Security is one of the most important aspects of the software development life cycle. Every day, an exploit for some software product is published on the Internet. As soon as an attacker gains access to the software system, he can do with the system what he wants, as well as gain access to the database in the background. For example, a smart client that stores all application data in a local database is an easy target for a hacker who knows how to exploit its vulnerability. The solution to this problem is to encrypt the sensitive data (such as credit card numbers) stored in your data storage, such as SQL Server. That way, an attacker must work much harder to take control of a system or hack into important data in your database.
During the development of the Enterprise Library, Microsoft addressed these security requirements. The Enterprise Library offers the Security Application Block for authenticating and authorizing users and the Cryptography Application Block for encrypting and decrypting sensitive data through several implemented algorithms. This article demonstrates the Cryptography Application Block, which provides the following functionalities:
- Encryption and decryption of sensitive data
- Calculation of hash values
Figure 1. The Configuration Console of the Enterprise Library
Like all the other Enterprise Library application blocks, the Cryptography Application Block also is completely extensible, so you can implement your own security enhancements such as homegrown algorithms developed within your own organization. The following section offers a detailed look at the configuration of the Cryptography Application Block.
Cryptography Application Block Configuration
As with the other Application Blocks in the Enterprise Library, you perform all configurations for the Cryptography Application Block through the Configuration Console tool (see Figure 1).
Through the Configuration Console, you can determine which algorithms the application block uses for the encryption and decryption of sensitive data and how these algorithms are configured. Currently, the Cryptography Application Block supports only symmetric algorithms, which use one shared key for both encryption and decryption. One big advantage this approach has over public/private key solutions is better performance. (Public/private key solutions always take more time for calculation.) Its disadvantage is that you work with a shared secret that both parties must know. Therefore, you must use your shared key very carefully, because as soon as an attacker gets your shared key, he has direct access to your encrypted data!
To use the Cryptography Application Block, you must add it to your configuration through the Configuration Console as shown in Figure 2.
Figure 2. Adding the Cryptography Application Block to Your Configuration
As soon as you have added the Cryptography Application Block, you can add symmetric algorithms and hash providers to your configuration. Currently, the Cryptography Application Block provides three algorithm providers out of the box (see Table 1).
| Provider | Description |
|---|---|
| Custom Symmetric Cryptography Provider | This provider enables you to add your own symmetric algorithm to the Cryptography Application Block. |
| DPAPI Symmetric Cryptography Provider | This provider enables you to encrypt your data through the DPAPI (Data Protection API) of the underlying operating system. |
| Symmetric Algorithm Provider | This provider enables you to configure a symmetric key algorithm. |

Table 1. Out-of-the-Box Algorithm Providers in Cryptography Application Block
If you choose the Symmetric Algorithm Provider, you can configure an existing algorithm. Currently, the Enterprise Library provides the following algorithms:
- DESCryptoServiceProvider: the cryptographic service provider (CSP) version of the Data Encryption Standard (DES) algorithm
- RC2CryptoServiceProvider: the CSP version of the RC2 encryption standard algorithm
- RijndaelManaged: the CSP version of the Rijndael encryption standard algorithm
- TripleDESCryptoServiceProvider: the CSP version of the Triple DES algorithm
To enable the provider to be accessed from code (C# or VB.NET), you also must give each added provider a unique name. The following subsection details the configuration of a hash provider.
Hash Provider Configuration
You need a hash provider in order to calculate the hash value of some given data. This approach is often used for safely storing passwords in a data store: the application calculates the hash value of the provided password and stores this hash value in the database. When the user enters his password again, the system calculates the hash value of the current password and compares it to the stored hash value. When both hash values match, the user entered the correct password. Otherwise, he entered a wrong password.
The only disadvantage of this solution is that you can’t recreate the password from the hash value stored in the database. So, for example, you can’t email the password to the user when he forgets it. Table 2 lists the two hash providers available in the Cryptography Application Block.
| Provider | Description |
|---|---|
| Custom Hash Provider | This provider enables you to implement your own hash provider with your own underlying algorithm. |
| HashAlgorithmProvider | This provider uses a hash provider provided by the Cryptography Application Block. |

Table 2. Hash Providers Available in Cryptography Application Block
When you use the HashAlgorithmProvider, you can use the following hash algorithms:
- HMACSHA1: Hash-based Message Authentication Code (HMAC) using the SHA1 hash algorithm
- MACTripleDES: Message Authentication Code (MAC) using the Triple DES hash algorithm
- MD5CryptoServiceProvider: The MD5 hash algorithm CSP
- SHA1CryptoServiceProvider: The SHA1 hash algorithm CSP
- SHA1Managed: The SHA1 hash algorithm CSP for input data using the managed library
- SHA256Managed: The SHA256 hash algorithm CSP for input data using the managed library
- SHA384Managed: The SHA384 hash algorithm CSP for input data using the managed library
- SHA512Managed: The SHA512 hash algorithm CSP for input data using the managed library
You must also give the hash providers a unique name, as you do with the symmetric providers described previously.
Development with the Cryptography Application Block
Now that you know about the configuration of the Cryptography Application Block, it’s time to dive into actual programming code that demonstrates its simple usage. This section is divided into four scenarios, each of which shows a different use for the application block.
To encrypt sensitive data, you first must configure a symmetric provider as described previously. As soon as you have done that, you can use the method Cryptographer.EncryptSymmetric for data encryption as shown in Listing 1.
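    // Requires: using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;
    // First argument: the provider name set in the Configuration Console.
    string encryptedData = Cryptographer.EncryptSymmetric("MySymmetricProvider", "Data to encrypt");
    Console.WriteLine(encryptedData);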
As you can see, the first parameter must be the unique name of the symmetric provider you configured through the Configuration Console. The second string parameter contains the sensitive data to encrypt. You also have an overloaded version of this method, which allows you to supply the sensitive data as a byte array. The call to this overloaded method returns the encrypted data as a byte array as well. This approach enables you to encrypt binary data as well as string data.
Decrypting the encrypted data can be done through a call to the method Cryptographer.DecryptSymmetric, which also has an overloaded version for supplying a byte array for the decryption process. Listing 2 shows the necessary code.
    // The second argument is the encrypted string returned by EncryptSymmetric.
    string decryptedData = Cryptographer.DecryptSymmetric("MySymmetricProvider", "Data to decrypt");
    Console.WriteLine(decryptedData);
As you can see from both listings, the methods used for encryption and decryption are very easy and straightforward. All information regarding the different providers and algorithms is completely separated from development and configured visually through the Configuration Console. Therefore, an administrator also can reconfigure all the security aspects of the application without a recompilation of the underlying source code.
Hash Value Calculation
An additional function that the Cryptography Application Block offers is the usage of hash providers for calculating hash values. As mentioned previously, you can use hash values for the careful storage of passwords in a database (no cleartext). You also can create a hash value from a string through the method Cryptographer.CreateHash. Listing 3 provides further details.
    string hashValue = Cryptographer.CreateHash("MyHashProvider", "Data to hash");
    Console.WriteLine(hashValue);
The method accepts the name of the configured hash provider in the first parameter. (This hash provider is configured through the Configuration Console as described earlier.) The second parameter contains the data for which the hash value should be calculated.
Hash Value Comparison
As soon as you have calculated a hash value, you can compare it with another hash value through the method Cryptographer.CompareHash. Listing 4 shows how this works.
    // Arguments: provider name, plaintext to check, previously generated hash value.
    bool theSame = Cryptographer.CompareHash("MyHashProvider", "stringToCompare", "generated hash value");
    Console.WriteLine(theSame);
When you call this method, you must provide in the first parameter after the provider name the string for which a hash value should be calculated for the comparison, and not the actual hash value.
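The password-storage flow from the Hash Provider Configuration section and the create/compare pair in Listings 3 and 4, written directly against System.Security.Cryptography. This is an added example, not Enterprise Library code or code from the original article. It goes beyond the plain hash described above by adding a per-password random salt, a slow key derivation (PBKDF2) and a constant-time comparison. The class name, constants and sample passwords are assumptions, and it assumes .NET 6 or later.

```csharp
// Added example: salted password hashing with the same create/compare shape
// as Cryptographer.CreateHash / CompareHash. Not Enterprise Library code.
using System;
using System.Security.Cryptography;

public static class PasswordHashDemo
{
    const int SaltSize = 16;         // bytes of random salt per password
    const int HashSize = 32;         // bytes of derived hash
    const int Iterations = 600_000;  // PBKDF2 work factor (assumed value; tune for your hardware)

    // Returns Base64(salt || hash); this single string is what goes into the database.
    public static string CreateHash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        byte[] stored = new byte[SaltSize + HashSize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(hash, 0, stored, SaltSize, HashSize);
        return Convert.ToBase64String(stored);
    }

    // Same argument order as Listing 4: the plaintext first, then the stored hash value.
    public static bool CompareHash(string password, string storedHash)
    {
        byte[] stored;
        try { stored = Convert.FromBase64String(storedHash); }
        catch (FormatException) { return false; }      // corrupted or foreign value
        if (stored.Length != SaltSize + HashSize) return false;

        // Recover the salt that was used at creation time, then re-derive.
        byte[] salt = stored.AsSpan(0, SaltSize).ToArray();
        byte[] expected = stored.AsSpan(SaltSize).ToArray();
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample passwords.
        string first = CreateHash("correct horse");
        string second = CreateHash("correct horse");
        Console.WriteLine(first != second);            // same password hashed twice, fresh salt each time
        Console.WriteLine(CompareHash("correct horse", first));
        Console.WriteLine(CompareHash("wrong guess", first));
        Console.WriteLine(CompareHash("correct horse", "not-base64!"));
    }
}
```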
Quick, Easy, and Essential
The Cryptography Application Block is very simple to use because it consists of only four methods. You handle all the other aspects of the application block through the Configuration Console, a tool that is itself very easy to use. Therefore, you can use this application block to build security solutions very quickly.