ZDNet UK



.Net demystifies encryption

William Dawson Builder.com

Published: 23 Jan 2003 14:34 GMT


One way .Net benefits Windows developers is by bringing together previously separate APIs and SDKs under one framework. For example, consider the adaptation of the CryptoAPI to the .Net System.Security.Cryptography namespace. The cryptographic services have left their mysterious corner of the Platform SDK to become, in a sense, "just another .Net namespace." Of course, there is more to it than that, but the point is that the cryptographic services are more approachable because of what they share with the rest of the framework as a whole. Now, you just have to learn what the System.Security.Cryptography namespace does and which classes are appropriate for specific situations.

Grab the code
You can download the .cs files for this article here.

System.Security.Cryptography namespace
The namespace contains classes that implement security solutions such as:

  • Encryption and decryption of data.
  • Management of persisted encryption keys.
  • Verification of the integrity of a piece of data to ensure that it has not been tampered with.

I will limit this article to encryption and decryption, but keep in mind that this is only one piece of the puzzle; a truly secure solution will make use of the other pieces as well. Our examples start with the encryption of a local text file and then move on to the more complicated encryption of messages between networked computers.

Symmetric algorithms
To encrypt a local text file, we use one of the symmetric algorithms; symmetric because the same key and initialisation vector (IV) are used to both encrypt and decrypt a piece of data. (The IV's relationship to the key is explained in the Cryptography Overview section of the .Net documentation.)

.Net implementations of symmetric algorithms derive from a common abstract base class, SymmetricAlgorithm, highlighting that the programmer can treat each of the specific algorithms -- DES, TripleDES, and Rijndael -- in the same fashion. The algorithms differ in how they encrypt the data, but the public interfaces are the same. This doesn't mean that all algorithms are equal. For instance, as you may have guessed by the name, TripleDES is a more secure successor to DES.

Because the same key encrypts and decrypts data, symmetric algorithms are best suited for situations where the key does not need to be broadcast. Network encryption calls for a combination of asymmetric and symmetric algorithms, as you'll later see. But first let's put the symmetric algorithms to good use.

Encrypting a text file
Listing A contains a console program, TextFileCrypt, which encrypts a text file you specify on the command line. The top of Listing A shows how to invoke the program. Let's look at some of the more important pieces of the code.

The symmetric algorithms work by encrypting data as it passes through a stream. We create a "normal" output stream (such as a file I/O stream), followed by an instance of the CryptoStream class, which will then piggyback on that normal stream.

You write byte arrays to the CryptoStream, and as the data streams through, it gets encrypted and put into the normal stream. To put the original text file into an array of bytes to be fed to the CryptoStream, you employ the FileStream class to read it. You also use another instance of FileStream as the output mechanism that the CryptoStream will hand the encrypted data to:

FileStream fsIn = File.Open(file, FileMode.Open, FileAccess.Read);
FileStream fsOut = File.Open(tempfile, FileMode.Open, FileAccess.Write);

It's all about streams
.Net makes considerable use of streams to read and write data. In fact, the symmetric algorithm classes require you to use them. If you aren't comfortable with .Net's stream-based input and output, I encourage you to familiarise yourself with it.

We can instantiate and use any one of the symmetric algorithm providers while specifying the object variable as the abstract type SymmetricAlgorithm. I chose Rijndael, but you could just as easily instantiate DES or TripleDES:

SymmetricAlgorithm symm = new RijndaelManaged();
// could just as easily be "new TripleDESCryptoServiceProvider()"

.Net sets these provider instances with strong random keys. It can be dangerous to try to choose your own keys; acceptance of the "computer-generated" key is good practice.

Next, the algorithm instance provides an object to perform the actual data transformation. Each algorithm has CreateEncryptor and CreateDecryptor methods for this purpose, and they return objects implementing the ICryptoTransform interface:

ICryptoTransform transform = symm.CreateEncryptor();

Finally, a special CryptoStream is instantiated and told which underlying stream it should piggyback on, which object will perform the transformation of the data, and whether the purpose of the stream is to read or write data:

CryptoStream cstream = new CryptoStream(fsOut,transform,CryptoStreamMode.Write);
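
As an added example (not the article's Listing A, which is not reproduced on this page), the steps above can be assembled into a complete round trip that encrypts a file and then decrypts it with the same key and IV. It uses Aes.Create() in place of RijndaelManaged, which current .Net releases mark obsolete; the class name, the Transform helper and the temp-file sample text are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

class CryptoStreamRoundTrip   // hypothetical name, not from the article
{
    // Pump src through the transform into dst; the CryptoStream piggybacks on fsOut.
    static void Transform(string src, string dst, ICryptoTransform transform)
    {
        using (FileStream fsIn = File.Open(src, FileMode.Open, FileAccess.Read))
        using (FileStream fsOut = File.Open(dst, FileMode.Create, FileAccess.Write))
        using (CryptoStream cstream = new CryptoStream(fsOut, transform, CryptoStreamMode.Write))
        {
            byte[] buffer = new byte[4096];
            int read;
            while ((read = fsIn.Read(buffer, 0, buffer.Length)) > 0)
                cstream.Write(buffer, 0, read);
            // Disposing the CryptoStream writes the final padded block to fsOut.
        }
    }

    static void Main()
    {
        string plain = Path.GetTempFileName();      // constructed sample input
        string cipher = Path.GetTempFileName();
        string roundTrip = Path.GetTempFileName();
        File.WriteAllText(plain, "constructed sample text for the round trip");

        // The provider generates a strong random key and IV on first use.
        using (SymmetricAlgorithm symm = Aes.Create())
        {
            using (ICryptoTransform enc = symm.CreateEncryptor())
                Transform(plain, cipher, enc);

            // Symmetric: decryption only works with the same key and IV,
            // so both must be kept (and protected) for as long as the data is.
            using (ICryptoTransform dec = symm.CreateDecryptor(symm.Key, symm.IV))
                Transform(cipher, roundTrip, dec);
        }

        bool same = File.ReadAllText(roundTrip) == File.ReadAllText(plain);
        Console.WriteLine(same ? "round trip OK" : "MISMATCH");

        File.Delete(plain); File.Delete(cipher); File.Delete(roundTrip);
    }
}
```

Because the key and IV exist only inside the algorithm instance, a real program has to persist them somewhere safe before the instance is disposed, or the encrypted file cannot be recovered.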
