I am working on an MVC project. I need to encrypt some information and store it in a hidden field. The solution is being deployed in an intranet scenario and the information is private but probably not critical but encrypting it would be best practice. We are using Windows Authentication.
To prevent the user from seeing these values I am using the Rijndael Encryption method to create an encrypted string then converting the encrypted value to hex string and placing in a hidden field.
I am currently hard-coding values for the Key and IV (storing them in a web.config - and encrypting). I have read that the IV should be different in every encryption. However I do not really want to have to start storing each IV server side and retrieving it on the post back unless I have to.
How critical is it to generate a new IV key with every request?
Would there be a more suitable encryption algorithm that would not require generated values?
You can store your Key and IV values in database for each user. It prevent generating them on each request, but make unique for each employee accesed your web application
Regeneration could be make each midnight by using windows service or sql job.