Cryptography Essentials
This section provides an in-depth look at cryptographic concepts and their implementation within Microsoft technologies.
Introduction to Cryptography
Cryptography is the science of secret communication. It provides methods for ensuring confidentiality, integrity, and authenticity of data. In software development, it's crucial for protecting sensitive information, securing network communications, and verifying the identity of users and systems.
Key goals of cryptography include:
- Confidentiality: Ensuring that only authorized parties can access information.
- Integrity: Guaranteeing that information has not been altered during transmission or storage.
- Authenticity: Verifying the source of information and the identity of the sender.
- Non-repudiation: Preventing a sender from denying that they sent a message.
Types of Cryptography
There are two primary types of cryptographic algorithms:
Symmetric Cryptography
Also known as secret-key cryptography, symmetric cryptography uses a single, shared secret key for both encryption and decryption. It's generally faster than asymmetric cryptography, making it suitable for encrypting large amounts of data.
Common symmetric algorithms include:
- Advanced Encryption Standard (AES)
- Data Encryption Standard (DES) - Largely superseded by AES
- Triple DES (3DES)
Example Use Case: Encrypting files stored on a disk or securing communication channels where both parties already share a secret.
Asymmetric Cryptography
Also known as public-key cryptography, asymmetric cryptography uses a pair of keys: a public key for encryption and a private key for decryption. The public key can be shared freely, while the private key must be kept secret. This enables secure communication without prior secret key exchange.
Common asymmetric algorithms include:
- Rivest–Shamir–Adleman (RSA)
- Elliptic Curve Cryptography (ECC)
- Diffie-Hellman key exchange
Example Use Case: Digital signatures, secure key exchange (e.g., in TLS/SSL), and encrypting small amounts of data like symmetric keys.
Hashing Functions
Cryptographic hash functions are one-way functions that take an input of any size and produce a fixed-size output, known as a hash or message digest. They are essential for data integrity verification and password storage.
Key properties of secure hash functions:
- Deterministic: The same input always produces the same output.
- Pre-image resistance: It's computationally infeasible to find the original input given only the hash output.
- Second pre-image resistance: It's computationally infeasible to find a different input that produces the same hash as a given input.
- Collision resistance: It's computationally infeasible to find two different inputs that produce the same hash output.
Common hash algorithms include:
- SHA-256 (Secure Hash Algorithm 256-bit)
- SHA-3
- MD5 (Message-Digest Algorithm 5) - Considered cryptographically broken and should not be used for security purposes.
Example Use Case: Verifying file integrity after download, storing password hashes instead of plain text passwords.
Digital Signatures
Digital signatures provide authenticity and integrity using asymmetric cryptography. A sender uses their private key to sign a message (or a hash of the message), and the recipient uses the sender's public key to verify the signature.
The process involves:
- The sender hashes the message.
- The sender encrypts the hash with their private key, creating the digital signature.
- The sender sends the original message and the digital signature to the recipient.
- The recipient hashes the received message.
- The recipient decrypts the digital signature using the sender's public key to retrieve the original hash.
- The recipient compares their calculated hash with the decrypted hash. If they match, the signature is valid, proving authenticity and integrity.
Key Management
Securely managing cryptographic keys is as important as using strong algorithms. This includes generation, storage, distribution, rotation, and revocation of keys.
Cryptography in the .NET Framework / .NET Core
The .NET platform provides a robust set of classes in the System.Security.Cryptography namespace for implementing various cryptographic operations.
Key classes include:
Aesfor symmetric encryption.RSAfor asymmetric encryption and digital signatures.SHA256for hashing.X509Certificate2for managing X.509 certificates used in public key infrastructure.
Example: AES Encryption and Decryption in C#
using System;
using System.Security.Cryptography;
using System.Text;
public class AesExample
{
public static void Main(string[] args)
{
string original = "This is a secret message.";
using (Aes aes = Aes.Create())
{
// Get an encryptor.
ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
// Create the streams and lists to hold the encrypted data.
using (MemoryStream msEncrypt = new MemoryStream())
{
using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
{
//Encrypt the all the text from the subscriber.
swEncrypt.Write(original);
}
byte[] encrypted = msEncrypt.ToArray();
Console.WriteLine("Encrypted: " + Convert.ToBase64String(encrypted));
// Create a decryptor to go from Cryptograpgic Operation to Plain text
ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV);
//Create the streams and lists to hold all the decrypted data.
using (MemoryStream msDecrypt = new MemoryStream(encrypted))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Read the decrypted bytes from the decryptor stream and convert them to string.
string decrypted = srDecrypt.ReadToEnd();
Console.WriteLine("Decrypted: " + decrypted);
}
}
}
}
}
}
}
}