Application of Cryptography in .NET Framework

weyrharrasΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 4 μήνες)

58 εμφανίσεις

Application of Cryptography
in .NET Framework
Paul Lo
Software Engineer in Cyberwisdom.net
M.Math(CS), MCSD..net
Overview
•Basic Cryptography
•CryptoAPI enhancement in .NET
•AES support in .NET
•XML Signature support in .NET
•DPAPI support in .NET
Cryptography
• Major categories:
• Hashing
• Produces a unique message digest of known fixed size. It
is computationally infeasible to get the original data
from message digest
.
• Symmetric encryption
• Encrypting data with a key (secret-key), making it
computationally infeasible to decrypt without using the
same key. Symmetric encryption is faster than
asymmetric encryption
• Asymmetric encryption
• Encrypting data with a key (public-key or private-key) of a
key-pair, making it computationally infeasible to decrypt
without using the complement key in the same key-pair.
Application
• Digital Envelope
• Use Asymmetric encryption for key exchange
• Use symmetric encryption for message encryption
• Digital Signing
• Use Hash algorithm and Asymmetric encryption to
provide authentication and data integrity
• Digital Certificate
• PKI and CA (Certification Authority)
• Facilitate the exchange of public key for encryption
CryptoAPI
Application A
Application A
• Application programming interface that
enables application developers to add
authentication, encoding, and encryption to
Windows-based applications
Application C
Application C
Application B
Application B
(CryptoAPI)
Operating System
(CryptoAPI)
Operating System
Cryptographic
Service Provider #1
Cryptographic
Service Provider #1
CryptoAPI
CryptoSPI
Application
Layer
System
Layer
Service
Provider
Layer
Cryptographic
Service Provider #N
Cryptographic
Service Provider #N
Cryptography in .NET
• Namespace: System.Security.Cryptography
Classes defined in the System.
Cryptography.Xml namespace used to
represent digital signatures in XML
documents
XML Digital
Signature
Classes defined in the System.Security.
Cryptography.X509Certificates namespace
used to represent digital certificates
X.509
Certificates
Classes used to generate random numbers,
perform conversions, interact with the Crypto
API store.
Helper
Classes
A set of classes used to implement both
symmetric and asymmetric encryption and
hash algorithms
Encryption
Algorithms
Hashing
HashAlgorithm
HashAlgorithm
KeyedHashedAlgorithm
KeyedHashedAlgorithm
HMACSHA1
HMACSHA1
MACTripleDES
MACTripleDES
SHA256
SHA256
SHA512
SHA512
SHA384
SHA384
SHA1CryptoServiceProvider
SHA1CryptoServiceProvider
SHA1Managed
SHA1Managed
SHA256Managed
SHA256Managed
SHA384Managed
SHA384Managed
SHA512Managed
SHA512Managed
SHA1
SHA1
MD5
MD5
MD5CryptoServiceProvider
MD5CryptoServiceProvider
Symmetric Algorithm
SymmetricAlgorithm
SymmetricAlgorithm
DESCryptoServiceProvider
DESCryptoServiceProvider
TripleDES
TripleDES
RijndaelManaged
RijndaelManaged
TripleDESCryptoServiceProvider
TripleDESCryptoServiceProvider
Rijndael
Rijndael
RC2
RC2
RC2CryptoServiceProvider
RC2CryptoServiceProvider
DES
DES
Asymmetric Algorithm
AsymmetricAlgorithm
AsymmetricAlgorithm
DSACryptoServiceProvider
DSACryptoServiceProvider
RSA
RSA
RSACryptoServiceProvider
RSACryptoServiceProvider
DSA
DSA
Enchancement
• How Is the programming model exposed in
System.Security.Cryptography different from Microsoft
CryptoAPI?
• System.Security.Cryptographyuses a stream based
programming model, based on the CryptoStreamclass, which
derives from the System.IO.Stream class). The CryptoStream
class takes care of all necessary buffering.
• System.Security.Cryptography populates the algorithm
parameters with strong defaults, subject to the availability of
strong cryptography on the platform, so that users will get a
strong crypto algorithm by simply instantiating the respective
class.
• Result?
EASY TO USE!!
Application: User password
encryption
• Goal: Keep user password safe, yet usable.
• Recommendation: Hash (Salt + Password)
• Storing a password:
• Create a unique “salt” for the user
• Prepend the salt to the password string
• Encrypt using SHA1: SHA1.ComputeHash( );
• Store both salt and cipher text
• To verify, re-hash with salt and password
Application: User password
encryption
•Demo
Application: Encryption using AES
• What is AES ?
• The Advanced Encryption Standard (AES) is the
current encryption standard intended to be used by
U.S. Government to protect sensitive information.
• On 2nd Oct 2002, NIST selected Rijndael as the
new AES (replacing DES).
• 128-bit AES for use up to SECRET level
• 192-bit AES for use up to TOP SECRET level.
• NIST also proposed SHA-256, SHA-384, SHA-
512 to support Rijndael
Application: Encryption using AES
•Demo
Recommendations in using
AES
•AES is strong only when it is applied
carefully
•Possible weak point: Key exchange
•Recommend:
•Use 1024-bit RSA for key exchange
•Use ECC key exchange algorithm
Application: Signing and verifying
XML Signature
•System.Security.Cryptography.Xml
•Provides integrity and authentication
•Application:
•Sign XML files
•Sign file specified by a URI using a detached
signature
Application: Signing and verifying
XML Signature
•Demo
Data Protection API (DPAPI)
• Extends CryptoAPI
•Key is derived from
current user credentials
•Uses TripleDES
encryption
• Supports entropy
• Additional secret used
to secure the data to a
single application
• Best for:
• Protecting offline data
• Protecting user-
specific configuration
data
Application
Application
DataProtection.vb
DataProtection.vb
CryptoAPI
Crypt32.dll
CryptoAPI
Crypt32.dll
DPAPI
Local Security
Authority (LSA)
Local Security
Authority (LSA)
DPAPI
Now is the
time for all
Good…
Now is the
time for all
Good…
qANQR1D
BAsUHIsQ
EA…
qANQR1D
BAsUHIsQ
EA…
Local RPC
Calls
Plaintext data
Operating
System
Application: Storing a connection
string using DPAPI
•Demo
Application: Store offline data
using DPAPI
•Demo
Recommendation in using DPAPI
• For use with user-specific or machine-specific
data
• The generated keys are either user-specific or
machine-specific
• Data encrypted by DPAPI cannot be decrypted
by machine other than the encrypting one.
• Use DPAPI for encrypting symmetric keys
instead, which is further used to
encrypt/decrypt cross machine data.
Summary
• Powerful yet easy to use
System.Security.Cryptography namespace
• AES support
• Xml Signature
• DPAPI provides a fast and easy way for
encryption without managing the keys.
Reference
• MSDN
http://msdn.microsoft.com/library/default.asp?url=/library/
en-us/cpguide/html/cpconCryptographyOverview.asp
• Microsoft Patterns and Practices
http://www.microsoft.com/resources/practices/
• Cryptography and Secure Communications
http://www.microsoft.com/technet/security/topics/crypto/d
efault.mspx
Q & A