The indisputable appeal of Web services will drive most organizations to evaluate development platforms such as .NET. However, security concerns have always made organizations reluctant to embrace new technologies. Fortunately, well-proven security and network technologies such as virtual private networks (VPNs) and firewalls can improve the security and performance of Web service applications tremendously, and free developers from having to implement still-evolving, XML-based security technologies into their applications.
Despite computer security's fundamental importance, few code examples show how to use the .NET security and cryptography classes. Look in the indexes of most .NET books and you won't find any entries for security, much less cryptography.
In this article, I explain how to use the .NET encryption and key-generating classes in your own VB programming. I also provide a working utility that encrypts or decrypts files. With this utility, you can easily maintain a secret file on your hard drive that, for example, holds all your password/username pairs, your various investments, and any other information that you want to keep private. You also could encrypt files before sending them to others over the Internet. Encryption has many uses, and you can customize the utility program to suit your special needs (e.g., adding batch file processing and so on).
Beware the Two Great Dangers
The two great computer security dangers are attacks and peeping. An attack can be a virus that attempts to delete files, slow down your computer, or cause some other damage. Peeping is usually more passive (you may never notice it), but it is a violation of your privacy: someone reads your data by getting access to your hard drive or intercepts messages you send over the Internet. Peeping can also include an attack if the intruder modifies the data that they read.
The best defense against peeping is cryptography. Encrypt your files effectively and you protect them from both peeping and modification by intruders. Encryption is also sometimes used to authenticate communications: users who know the secret password likely are who they say they are.
No security measures against peeping are totally foolproof, however, because someone else can potentially learn your secret password. I found this out the hard way when a friend bought the same model of fire safe that I did. The manufacturer must have produced only a few different keys, because his key fit my safe. Using his own key, he discovered the 1 oz. gold coins I had in my safe, stole them, and provided his girlfriend at the time with some nice presents.
The Requirements for .NET Cryptography
To tap into the .NET security features, you need Imports statements and encryption packs. First, to experiment with any of the code in this article, be sure that you add the following Imports statements at the top of your Visual Basic code window:
Second, note that the U.S. government restricted encryption in the past to prevent certain encryption technology from being exported. Although the restrictions are no longer in effect, the .NET framework prohibits "strong" or "high" encryption in export versions of the Windows OS. If you don't already have strong encryption capabilities in your version of Windows, you can download an update on the Microsoft Web site. Install the High Encryption Pack included in Service Pack 2 for Windows 2000, or Service Pack 6a for NT. Internet Explorer 5.5 also includes the High Encryption Pack for users of Windows ME, 95, and 98.
The Utility Encryptor/Decryptor Program
You can use the included utility to encrypt and decrypt files (click here for the full code). If you want to jump right in and start hiding the secrets in some of your files, just fire up the utility.
The utility surrounds the encryption, decryption, and key-generating procedures with some user interface conveniences. It provides a TextBox into which the user types a filename and another TextBox to type in the key. In the top TextBox of the utility, provide the path to the file that you want to encrypt. In the one below, type in an eight-character password (see Figure 1). The utility creates a new, encrypted file in the same folder as the original. This new file is given the same name as the original, except xx is appended. For example, MyFile.txt becomes MyFilexx.txt.
You don't have to delete the original file (MyFile.txt), but presumably you will since the whole point of encrypting is to conceal the data in the original file. To restore the plaintext file, enter MyFilexx.txt in the top TextBox and provide the password you used to encrypt it. The utility will then create a new, decrypted file named MyFile.txt that is identical to the original. In other words, the utility recognizes the appended xx on a filename as its cue to decrypt the ciphertext (the encrypted version of the original plaintext data).
Warning: If you encrypt a file and then forget the password you used to encrypt it, you won't be able to restore the file (decrypt it). Also, it's best to use a password that includes digits and special characters (like the pound sign), along with alphabetic characters. If you use only English words as obvious as your dog's name, any relative could get into your secret files.
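The file workflow described above (append xx to encrypt, strip xx to decrypt), as an added sketch that is not the article's utility or its code. It assumes .NET 8 or later and swaps in AES-GCM with a PBKDF2-derived key so that a password of any length works and a modified file is rejected on decryption; the module and function names, the on-disk layout and the iteration count are assumptions made for this example.

```vbnet
Imports System, System.IO, System.Linq
Imports System.Security.Cryptography

Module FileCryptExample
    Const SaltLen As Integer = 16, NonceLen As Integer = 12, TagLen As Integer = 16
    Const HeaderLen As Integer = SaltLen + NonceLen + TagLen
    Const Iterations As Integer = 600000 ' assumed PBKDF2 work factor; tune for your hardware
    ' Stretch the password into a 256-bit key; the salt is random per file.
    Function DeriveKey(password As String, salt As Byte()) As Byte()
        Return Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32)
    End Function
    ' The article's naming rule: MyFile.txt -> MyFilexx.txt, and back again.
    Function TargetPath(fileName As String, ByRef decrypting As Boolean) As String
        Dim stem = Path.GetFileNameWithoutExtension(fileName)
        decrypting = stem.EndsWith("xx", StringComparison.Ordinal)
        stem = If(decrypting, stem.Substring(0, stem.Length - 2), stem & "xx")
        Return Path.Combine(Path.GetDirectoryName(Path.GetFullPath(fileName)), stem & Path.GetExtension(fileName))
    End Function

    ' Output layout (chosen for this example): salt | nonce | tag | ciphertext.
    Function EncryptBytes(plain As Byte(), password As String) As Byte()
        Dim salt = RandomNumberGenerator.GetBytes(SaltLen)
        Dim nonce = RandomNumberGenerator.GetBytes(NonceLen)
        Dim tag(TagLen - 1) As Byte, cipher(plain.Length - 1) As Byte
        Using gcm As New AesGcm(DeriveKey(password, salt), TagLen)
            gcm.Encrypt(nonce, plain, cipher, tag)
        End Using
        Return salt.Concat(nonce).Concat(tag).Concat(cipher).ToArray()
    End Function

    Function DecryptBytes(blob As Byte(), password As String) As Byte()
        If blob.Length < HeaderLen Then Throw New CryptographicException("File too short")
        Dim salt = blob.Take(SaltLen).ToArray()
        Dim nonce = blob.Skip(SaltLen).Take(NonceLen).ToArray()
        Dim tag = blob.Skip(SaltLen + NonceLen).Take(TagLen).ToArray()
        Dim cipher = blob.Skip(HeaderLen).ToArray()
        Dim plain(cipher.Length - 1) As Byte
        Using gcm As New AesGcm(DeriveKey(password, salt), TagLen)
            gcm.Decrypt(nonce, cipher, tag, plain) ' throws on wrong password or modified file
        End Using
        Return plain
    End Function

    Sub Main(args As String()) ' usage: <file>; the password is read from stdin
        Dim decrypting As Boolean
        Dim target = TargetPath(args(0), decrypting)
        Dim data = File.ReadAllBytes(args(0)), password = Console.ReadLine()
        File.WriteAllBytes(target, If(decrypting, DecryptBytes(data, password), EncryptBytes(data, password)))
    End Sub
End Module
```

A plaintext file whose name happens to end in xx is passed to DecryptBytes, which rejects it through the length check or the tag mismatch before any output file is written.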