Security On The Web By Advanced Encryption Standard (AES) and Security Assertion Markup Language (SAML)

Best approach for have more secure channel to transfer user information throughout the web


The major issues in the web is security, this is because sensitive data is kept and transferred, so we must provide secure system on it. The most popular and practical way to establish secure connection on the web is cryptography technique. Cryptography techs are the process of encryption and decryption data to keep the data secure. For example, in the following figure Bob want to send data to Alice. This data is known as message and input parameter to cryptography process. Then specific key with encryption function will be added to this message and cipher text is produced which is our encrypted message, so this message goes through the network where hackers are waiting to rob this data.


On the other stage, Alice waits to receive Bob`s message and on that side there is decryption function which uses the same secret key to decrypt the message. This secret key is absolutely similar to the key from Bob`s side. So decryption function with the same secret key and cipher text (encrypted key) will produce decrypted message for Alice and finally Alice will receive Bob`s message. This process is known as Symmetric Encryption.

The major issue in this process is to provide strong and complex key. Because encryption and decryption algorithms are available on the internet and uses almost similar steps and function to encrypt data, changing these algorithms is useless because hackers can find them easily. So we must concentrate on producing power secret key to keep the confidential data safe.

  1. Cryptography is a tremendous and fabulous tool for any security issue.
  2. But Cryptography is not suitable for a naive user to do action to hurt themselves especially for social attackers.
  3. Cryptography needs to innovate new ways because using old encryption system is as bad as not using it.
  4. If Cryptography implements incorrectly, then do not expect to meet your requirement correctly.

Some Secure Communication Solutions:

  1. Web Traffic: HTTPS -> Secure Socket Layer (SSL/TLS).
  2. Wireless Traffic: GSM: 802.11 Or WPA2: Bluetooth.
  3. Encryption File on Disk.

Advanced Encryption Standard (AES)

AES is one of the cryptography technique which uses same secret key and is on the Rijndael cipher algorithm. AES is based on substitution and permutation functions and uses complicated ways to produce strong and almost unbreakable key which is our aim in order to transmit our sensitive data through the network.

In the first step, AES expands key with the 128 bits length to more than ten key which each of these keys have 128 bits length, the number of produced key build variant cycles. Message as input parameter will be mixed with these keys. AES just uses “AddRoundKey” function in the K0 and the Kn uses “SubBytes”, “Shiftrows” and AddRoundKey” and AES uses K2 to Kn-1 all the four functions “AddRoundKey”, “SubBytes”, “Shiftrows” and AddRoundKey”. Eventually message or plain text passes these complicated functions and will be converted to encrypted message or cipher text.

AES uses this pattern inversely to produce same message from encrypted message. AES converts message text and key to four by four matrix, because working by matrix form is more easier than the original form. Look at the following image for having clear imagination of what happens inside AES algorithm.



This function mixes Ki,j and Mi,j by XOR function. It means AES picks up ith row and jth column from both the message and key and applies XOR function for these coincident row and column and produces Ci,j. In the following image XOR will be applied between blue key and red message to produce orange cypher.



This function finds substitution for Mi,j from substitution table with specific pattern and steps and replaces this new as a M~i,j. It means AES picks up ith row and jth column from the message and applies substitution function for each row and column of message matrix and produces cypher matrix Ci,j.



There is a fix matrix as C which will be affecting on the message matrix. At the first step it does not change first row but it shifts second row to the left and it shift to the left for the third row besides applying XOR function for that.


Shift Rows:

This function picks up message matrix and does not change the first row of this matrix, after that for the second row shift one cell so that M1,0 will be replaced to M1,3. For the second row shift two and for the third one shift three.

second row shift

I have illustrated the following image as a more deep through operation inside AES. There are DES and 3DES algorithm which is almost similar to AES, exception is 3DES is 168 and it has some bits more than AES, but it just uses permutation function for generating key while AES uses both permutation and substitution function and takes less time rather than 3DES.

substitution function

My Solution To Have More Security On The Web

I want to give a solution with authentication and authorization parts for identifying users. Authentication provides us to know if user`s claim is correct or not by getting username and password. There is a solution to make this part as two step verification, first by getting password and second by biometric signs. In this state if someone steal user`s password so hacker cannot go to this user`s profile.

The next part is authorization which is related to permission management and determines if specific role has right to access and see specific section or not. For example, here (in an EHealth Care System) doctor has permission to access his or her patient`s health information and read or write EHR.

The third section is cryptography technique (AES). As I have mentioned above AES uses different function to encrypt data from hackers. So data in database can be saved as encrypted text instead of plain text to increase security issues.


More Description On My Solution

My solution is to use a biometric sign and mix this key to the secret key in order to produce more strong and secure key in AES. This biometric key can be extracted from fingerprint or cornea signs. Nowadays capturing fingerprint is possible by mobile phone such as iPhone and this data can be converted to second key matrix and mixing it with secret key we have strong key. These signs are available with us always and we will not forget them and hackers cannot achieve them, so it is a good solution to keep data confidential.


How to Use and Implement The Code

At first open visual studio 2013, File (Menu), New Project, then ASP.NET MVC,  Empty, select Controller and Add New Controller.

add controller

  1. using System;  
  2. using System.Collections.Generic;  
  3. using System.IO;  
  4. using System.Linq;  
  5. using System.Security.Cryptography;  
  6. using System.Text;  
  7. using System.Web;  
  8. using System.Web.Mvc;  
  10. namespace WebSecurity.Controllers  
  11. {  
  12.     public class AESController : Controller  
  13.     {  
  14.         //  
  15.         // GET: /AES/  
  17.         public ActionResult Index()  
  18.         {  
  20.             ViewData["Encrypted"] = TempData["TEncrypted"];  
  21.             ViewData["Decrypted"] = TempData["TDecrypted"];  
  22.             return View();  
  23.         }  
  25.         //txtforEN is PlainText  
  26.         //Key is Public Secret Key   
  27.         [HttpPost]  
  28.         public ActionResult Encryption(string Text, string Key)  
  29.         {  
  30.             // Convert String to Byte  
  32.             byte[] MsgBytes = Encoding.UTF8.GetBytes(Text);  
  33.             byte[] KeyBytes = Encoding.UTF8.GetBytes(Key);  
  35.             // Hash the password with SHA256  
  36.             //Secure Hash Algorithm  
  37.             //Operation And, Xor, Rot,Add (mod 232),Or, Shr  
  38.             //block size 1024  
  39.             //Rounds 80  
  40.             //rotation operator , rotates point1 to point2 by theta1=> p2=rot(t1)p1  
  41.             //SHR shift to right  
  42.             KeyBytes = SHA256.Create().ComputeHash(KeyBytes);  
  44.             byte[] bytesEncrypted = AES_Encryption(MsgBytes, KeyBytes);  
  46.             string encryptionText = Convert.ToBase64String(bytesEncrypted);  
  50.             TempData["TEncrypted"] = encryptionText;  
  51.             return RedirectToAction("Index");  
  52.         }  
  54.         public byte[] AES_Encryption(byte[] Msg, byte[] Key)  
  55.         {  
  56.             byte[] encryptedBytes = null;  
  58.             //salt is generated randomly as an additional number to hash password or message in order o dictionary attack  
  59.             //against pre computed rainbow table  
  60.             //dictionary attack is a systematic way to test all of possibilities words in dictionary wheather or not is true?  
  61.             //to find decryption key  
  62.             //rainbow table is precomputed key for cracking password  
  63.             // Set your salt here, change it to meet your flavor:  
  64.             // The salt bytes must be at least 8 bytes.  == 16 bits  
  65.             byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };  
  67.             using (MemoryStream ms = new MemoryStream())  
  68.             {  
  69.                 using (RijndaelManaged AES = new RijndaelManaged())  
  70.                 {  
  71.                     AES.KeySize = 256;  
  72.                     AES.BlockSize = 128;  
  74.                     var key = new Rfc2898DeriveBytes(Key, saltBytes, 1000);  
  75.                     AES.Key = key.GetBytes(AES.KeySize / 8);  
  76.                     AES.IV = key.GetBytes(AES.BlockSize / 8);  
  78.                     AES.Mode = CipherMode.CBC;  
  80.                     using (var cs = new CryptoStream(ms, AES.CreateEncryptor(), CryptoStreamMode.Write))  
  81.                     {  
  82.                         cs.Write(Msg, 0, Msg.Length);  
  83.                         cs.Close();  
  84.                     }  
  85.                     encryptedBytes = ms.ToArray();  
  86.                 }  
  87.             }  
  89.             return encryptedBytes;  
  90.         }  
  92.         [HttpPost]  
  93.         public ActionResult Decryption(string Text2, string Key2)  
  94.         {  
  95.             // Convert String to Byte  
  96.             byte[] MsgBytes = Convert.FromBase64String(Text2);  
  97.             byte[] KeyBytes = Encoding.UTF8.GetBytes(Key2);  
  98.             KeyBytes = SHA256.Create().ComputeHash(KeyBytes);  
  100.             byte[] bytesDecrypted = AES_Decryption(MsgBytes, KeyBytes);  
  102.             string decryptionText = Encoding.UTF8.GetString(bytesDecrypted);  
  105.             TempData["TDecrypted"] = decryptionText;  
  106.             return RedirectToAction("Index");  
  107.         }  
  109.         public byte[] AES_Decryption(byte[] Msg, byte[] Key)  
  110.         {  
  111.             byte[] decryptedBytes = null;  
  113.             // Set your salt here, change it to meet your flavor:  
  114.             // The salt bytes must be at least 8 bytes.  
  115.             byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };  
  117.             using (MemoryStream ms = new MemoryStream())  
  118.             {  
  119.                 using (RijndaelManaged AES = new RijndaelManaged())  
  120.                 {  
  121.                     AES.KeySize = 256;  
  122.                     AES.BlockSize = 128;  
  124.                     var key = new Rfc2898DeriveBytes(Key, saltBytes, 1000);  
  125.                     AES.Key = key.GetBytes(AES.KeySize / 8);  
  126.                     AES.IV = key.GetBytes(AES.BlockSize / 8);  
  128.                     AES.Mode = CipherMode.CBC;  
  130.                     using (var cs = new CryptoStream(ms, AES.CreateDecryptor(), CryptoStreamMode.Write))  
  131.                     {  
  132.                         cs.Write(Msg, 0, Msg.Length);  
  133.                         cs.Close();  
  134.                     }  
  135.                     decryptedBytes = ms.ToArray();  
  136.                 }  
  137.             }  
  139.             return decryptedBytes;  
  140.         }  
  142.     }  
  143. }  
Right Click on the Index (Action) and select "Add View".

Add view
  1. @  
  2. {  
  3.     ViewBag.Title = "Index";  
  4.     Layout = "~/Views/Shared/_Layout.cshtml";  
  5. }  
  7. < h2 > Encryption And Decryption < /h2>  
  9. < div style = "color:red;"  
  10. id = "EncryptedText" > Encrypted Message: @ViewData["Encrypted"] < /div>  
  14. < div style = "color:red;"  
  15. id = "DecryptedText" > Decrypted Message: @ViewData["Decrypted"] < /div>  
  19. < pre > @using(Html.BeginForm("Encryption""AES", FormMethod.Post)) { & lt;  
  20.     label id = "lbk1" > Key: & lt;  
  21.     /label><input name="Key" id="Key" type="text" / >  
  22.     < br / >  
  23.         < br / >  
  24.         & lt;  
  25.     label id = "lbk2" > Message: & lt;  
  26.     /label><input name="Text" id="Text" type="text" / >  
  27.     < br / >  
  28.         < br / >  
  29.         & lt;  
  30.     input id = "btnEncryption"  
  31.     type = "submit"  
  32.     value = "Encryption" / >  
  33.         < br / >  
  34.         < br / >  
  35. }  
How To Test An Application
  1. Go to the following site:

    For Encryption:

  2. Enter Key such as: Key=122.
  3. Enter Message: Message=Mahsa.
  4. Press "Encryption" button.
  5. You will see cypher text --> Encrypted Message: 7gkI7SpPzsOiJ8O2OO2jOQ==

    For Decryption

  6. Enter Same Key="122".
  7. Enter Encrypted Message --> 7gkI7SpPzsOiJ8O2OO2jOQ==
  8. Press "Decryption" button.
  9. You will See: Decrypted Message: Mahsa.

Security Assertion Markup Language (SAML)

SAML is an XML-based and open standard that format data which is supposed to transfer user information as an encrypted data between an identity provider and service provider. It includes specific tag which contains this encrypted data.

  1. <saml:Assertion ..>   
  2.    “includes important message from identity provider to service provider  
  3.    “Who is this user (Attribute Identity)  
  4.    “Is he/she allowed to consume service?  
  5. </saml:Assertion>  
SAML protocol is a request when service provider calls direct query to identity provider over secure channel. Popular using from SAML is for Web Browser Single Sign-On (SSO). In this issue the following happens by using SAML:

1. Request Target Resource

User enter inside address bar via web browser such as chrome or Mozilla, for example and send a request to use specific service from stackoverflow as service provider. This user can enter its username and password directly from using stack authentication or choose one of the authentication options from log in page.

2. Redirect to the SSO Service

Assume that user selects Google option for authentication process, then stackoverflow will redirect he/she from to

3. Request SSO Service

In this example, stackoverflow is a service provider which provides desired service for user and is an identity provider which does Single Sign-On for user. Google identifies user by requesting some information which is belonged to the user such as username and password and check if these credentials are valid or not. Identity providers use directory services such as LDAP, Radius and Active Directory to authenticate process.

4. Respond with XHTML Form

In this stage user should press on accept button inside as identity provider to allow some of his/her information such as username and email password and transmit to service provider. When he/she does it identity provider respond with XHTML form (below code) to service provider.
  1. <form method="post" action="" ...>  
  3.    <input type="hidden" name="SAMLResponse" value="response" />  
  5.    <input type="submit" value="Submit" />  
  7. </form>  
5. Request Assertion Consumer Service

If in the above XHTML identity provider allows user to consume services from service provider so user redirect to service provider while he/she is a valid user for that site and can consume desired services. (Although in this stage service provider make authorization process to check his/her access permission to consume each service).

6. Redirect to Target Resource

In this stage service provider make authorization process to check his/her access permission to consume each service and then user will be redirected to the target resource.

7. Request Target Resource

User request specific resource from service provider and as I mentioned above if the permission is confirmed from service provider user can consume it such as

8. Respond with Requested Resource

If user has permission to access to that service so service provider redirect user to resource.

service provider


In this section I have explained some of the specific words which need more description. This part can solve misunderstanding and shows my intentions to use these words in my writing style.


Extensible Markup Language is a markup language that includes specific rules to encode and format documents for making it readable for humans and machine. XML is useful for working on the web application and services to organize different kind of data structures and human languages.

XML has rules to define how to arrange our content. It includes tag which is “<div></div>”, attribute such as class attribute inside “<div class=”class1”></div>”, finally our data is located inside tags, for example “Hello” inside “<div class=”class1”>Hello</div>” and its declaration starts with <?xml version="1.0" encoding="UTF-8"?>

Security Token

Security token is a device that produces key for authentication process. It is an additional tool to make high security to detect if user is really who claims or not. It is a device such as Key Generator, USB Connector, and Bluetooth Wireless. It sores a key for cryptography issues (encryption and decryption functions) and this key can be a biometric sign such as fingerprint or digital signature. This key with specific cryptography function can generate a new digital number and users enter this digital number after their username and password. This key prove users claim, is he/she really who claims or not. In the figure, user should enter username and password and then press the key on device and enter the number “54392971” to passcode, then click “Log On”.

Log On

Service Provider

Service Provider calls the company where it provides list of services to its customers. These services are categorized to telecommunication, application, storage place, and internet.

Identity Provider

Identity Provider is a third party, outside from the two parts (authentication situation has two parts consumer as user and supplier as service provider) to detect if user is an authorized user and give some important information of user to service provider, finally authorized user has permission to consume services.

For an instance, is a supplier (service provider), where you can ask your question in related section. If user want to log in this site, it has some options to do that such as Log in using Google, Facebook, Yahoo, LiveJournal, WordPress, Blogger, and AOL or by stackoverflow. If user select stackoverflow, then he/she should create username and password for this site and enter all repetitive information here again. Whenever user selects other options which are Identity Providers, then will be redirected from stackoverflow to these websites and enter specific username and password to them, then these sites decide if this user is valid or not? If user is valid, so user`s information such as email address will be passed to stackoverflow site. Important security issue is that the Identity Provider (IP) can't find out this person is going to do what action and user privacy will be protected.



Redirect to Google for authentication issue.

(using Google account to log in


Lightweight Directory Access Protocol (LDAP) is an internet protocol. LDAP looks up information by making index for each data and filtering just specific item which is wanted.

Active Directory

Active Directory is a directory service based on windows domain with services to authenticate and authorize. Users log on to computer which is in the windows domain and active directory checks submitted password by LDAP, if username and password has right to access then active directory permit it to use desired services.

Windows Domain

Windows domain is a kind of network so that all of users and computers and their peripherals are registered on the central computer.

Federated Identity Provider

Federated identity is a technology to make a link between user identity (username and password) and other identity management in order to authenticate user and inform source node that user is valid. It means you can have just one username and password and be valid across multiple web site. Single Sign-On is a subset of federated identity.


U-Prove is a cryptographic technology that reveal minimum information about user who want to go through multiple web sites, especially when user interacts with identity provider. U-Prove makes hard to track what user wants to do. U-Prove token encrypts information with two features. Firstly, the cryptographic “wrapping” of information without correlation handles causes to avoid tracking of user. Secondly, users disclose minimum of their information in verifier policy process such as “age” without explicit revealing “birth date”.


OpenID is a protocol that allows users to continue their authentication process by other web sites are called “Relying Parties” as a third party such as Google, Microsoft, Facebook, AOL and etc.

Stateless and Stateful

Stateless is a communication protocol that establishes independent request and response among client and server. It does not need the server to keep its information about communication between requester and responder. In contrast, Stateful needs server to keep information about its status. Internet Protocol, IP foundation for the Internet and Hyper Text Transfer Protocol, HTTP, foundation of data communication on the web are examples for stateless. Transmission Control Protocol TCP is an example for Stateful that provides a reliable and error checked communication between client and server.


I used one of the most popular cryptography technique as AES in my application. AES is a symmetric encryption function by using same secret key in the sender and receiver sides and AES produces strong key which hackers are not able to break it. So AES is a good way to keep data confidential (with integrity).


Feel free to leave any feedback on this article; it is a pleasure to see your opinions and vote about this code. If you have any questions, please do not hesitate to ask me here.