safe. It will be phased out, so don't use it. See comments for more information. Conclusion: you've just wasted your time reading this blog post! Sorry...

6 comments:

  1. The SimpleEncryption class apparently uses TripleDES encryption. I was under the impression *DES encryption was inferior to e.g. AES encryption. Any idea how safe this encryption method is considered nowadays?

  2. IsEncrypted will of course never know if the text is *really* encrypted, since there is no way of knowing this without knowing the exact unencrypted text.

    Interesting this, though. But I've never been in a case where I need to *encrypt* things. Things that go in a database and need to be super secret are usually hashed, and I never write my own SSL-encryption, soooo... Anyone ever used them?

  3. I can see how a wrapper for some simple encryption can be useful but this is surely old and outdated and shouldn't be used. 3DES isn't considered safe anymore so if the SimpleEncryption behaviour should be needed one should write a similar wrapper for either AES (for safety) or Blowfish (for speed).

  4. This class predates when ASP.NET had encryption support for configuration files, we are phasing out this class.

  5. This is how the appSettings values were encrypted in EPiServer CMS 4. You could tick a box in admin, and it would look for a set of known settings to encrypt, and you could add and have EPiServer encrypt these too.

    As John and Arild wrote, this is old, and not regarded safe (but then what is?), so leave this class be. It could very well be removed soon.

  6. Thanks for all the comments, you've been of great help! I'll update the blogpost with the information you've supplied me with :)