Partition Key and Base64 Values

  • Question

  • I'm trying to store session data in Table Storage and wanted to use RngCryptoServiceProvider to generate the session key, which would also serve as the partition key.  However, when the rng value is converted using ToBase64String it periodically runs afoul of the partition key rules as it contains invalid characters such as /.  Potential workarounds would be:

    1. Use a plain old GUID

    2. Use a GUID that uses a RngCryptoServiceProvider value in its constructor

    Everything I've read indicates that the basic GUID (option 1) is not secure and that RngCSP should be used but then I run into the issue I mentioned above.  So I'm wondering if option 2 would be a viable trade off? Or should I simply replace the invalid characters in the base64 value?

    Thanks in advance for any help.

    Wednesday, February 15, 2012 5:07 AM

Answers

  • Regarding the encoding, you just need to make sure that what's sent "over the wire" is URL encoded (meaning that the partition key in table storage will be the URL encoded version).  Other than that, you can encode/decode wherever it makes the most sense for you.

    Regarding the method of creating keys, this is more of a general security question.  GUIDs will work fine as partition keys, but I really can't speak to whether or not this approach will meet your security requirements.  You may try reposting this question on the "Security for Windows Azure" forum: http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/threads.


    -Jeff

    • Marked as answer by Stoolio Wednesday, February 15, 2012 10:00 PM
    Wednesday, February 15, 2012 9:10 PM

All replies

  • Hi - thanks for the question.

    You're correct - a Base64 encoding will include chars that will give you problems.  The problem is actually that the partition key is used in the URL, and that the chars "/" and "+" (the two non-alphanumeric chars in Base64 encodings) are not URL safe.  To get around this, URL encoding is probably the most frequent change.  Note that the same would apply to Row Key if you have URL unsafe chars in that as well.  See "Querying entities" for more information on encoding considerations, in the "Remarks" section: http://msdn.microsoft.com/en-us/library/dd179421.aspx.  See more on URL Encoding here: http://msdn.microsoft.com/en-us/library/4fkewx0t.aspx.

    Hope that helps, let us know if you have further questions!


    -Jeff

    Wednesday, February 15, 2012 5:37 PM
  • Thanks for the reply. 

    So would the correct approach be to store the URL Encoded base64 value in the partition key or leave it unencoded in the partition key and then encode the value as it is sent out and decode as it is passed in?

    Did you happen to have any thoughts on using a GUID created using RNG Crypto as the partition key instead of a URL Encoded Base64 representation of the RNG Crypto value? If you think this question is more appropriate for another forum just let me know.

    Wednesday, February 15, 2012 8:38 PM
  • Thanks again for your help and quick replies.
    Wednesday, February 15, 2012 9:59 PM
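
An added example, not part of the original thread or any poster's code: the "replace the invalid characters" option from the question, done reversibly by emitting the random bytes in the URL-safe base64 alphabet (RFC 4648 section 5) so that `/` and `+` never appear in the key. The `SessionKey` class and its method names are hypothetical, and the forbidden-character list is an assumption taken from the Table service documentation for key values.

```csharp
using System;
using System.Security.Cryptography;

static class SessionKey
{
    // Assumption: characters the Table service documents as disallowed in PartitionKey/RowKey.
    static readonly char[] Forbidden = { '/', '\\', '#', '?' };

    // 32 bytes (256 bits) from the OS CSPRNG, encoded as base64url.
    // On current .NET, RandomNumberGenerator.Create() replaces the obsolete RNGCryptoServiceProvider.
    public static string NewKey(int byteLength = 32)
    {
        var bytes = new byte[byteLength];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        return ToBase64Url(bytes);
    }

    // RFC 4648 section 5: '+' becomes '-', '/' becomes '_', '=' padding is dropped.
    public static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Inverse mapping; restores the padding that Convert.FromBase64String requires.
    public static byte[] FromBase64Url(string key)
    {
        string s = key.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Not a base64url string.");
        }
        return Convert.FromBase64String(s);
    }

    static void Main()
    {
        // Constructed input: three bytes whose plain base64 form is made up only of '+' and '/'.
        byte[] worstCase = { 0xFB, 0xFF, 0xBF };
        Console.WriteLine("{0} -> {1}", Convert.ToBase64String(worstCase), ToBase64Url(worstCase));
        string key = NewKey();
        bool safe = key.IndexOfAny(Forbidden) < 0;
        bool roundTrip = FromBase64Url(key).Length == 32;
        Console.WriteLine("{0} safe={1} roundTrip={2}", key, safe, roundTrip);
    }
}
```

Because the character substitution is one-to-one, the key keeps every bit the generator produced, and the same string can be used as the stored partition key and in the request URL without a separate URL-encoding step.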