Troubleshooting Tips
LANGUAGES: VB .NET
ASP.NET VERSIONS: 1.0 | 1.1
Encryption Made (Sort of) Easy
Encrypt your .NET data in a few simple steps.
By Don Kiely
Microsoft designed the .NET Framework with careful thought
to security, making it one of the most secure development environments ever.
That certainly isn't meant to say that it is invulnerable; far too many flaws
turn up in almost any widely deployed software product for anyone to claim
complete security. But .NET meets many of the needs of secure applications,
and the .NET Framework provides a host of security services.
Encryption is one of the strongest security features in
the .NET Framework, with rich support for widely used encryption and hashing
algorithms. It is extensible: new algorithms, or alternative implementations
of existing ones, can be plugged in through the machine-wide configuration
file, which maps an algorithm name to the class that implements it. Many of
the classes (those whose names end in CryptoServiceProvider) are wrappers
over the Windows CryptoAPI; others (the Managed classes) are implemented
entirely in .NET. The classes are meant to protect both data in transit, which
needs protection only while it crosses the network, and sensitive data in
long-term storage.
Encrypting data in .NET requires a few simple steps,
assuming that you understand enough about which algorithms to use and how to
use them securely:
'Get the plaintext and put it into a memory stream
'(needs Imports System.IO and Imports System.Security.Cryptography)
Dim mStream As MemoryStream = New MemoryStream
Dim binMemWriter As BinaryWriter = New BinaryWriter(mStream)
binMemWriter.Write(txtPlaintext.Text)
binMemWriter.Flush()
mStream.Position = 0
'Define the algorithm: here, use TripleDES, using the default
'implementation. Create generates a random Key and IV; both must be
'kept (the Key secretly) or the cipher text can never be decrypted.
Dim algorithm As TripleDES = TripleDES.Create
'Create a CryptoStream to wrap the plain text data stream
Dim cStream As CryptoStream = _
    New CryptoStream(mStream, _
    algorithm.CreateEncryptor(algorithm.Key, algorithm.IV), _
    CryptoStreamMode.Read)
'Read the plain text, encrypting the data. Padding makes the cipher text
'up to one block (8 bytes) longer than the plaintext, so size the buffer
'from the stream's Length (not its Capacity, which is only the size of
'the buffer allocation) and keep the byte count that Read returns.
Dim cipher(CInt(mStream.Length) + algorithm.BlockSize \ 8 - 1) As Byte
Dim cipherLength As Int32 = cStream.Read(cipher, 0, cipher.Length)
'Bytes above 127 do not survive a Chr/string round trip; if the cipher
'text has to be handled as text, Base64-encode it instead
Dim str As String = Convert.ToBase64String(cipher, 0, cipherLength)
Once this code executes, the str variable contains the
encrypted cipher text. There are many ways to encrypt plaintext in .NET, of
which the code above is one example. The steps are identical in C#.
Decrypting the cipher text is basically the same thing but
in reverse:
'Define the algorithm
Dim algorithm As TripleDESCryptoServiceProvider = _
    New TripleDESCryptoServiceProvider
'Read the crypto data, including key length, key, and
'initialization vector
'from some secure storage location (that code is not shown here; it
'fills in key, iv, encryptData and iCipherLength)
Dim key As Byte(), iv As Byte(), encryptData As Byte()
Dim iCipherLength As Int32
' ...
'Create a CryptoStream to decrypt the data
Dim mStream As MemoryStream = New MemoryStream
Dim cStream As CryptoStream = _
    New CryptoStream(mStream, _
    algorithm.CreateDecryptor(key, iv), _
    CryptoStreamMode.Write)
'Write the cipher text through the CryptoStream, then flush the final
'block. Without FlushFinalBlock the last (padded) block never reaches
'mStream, so ReadString fails or returns truncated text. A wrong key, or
'altered cipher text, usually shows up here as a CryptographicException
'from the padding check.
cStream.Write(encryptData, 0, iCipherLength)
cStream.FlushFinalBlock()
'Get the plaintext
mStream.Position = 0
Dim binMemReader As BinaryReader = New BinaryReader(mStream)
txtPlaintext.Text = binMemReader.ReadString
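Putting the encryption steps and the decryption steps together as one runnable program, as an added example that is not the column's own code: the IV is generated fresh for each message and stored in front of the ciphertext (it is not secret, so it can travel with the data), the final padded block is flushed before the bytes are collected, the result is Base64-encoded so it survives as text, and an HMAC-SHA1 over the IV and ciphertext is appended and checked before decryption so a modified token is rejected rather than fed to the cipher. The class name TripleDesHelper, the MAC key size and the demo string are assumptions of this example; the keys are generated in Main only for the demonstration and in a real application come from whatever key storage the rest of the column discusses.

```vb
Imports System
Imports System.IO
Imports System.Text
Imports System.Security.Cryptography

' Symmetric encryption helper (added example, not the column's code).
' Fixes the fragments' loose ends: the IV is generated per message and
' stored ahead of the ciphertext, the final padded block is flushed, the
' result is Base64 text, and an HMAC over IV || ciphertext is verified
' before anything is handed to the cipher.
Public Class TripleDesHelper

    Private Const IvLength As Int32 = 8      ' 3DES block size in bytes
    Private Const MacLength As Int32 = 20    ' HMAC-SHA1 output size in bytes

    ' Returns Base64( IV || ciphertext || HMAC ). encKey must be a valid 3DES key.
    Public Shared Function Encrypt(ByVal plaintext As String, ByVal encKey As Byte(), _
                                   ByVal macKey As Byte()) As String
        Dim algorithm As TripleDES = TripleDES.Create()
        algorithm.Key = encKey
        algorithm.GenerateIV()                  ' a fresh IV for every message
        Dim plainBytes As Byte() = Encoding.UTF8.GetBytes(plaintext)

        Dim mStream As New MemoryStream()
        Dim cStream As New CryptoStream(mStream, algorithm.CreateEncryptor(), CryptoStreamMode.Write)
        cStream.Write(plainBytes, 0, plainBytes.Length)
        cStream.FlushFinalBlock()               ' emits the last, padded block
        Dim cipherBytes As Byte() = mStream.ToArray()
        cStream.Close()

        Dim body(IvLength + cipherBytes.Length - 1) As Byte
        Buffer.BlockCopy(algorithm.IV, 0, body, 0, IvLength)
        Buffer.BlockCopy(cipherBytes, 0, body, IvLength, cipherBytes.Length)
        Dim hmac As New HMACSHA1(macKey)
        Dim mac As Byte() = hmac.ComputeHash(body)

        Dim framed(body.Length + MacLength - 1) As Byte
        Buffer.BlockCopy(body, 0, framed, 0, body.Length)
        Buffer.BlockCopy(mac, 0, framed, body.Length, MacLength)
        Return Convert.ToBase64String(framed)
    End Function

    ' Checks the HMAC in constant time, then decrypts. Throws CryptographicException
    ' on a tampered token; a wrong key surfaces as a padding error from FlushFinalBlock.
    Public Shared Function Decrypt(ByVal encoded As String, ByVal encKey As Byte(), _
                                   ByVal macKey As Byte()) As String
        Dim framed As Byte() = Convert.FromBase64String(encoded)
        If framed.Length < IvLength + 8 + MacLength Then
            Throw New CryptographicException("Token too short")
        End If
        Dim bodyLength As Int32 = framed.Length - MacLength
        Dim body(bodyLength - 1) As Byte
        Buffer.BlockCopy(framed, 0, body, 0, bodyLength)

        Dim hmac As New HMACSHA1(macKey)
        Dim expected As Byte() = hmac.ComputeHash(body)
        Dim diff As Int32 = 0
        For i As Int32 = 0 To MacLength - 1     ' no early exit: timing stays constant
            diff = diff Or (expected(i) Xor framed(bodyLength + i))
        Next
        If diff <> 0 Then Throw New CryptographicException("Authentication failed")

        Dim iv(IvLength - 1) As Byte
        Buffer.BlockCopy(body, 0, iv, 0, IvLength)
        Dim algorithm As TripleDES = TripleDES.Create()
        Dim mStream As New MemoryStream()
        Dim cStream As New CryptoStream(mStream, algorithm.CreateDecryptor(encKey, iv), _
                                        CryptoStreamMode.Write)
        cStream.Write(body, IvLength, bodyLength - IvLength)
        cStream.FlushFinalBlock()               ' strips the padding
        Dim plainBytes As Byte() = mStream.ToArray()
        cStream.Close()
        Return Encoding.UTF8.GetString(plainBytes)
    End Function

    Public Shared Sub Main()
        ' Constructed demo keys; a real application loads them from protected storage
        Dim keyGen As TripleDES = TripleDES.Create()   ' yields a valid, non-weak 3DES key
        Dim encKey As Byte() = keyGen.Key
        Dim macKey(31) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(macKey)

        Dim token As String = Encrypt("account=4711;role=user", encKey, macKey)
        Console.WriteLine("Token:      " & token)
        Console.WriteLine("Round trip: " & Decrypt(token, encKey, macKey))

        ' Flip one ciphertext bit: the MAC check rejects it before decryption runs
        Dim raw As Byte() = Convert.FromBase64String(token)
        raw(IvLength) = CByte(raw(IvLength) Xor 1)
        Try
            Decrypt(Convert.ToBase64String(raw), encKey, macKey)
        Catch ex As CryptographicException
            Console.WriteLine("Tampered token rejected: " & ex.Message)
        End Try
    End Sub
End Class
```

The code uses only classes present since .NET Framework 1.0 (HMACSHA1, Buffer.BlockCopy, RNGCryptoServiceProvider), so it builds against the 1.x versions the column targets as well as later ones, and it compiles with Option Strict On. The MAC matters most in a Web application: without it, anyone who can submit a token can alter the ciphertext and use the decryptor's error behaviour to probe it, whereas here a modified token never reaches the cipher.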
Simple, right? Unfortunately, the really hard part is
hidden in the comment in the decryption code about reading the key from "some
secure storage location." Key management is difficult in any application
of encryption. With symmetric encryption you have a shared secret that one
party must transmit securely to the other so that each can encrypt and decrypt
the data. (The initialization vector is not a secret and can be stored next to
the cipher text, though it should be fresh for every message; it is the key
that needs protecting.) With asymmetric encryption, public and private key
pairs, you still have to store your private key securely. None of this is easy
to do well, and doing it wrong can open huge security holes in custom
applications, particularly in Web applications.
That's why one of the most useful encryption technologies
isn't a part of .NET at all (in .NET 1.x you reach it through P/Invoke).
Instead, it is part of every desktop and server version of Windows since
Windows 2000. It is called the Data Protection API (DPAPI). It encrypts data
for you with keys that Windows derives from the user's logon credentials (or,
for the machine store, from a machine-specific secret) and keeps inside the
operating system, so your code never handles a key at all. That greatly
simplifies the code you need to write while taking care of securely storing
encryption keys. Used correctly, by supplying additional secret entropy of your
own with the call, it can even protect data from rogue applications running
under the same login used to encrypt the data in the first place.
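The DPAPI call the paragraph describes, as an added example that is neither the column's code nor a preview of the later installments: .NET 1.x has no managed wrapper, so the class below reaches the Win32 functions CryptProtectData and CryptUnprotectData in crypt32.dll through P/Invoke. The DpapiWrapper name, the description string, the demo secret and the entropy value are assumptions of this example. It runs only on Windows. The entropy passed to Protect must be passed again to Unprotect; that is what keeps another process under the same login from reading the data, and it means the entropy itself becomes a secret the application has to manage.

```vb
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Text

' P/Invoke wrapper for DPAPI (added example, not the column's code). Windows
' derives and stores the key itself, so the application never handles one;
' the optional entropy is an extra secret that other processes under the same
' login would also need in order to unprotect the data.
Public Class DpapiWrapper

    ' Native DATA_BLOB: byte count plus a pointer to unmanaged memory
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure DATA_BLOB
        Public cbData As Int32
        Public pbData As IntPtr
    End Structure

    ' Never show a UI prompt; required in services and the ASP.NET worker process
    Private Const CRYPTPROTECT_UI_FORBIDDEN As Int32 = &H1

    <DllImport("crypt32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function CryptProtectData(ByRef pDataIn As DATA_BLOB, _
        ByVal szDataDescr As String, ByRef pOptionalEntropy As DATA_BLOB, _
        ByVal pvReserved As IntPtr, ByVal pPromptStruct As IntPtr, _
        ByVal dwFlags As Int32, ByRef pDataOut As DATA_BLOB) As Boolean
    End Function

    <DllImport("crypt32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function CryptUnprotectData(ByRef pDataIn As DATA_BLOB, _
        ByVal ppszDataDescr As IntPtr, ByRef pOptionalEntropy As DATA_BLOB, _
        ByVal pvReserved As IntPtr, ByVal pPromptStruct As IntPtr, _
        ByVal dwFlags As Int32, ByRef pDataOut As DATA_BLOB) As Boolean
    End Function

    ' DPAPI allocates its output with LocalAlloc; the caller releases it
    <DllImport("kernel32.dll")> _
    Private Shared Function LocalFree(ByVal hMem As IntPtr) As IntPtr
    End Function

    ' Copies a managed byte array into unmanaged memory described by a DATA_BLOB
    Private Shared Function ToBlob(ByVal data As Byte()) As DATA_BLOB
        Dim blob As New DATA_BLOB
        If (Not data Is Nothing) AndAlso data.Length > 0 Then
            blob.cbData = data.Length
            blob.pbData = Marshal.AllocHGlobal(data.Length)
            Marshal.Copy(data, 0, blob.pbData, data.Length)
        End If
        Return blob
    End Function

    Private Shared Sub FreeBlob(ByRef blob As DATA_BLOB)
        If Not blob.pbData.Equals(IntPtr.Zero) Then Marshal.FreeHGlobal(blob.pbData)
        blob.pbData = IntPtr.Zero
    End Sub

    ' Both DPAPI calls share the same shape apart from the description argument
    Private Shared Function CallDpapi(ByVal protect As Boolean, ByVal input As Byte(), _
                                      ByVal entropy As Byte()) As Byte()
        Dim inBlob As DATA_BLOB = ToBlob(input)
        Dim entropyBlob As DATA_BLOB = ToBlob(entropy)
        Dim outBlob As New DATA_BLOB
        Try
            Dim ok As Boolean
            If protect Then
                ok = CryptProtectData(inBlob, "DpapiWrapper example", entropyBlob, IntPtr.Zero, _
                                      IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, outBlob)
            Else
                ok = CryptUnprotectData(inBlob, IntPtr.Zero, entropyBlob, IntPtr.Zero, _
                                        IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, outBlob)
            End If
            ' Wrong user, wrong entropy or a corrupted blob all surface here as a Win32 error
            If Not ok Then Throw New Win32Exception(Marshal.GetLastWin32Error())
            Dim result(outBlob.cbData - 1) As Byte
            Marshal.Copy(outBlob.pbData, result, 0, outBlob.cbData)
            LocalFree(outBlob.pbData)
            Return result
        Finally
            FreeBlob(inBlob)
            FreeBlob(entropyBlob)
        End Try
    End Function

    Public Shared Function Protect(ByVal plaintext As Byte(), ByVal entropy As Byte()) As Byte()
        Return CallDpapi(True, plaintext, entropy)
    End Function

    Public Shared Function Unprotect(ByVal blob As Byte(), ByVal entropy As Byte()) As Byte()
        Return CallDpapi(False, blob, entropy)
    End Function

    Public Shared Sub Main()
        ' Constructed demo values
        Dim secret As Byte() = Encoding.UTF8.GetBytes("server=db01;uid=app;pwd=demo-only")
        Dim entropy As Byte() = Encoding.UTF8.GetBytes("per-application secret")
        Dim blob As Byte() = Protect(secret, entropy)
        Console.WriteLine("Protected blob: " & blob.Length & " bytes")
        Console.WriteLine("Recovered: " & Encoding.UTF8.GetString(Unprotect(blob, entropy)))
        ' A process under the same login that lacks the entropy fails here
        Try
            Unprotect(blob, Encoding.UTF8.GetBytes("wrong entropy"))
        Catch ex As Win32Exception
            Console.WriteLine("Unprotect with wrong entropy failed: " & ex.Message)
        End Try
    End Sub
End Class
```

Without the CRYPTPROTECT_LOCAL_MACHINE flag the blob is tied to the user profile of the account that called Protect, which is the first thing to check when an ASP.NET application can protect data in a developer's session but cannot unprotect it under the worker-process account; the flag value and the profile-loading caveats are exactly the limitations the column promises to cover in later installments.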
In the next few installments of this column, I'll cover in
more detail what DPAPI can and can't do for you and explore some of the ways
you can get around its limitations when used with ASP.NET applications.
Don Kiely is senior
technology consultant for Information Insights, a business and technology
consultancy in Fairbanks, Alaska. E-mail him at donkiely@computer.org.