ecurity is one of the most important aspects in the software development life cycle. Everyday some software product's exploit is published all over the Internet. As soon as an attacker has gains access to the software system, he can do with the system what he wantsas well as gain access to the database in the background. For example, a smart client that stores all application data in a local database is an easy target for a hacker who knows how to exploit its vulnerability. The solution to this problem is to encrypt the sensitive data (such as credit card numbers, etc.) stored in your data storage, such as SQL Server. That way, an attacker must work much harder to take control of a system or hack into important data in your database.
During the development of the Enterprise Library, Microsoft addressed these security requirements. The Enterprise Library offers the Security Application Block for authenticating and authorizing users and the Cryptography Application Block for encrypting and decrypting sensitive data through several implemented algorithms. This article demonstrates the Cryptography Application Block, which provides the following functionalities:
- Encryption and decryption of sensitive data
- Calculation of hash values
|Figure 1. The Configuration Console of the Enterprise Library|
Like all the other Enterprise Library application blocks, the Cryptography Application Block also is completely extensible, so you can implement your own security enhancements such as homegrown algorithms developed within your own organization. The following section offers a detailed look at the configuration of the Cryptography Application Block.
Cryptography Application Block Configuration
As with the other Application Blocks in the Enterprise Library, you perform all configurations for the Cryptography Application Block through the Configuration Console tool (see Figure 1
Through the Configuration Console, you can determine which algorithms the application block uses for the encryption and decryption of sensitive data and how these algorithms are configured. Currently, the Cryptography Application Block supports only symmetric algorithms, which use one shared key for both encryption and decryption. One big advantage this approach has over public/private key solutions is better performance. (Public/private key solutions always take more time for calculation.) Its disadvantage is that you work with a shared secret that both parties must know. Therefore, you must use your shared key very carefully, because as soon as an attacker gets your shared key, he has direct access to your encrypted data!
To use the Cryptography Application Block, you must add it to your configuration through the Configuration Console as shown in Figure 2.
|Figure 2. Adding the Cryptography Application Block to Your Configuration|
As soon as you have added the Cryptography Application Block, you can add symmetric algorithms and hash providers to your configuration. Currently, the Cryptography Application Block provides three algorithm providers out of the box (see Table 1).
|Custom Symmetric Cryptography Provider
||This provider enables you to add your own symmetric algorithm to the Cryptography Application Block.
|DAPI Symmetric Cryptography Provider
||This provider enables you to encrypt your data through the DAPI (Data Protection API) of the underlying operating system.
|Symmetric Algorithm Provider
||This provider enables you to configure a symmetric key algorithm.
|Table 1. Out-of-the-Box Algorithm Providers in Cryptography Application Block|
If you choose the Symmetric Algorithm Provider, you can configure an existing algorithm. Currently, the Enterprise Library provides the following algorithms:
- DESCryptoServiceProvider the cryptographic service provider (CSP) version of the Data Encryption Standard (DES) algorithm
- RC2CryptoServiceProvider the CSP version of the RC2 encryption standard algorithm
- RijndaelManaged the CSP version of the Rijndael encryption standard algorithm
- TripleDESCryptoServiceProvider the CSP version of the Triple DES algorithm
To enable the provider to be accessed from code (C# or VB.NET), you also must give each added provider a unique name. The following subsection details the configuration of a hash provider.