October 23, 2003 12:10 AM

Encryption Made (Sort of) Easy

Encrypt your .NET data in a few simple steps.
DevConnections

Troubleshooting Tips

LANGUAGES: VB .NET

ASP.NET VERSIONS: 1.0 | 1.1

 

Microsoft designed the .NET Framework with careful thought to security, making it one of the most secure development environments ever. That certainly isn't meant to say that it is secure; there are far too many flaws found in almost any widely deployed software product to claim complete security. But .NET meets many of the needs of secure applications, and the .NET Framework provides a host of security services.

 

Encryption is one of the strongest security features in the .NET Framework, with rich support for widely used encryption and hashing algorithms. It is highly extensible, so that you can take advantage of new algorithms and new implementations of algorithms easily through configuration files. Many features are built on top of the Windows Crypto API, while many others are available only in .NET. Its features are designed to allow the protection of transient data while it is moving across the network, as well as secure, long-term storage of sensitive data.

 

Encrypting data in .NET requires a few simple steps, assuming that you understand enough about which algorithms to use and how to use them securely:

 

'At the top of the code file:
Imports System.IO
Imports System.Security.Cryptography

'Get the plaintext and put it into a memory stream
Dim mStream As MemoryStream = New MemoryStream
Dim binMemWriter As BinaryWriter = New BinaryWriter(mStream)
binMemWriter.Write(txtPlaintext.Text)
mStream.Position = 0

'Define the algorithm: here, use TripleDES, using the default implementation
'(Create generates a random Key and IV; both must be kept to decrypt later)
Dim algorithm As TripleDES = TripleDES.Create

'Create a CryptoStream to wrap the plain text data stream
Dim cStream As CryptoStream = _
 New CryptoStream(mStream, algorithm.CreateEncryptor(algorithm.Key, algorithm.IV), _
 CryptoStreamMode.Read)

'Read the plain text, encrypting the data
'Size the buffer from Length, not Capacity: Capacity is the allocated size of the
'stream and is normally larger than the data written. Padding adds at most one
'8-byte block, and Read returns the number of cipher bytes actually produced
Dim cipher(CInt(mStream.Length) + 7) As Byte
Dim cipherLength As Int32 = cStream.Read(cipher, 0, cipher.Length)
Dim str(cipherLength - 1) As Char

'ChrW maps each byte value 0-255 to the character with the same code, so the
'conversion can be reversed with AscW; Chr goes through the system code page and cannot
For i As Int32 = 0 To cipherLength - 1
     str(i) = ChrW(cipher(i))
Next

 

Once this code executes, the str variable contains the encrypted cipher text. There are many ways to encrypt plaintext in .NET, of which the code above is one example. The steps are identical in C#.

 

Decrypting the cipher text is basically the same thing, but in reverse:

 

'Define the algorithm
Dim algorithm As TripleDESCryptoServiceProvider = _
  New TripleDESCryptoServiceProvider

'Read the crypto data, including key length, key, and initialization vector
'from some secure storage location
...

'Create a CryptoStream to decrypt the data
Dim mStream As MemoryStream = New MemoryStream
Dim cStream As CryptoStream = _
 New CryptoStream(mStream, algorithm.CreateDecryptor(key, iv), _
 CryptoStreamMode.Write)

'Get the plaintext
cStream.Write(encryptData, 0, iCipherLength)
'Flush the final block: until this call the last 8 bytes of plaintext are
'still buffered inside the CryptoStream and mStream is incomplete
cStream.FlushFinalBlock()
mStream.Position = 0
Dim binMemReader As BinaryReader = New BinaryReader(mStream)

txtPlaintext.Text = binMemReader.ReadString

 

Simple, right? Unfortunately, the really hard part is embodied in the comment in the decryption code about reading the key from "some secure storage location." Key management is very difficult in any application of encryption. If you use symmetric encryption you have a shared secret that one party needs to transmit securely to another party so that they can alternately encrypt and decrypt data. If you use asymmetric encryption - such as with public and private key pairs - you still have to store your private key securely. These are not easy things to do securely. Doing it wrong can open huge security holes in custom applications, and particularly in Web applications.
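
The following console program is added here as a complete example and is not code from the article: it joins the two fragments above into one TripleDES round trip, passing the key and IV from the encrypting side to the decrypting side in memory only so that the handoff the decryption fragment leaves to "some secure storage location" is visible. The sample plaintext is constructed.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module TripleDesRoundTrip
    ' Encrypt plaintext with an explicit key and IV; returns the raw cipher bytes.
    Function Encrypt(ByVal plaintext As String, ByVal key() As Byte, ByVal iv() As Byte) As Byte()
        Using algorithm As TripleDES = TripleDES.Create()
            Using output As New MemoryStream()
                Using cStream As New CryptoStream(output, algorithm.CreateEncryptor(key, iv), CryptoStreamMode.Write)
                    Dim data() As Byte = Encoding.UTF8.GetBytes(plaintext)
                    cStream.Write(data, 0, data.Length)
                    ' Push out the final padded block; reading the stream before
                    ' this call would miss the last 8 bytes of ciphertext.
                    cStream.FlushFinalBlock()
                End Using
                Return output.ToArray()
            End Using
        End Using
    End Function

    ' Decrypt bytes produced by Encrypt. The same key AND the same IV are required.
    Function Decrypt(ByVal cipher() As Byte, ByVal key() As Byte, ByVal iv() As Byte) As String
        Using algorithm As TripleDES = TripleDES.Create()
            Using output As New MemoryStream()
                Using cStream As New CryptoStream(output, algorithm.CreateDecryptor(key, iv), CryptoStreamMode.Write)
                    cStream.Write(cipher, 0, cipher.Length)
                    ' Also checks and strips the PKCS#7 padding; throws when the padding
                    ' does not verify, the usual sign of a wrong key or altered ciphertext.
                    cStream.FlushFinalBlock()
                End Using
                Return Encoding.UTF8.GetString(output.ToArray())
            End Using
        End Using
    End Function

    Sub Main()
        ' A fresh random 24-byte key and 8-byte IV from the provider itself.
        Dim key() As Byte, iv() As Byte
        Using keyGen As TripleDES = TripleDES.Create()
            key = keyGen.Key
            iv = keyGen.IV
        End Using
        ' Constructed sample input, not real data.
        Dim plaintext As String = "account 0000-1111, balance 42.00"
        Dim cipher() As Byte = Encrypt(plaintext, key, iv)
        ' Base64 carries the cipher bytes as text without loss (Chr on each byte does not).
        Console.WriteLine("Ciphertext: " & Convert.ToBase64String(cipher) & " (" & cipher.Length & " bytes)")
        Console.WriteLine("Round trip OK: " & (Decrypt(cipher, key, iv) = plaintext).ToString())
    End Sub
End Module
```

The printed length is always a multiple of 8, since the 32-byte sample gains one full block of padding; drop or alter a single cipher byte and FlushFinalBlock in Decrypt raises a CryptographicException instead of returning text.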

 

That's why one of the most useful encryption technologies isn't a part of .NET at all. Instead, it is part of all desktop and server versions of Windows since Windows 2000. It is called the Data Protection API (DPAPI) and acts as a vehicle for encrypting data, as well as using the deepest, most secure bowels of Windows to protect your data. It can greatly simplify the code you need to write while taking care of securely storing encryption keys. Used correctly, it can even protect data from rogue applications running under the same login used to encrypt the data in the first place.

 

In the next few installments of this column, I'll cover in more detail what DPAPI can and can't do for you and explore some of the ways you can get around its limitations when used with ASP.NET applications.

 

Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, Alaska. E-mail him at donkiely@computer.org.

 

 

 

 
