A Simple Quickstart with Encryption (Concepts)
There has been so much talk about Encryption and Decryption in
the forums. We do keep suggesting code snippets to use for the
same. I just thought I would start a small discussion on the
fundamentals of the concept, its needs and a few pointers to
elegant encryption frameworks.
Necessity of Data Security
Data security from prying eyes has always been a problem that
keeps haunting the minds of a project manager. When it comes to a
web application delivered through unsecured HTTP, the essence and
criticality of data security assumes significant momentum.
Furthermore, during these days when we chose to outsource our
hosting requirements to third party hosting companies instead of in
house so that the mundane tasks related to hosting like managing
the infrastructure etc. can be efficiently taken care of. However,
this outsourcing pops up an issue with the security of our
application like Configuration Keys in the Web.config for
instance.
Disclaimer (on this article)
- Here as a quick note, let us tour around a few places from a
beginner's perspective to make encryption easy. Since the target
audience of the note is going to be a beginner, I am refraining
from delving deep into advanced concepts of Cryptography for the
simple reason that they would get overwhelmed. Let us take them as
followup articles as time progresses.
- The encryption technology can not be just applied from a web
developer though it might look that easy after reading this
article. Since it revolves around the security of the data and the
integrity of the system, the encryption algorithm has to be chosen
with care and precaution. Typical enterprises need upto Project
Architect to give a nod on even the particular encryption algorithm
or cipher strength to be adopted for an application.
- Deducing from (2) on a bird's eye view, the following factors
have to be mandatorily considered for a good encryption
implementation in an application:
- Cipher strength needed for encryption
- Type of encryption
- Hash: Typical application credentials are good candidates for
hash but remember that once the password gets hashed you can get it
back. You need to reset the password by creating a new hash.
- Reversible: Based on using a key or without a key, it encrypts
a particular data into unreadable and garbled format. Only on
applying the particular algorithm and the optional key, you can get
the data back.
- Encryption Algorithm: The choice of algorithm also plays a
significant role particularly as a futuristic purpose, when the
application needs to be integrated with other applications.
Surface Area
Let us briefly see which are the little surface areas which we
can try protecting from prying eyes. On the quick recall from the
web application perspective, the following are the very commonly
used ones:
- Transfer data across pages using QueryStrings, Forms and
Cookies
- Passwords and other confidential information in Web.config
Simpler Methods:
- Trusted Connection: Where possible, have the
database credentials to integrate with the operating system
credentials. This way, you need not specify the explicit usernames
and passwords in any files. You can find this informative
configuration information on Trusted Connections here ("http://weblogs.asp.net/achang/archive/2004/04/15/113866.aspx">http://weblogs.asp.net/achang/archive/2004/04/15/113866.aspx).
- Least Privileges: Let the running agent like
ASP.NET Worker Process always have least privileges both on
database (deduced from (1)) and on the local file system. That way,
if a hacker gets hold of the system using the Worker Process
account, the surface area under attack is minimum.
- Security By Obscurity: Not always you need to
earn the heaviness of encryption. Particularly in the case of
querystrings where you just pass some identifier information for
the next page. You can apply a simple obscruity like one of the
following:
- You can simply rotate the characters in the text or shift a few
bits in the ASCII value of the characters of the encryption
text.
- You can also have a Convert.ToBase64String() called to make
string appear as uncomprehendable set of characters and then for
decryption, you can make a Convert.FromBase64String().
I am leaving back all the codesnippets instead of spoon-feeding to
the user and to initiate an exploring initiative from within them.
Each of the snippet that involves From and To Base64 strings are
hardly a couple of lines though. :)
- Frameworks: There are quite a lot of
encryption algorithms supported in .NET Framework. A few of them
are SHA1, MD5, BlowFish, TwoFish. All encryption related
functions are available from System.Cryptography.
P.S.: .NET Framework base class libraries do not support directly
BlowFish and TwoFish cryptography.
- Cipher Strengths The strength of key
significantly affects the performance of the application. Stronger
the key it takes more horsepower to encrypt and decrypt and more
harder for the hacker to break in to the application.
Opensource Framework: I have come across
a framework for encryption from CodeProject called href="http://www.codeproject.com/dotnet/xcrypt.asp" target=
"_blank">XCrypt. Perhaps for encryption related questions, you
would observed me strongly suggesting this. The advantages of this
application are little to many. A few good points on this component
are:
- Opensource. No license involved.
- Full managed code. So no performance penalty or other issues
dealing with COM or unmanaged resources, memory leak, DLL Hell
etc.
- Even supports algorithms like TwoFish and BlowFish which do not
have an implementation in .NET Framework BCL
(Base
Class
Library)
- A simple single assembly that is smaller in size and hence ease
of portability.
- A simple intuitive windows forms application as a test kit to
test encryption and decryption using the component.
Summarizing...
Cryptography is not a big herculean task. The underlying purpose
of cryptography is to keep the data secure from prying eyes thus
ensuring the integrity of the system and timely availability of
data. When I say timely availability, it also addresses the
performance penalties that the cryptography framework applies to
the system.
I hope that this quick starter note would take the beginner user
into the world of cryptography, enabling him to explore more and
make thier applications safer, secure, robust and more
reliable.