
simple yet secure encrypt / decrypt asp to asp.net

I have an ASP/VB6 web-app that logs in a user. I want to encrypt the user's identity field and pass it (querystring) to an asp.net app and then decrypt it to do a db lookup.

I've googled it and found rot13, albeit not secure enough. I've also found some hits on MD5 / RC4, but did not find any good examples of encrypt / decrypt.

Any ideas on how to implement secure encryption/decryption logic?


I agree with @Brian - don't go doing your own crypto, the crypto is easy until you start doing the key management. Do use SSL/TLS unless you have a very VERY V.E.R.Y. good reason not to do so.


It's generally conceded that you should never decrypt such information, but rather compare encrypted to encrypted.

MD5, for example, can be used in this 'trapdoor' fashion. Encode the information, then store the MD5 hash. When you need to authenticate, encode the new information and compare hashes. The unencrypted information is never exposed or available.

If this doesn't work for your situation, then look into the Windows Crypto API, which offers alternatives that allow full-cycle encrypt / decrypt.


Here is a basic encryption example. You'll want to figure out your own key. I did mine this way to just add one more level of complexity (I hope). As Jim points out you could use this to encrypt a new password, then store the results. After the password is created instead of ever trying to decrypt this value (which is just the reverse), you would encrypt the entered password and compare it against the stored value.

' combine these constants to build the encryption key
Private Const KEY1 = "abcde"
Private Const KEY2 = "fghij"
Private Const KEY3 = "klmno"
Private Const KEY4 = "pqrst"
Private Const KEY5 = "uvwxy"

Private Function Encrypt(ByVal s As String, ByVal EncryptionType As CAPICOM.CAPICOM_ENCODING_TYPE) As String
   Dim oEN As New CAPICOM.EncryptedData
   Dim intENCType As CAPICOM.CAPICOM_ENCRYPTION_ALGORITHM
   Dim strSecret As String
   Dim intTries As Integer

   On Error GoTo errEncrypt

   intENCType = CAPICOM_ENCRYPTION_ALGORITHM_AES ' try this first and fall back if not supported

   With oEN
startEncryption:
      .Algorithm = intENCType
      strSecret = KEY2 & KEY5 & KEY4 & KEY1 & KEY3
      .SetSecret strSecret
      strSecret = ""
      .Content = s
      ' the first encryption type needs to be base64 as the .Content property
      ' can lose information if I try to manipulate a binary string
      .Content = StrReverse(.Encrypt(CAPICOM_ENCODE_BASE64))
      strSecret = KEY1 & KEY4 & KEY3 & KEY2 & KEY5
      .SetSecret strSecret
      strSecret = ""
      Encrypt = .Encrypt(EncryptionType)
   End With

   Set oEN = Nothing

   Exit Function

errEncrypt:
   If Err.Number = -2138568448 Then
      ' if this is the first attempt, step the encryption back to 3DES and try again
      If intTries < 1 Then
         intTries = intTries + 1
         intENCType = CAPICOM_ENCRYPTION_ALGORITHM_3DES
         Resume startEncryption
      End If
   End If

   ' clean up before re-raising: nothing placed after Err.Raise would run
   strSecret = ""
   Set oEN = Nothing
   Err.Raise Err.Number, Err.Source & ":Encrypt", Err.Description

End Function