DATA SECURITY
Security in the .NET Technology
 When we talk about the .NET Framework, and about security specifically, we have to cover:
 Security in assemblies
 Runtime security
 Role-based security
 Code-access security
 Isolated storage
 Evidence and code identity
 Permissions
 Security policy
 Cryptography
 Hashing algorithms
 Symmetric encryption
 Asymmetric encryption
 Digital signatures
 ASP.NET application security
 COM+ security
 Event log services
What we will focus on:

 Cryptography
 Hashing algorithms (covered if time permits)
 Symmetric encryption
 Asymmetric encryption
 Digital signatures
Block Cipher Modes of Operation
 A block cipher algorithm is a basic building block for providing data security
 Five "modes of operation" have been defined; they are summarized in Table 1
 These modes are intended for use with any symmetric block cipher, including triple DES and AES
Table 1. Block Cipher Modes of Operation

Electronic Codebook (ECB)
  Description: Each block of plaintext (64 bits for DES, 128 bits for AES) is encrypted independently using the same key.
  Typical application: Secure transmission of single values (e.g., an encryption key)

Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
  Typical application: General-purpose block-oriented transmission; authentication

Cipher Feedback (CFB)
  Description: Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
  Typical application: General-purpose stream-oriented transmission; authentication

Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding output of the encryption function (the preceding DES output in the DES-era table).
  Typical application: Stream-oriented transmission over a noisy channel (e.g., satellite communication)

Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical application: General-purpose block-oriented transmission; useful for high-speed requirements
Electronic Codebook Mode
 The simplest mode is the electronic codebook (ECB) mode
 Plaintext is handled one block at a time and each block of plaintext is encrypted using the same key, as shown in Figure 1
 The ECB method is intended for a short amount of data, such as an encryption key. Thus, if you want to transmit a single DES key, ECB is the mode Table 1 lists for that purpose. Note that even for that use ECB provides no integrity protection, and for any message longer than one block the pattern leakage described in the next bullet makes it unsuitable.
 The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same ciphertext
Figure 1, ECB
Cipher Block Chaining Mode
 In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block
 The same key is used for each block
 In effect, we have chained together the processing of the sequence of plaintext blocks
 Repeating patterns of b bits are not exposed
 To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext
 The IV must be known to both the sender and receiver, as shown in Figure 2. It need not be secret, but for CBC it must be unpredictable to an attacker (in practice, fresh random bytes for every message), because a predictable IV lets an attacker test guesses about the first plaintext block
 C1 = E(K, [IV ⊕ P1])
 P1 = IV ⊕ D(K, C1)
 For the remaining blocks, Cj = E(K, [Cj-1 ⊕ Pj]) and Pj = Cj-1 ⊕ D(K, Cj)
Figure 2, CBC
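The difference between ECB and CBC described on the two slides above, as an added example that is not part of the original slides: it encrypts a plaintext made of the same 16-byte block repeated four times under AES-ECB and AES-CBC, counts the distinct ciphertext blocks in each result, and rebuilds CBC by hand from single-block ECB calls to confirm C1 = E(K, [IV ⊕ P1]). It uses Aes.Create() (available since .NET Framework 3.5 and in every .NET Core version) rather than the string-based SymmetricAlgorithm.Create shown later in these slides; the key, IV and plaintext are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original slides): shows why ECB leaks block
// repetition while CBC hides it, and checks the CBC chaining equation
// C1 = E(K, IV XOR P1) by rebuilding CBC by hand on top of ECB.
class EcbVsCbcDemo
{
    // Constructed test input: the same 16-byte block repeated four times.
    static readonly byte[] Plaintext =
        Enumerable.Repeat(Encoding.ASCII.GetBytes("ATTACK AT DAWN!!"), 4)
                  .SelectMany(b => b).ToArray();

    // Encrypt whole blocks (no padding) under the given mode, key and IV.
    static byte[] Encrypt(CipherMode mode, byte[] key, byte[] iv, byte[] data)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Mode = mode;
            aes.Padding = PaddingMode.None;   // input is already a whole number of blocks
            aes.Key = key;
            aes.IV = iv;                      // ignored by ECB, required by CBC
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(data, 0, data.Length);
        }
    }

    // Count how many distinct 16-byte blocks the ciphertext contains.
    static int DistinctBlocks(byte[] ct)
    {
        return Enumerable.Range(0, ct.Length / 16)
                         .Select(i => BitConverter.ToString(ct, i * 16, 16))
                         .Distinct()
                         .Count();
    }

    // Manual CBC: C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV, using one-block ECB calls.
    static byte[] ManualCbc(byte[] key, byte[] iv, byte[] data)
    {
        byte[] output = new byte[data.Length];
        byte[] previous = iv;
        for (int i = 0; i < data.Length; i += 16)
        {
            byte[] block = new byte[16];
            for (int j = 0; j < 16; j++)
                block[j] = (byte)(data[i + j] ^ previous[j]);
            byte[] encBlock = Encrypt(CipherMode.ECB, key, iv, block);
            Buffer.BlockCopy(encBlock, 0, output, i, 16);
            previous = encBlock;
        }
        return output;
    }

    static void Main()
    {
        // Random AES-128 key and random IV, generated for this run only.
        byte[] key = new byte[16];
        byte[] iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        byte[] ecb = Encrypt(CipherMode.ECB, key, iv, Plaintext);
        byte[] cbc = Encrypt(CipherMode.CBC, key, iv, Plaintext);

        Console.WriteLine("ECB distinct ciphertext blocks: {0} of 4", DistinctBlocks(ecb));
        Console.WriteLine("CBC distinct ciphertext blocks: {0} of 4", DistinctBlocks(cbc));

        bool chainingHolds = ManualCbc(key, iv, Plaintext).SequenceEqual(cbc);
        Console.WriteLine("Manual CBC matches library CBC: {0}", chainingHolds);
    }
}
```

Run it as a console project: the ECB count is 1 of 4 (the repetition is visible in the ciphertext), the CBC count is 4 of 4, and the hand-built chain matches the library output, confirming the equations on the slide. CBC's hiding of repetition relies on the IV being fresh per message; reusing an IV with the same key makes identical message prefixes produce identical ciphertext prefixes again.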
The .NET Framework Encryption Algorithms
 The .NET Framework provides classes for four different symmetric encryption algorithms. Table 2 summarizes the algorithms available and the possible secret key lengths.
 Of the four, only Rijndael (AES) should be used in new code: DES's 56-bit key can be brute-forced, RC2 is a legacy cipher, and Triple-DES keeps the 64-bit block size, which limits how much data one key can safely process.
 AES is Rijndael restricted to a 128-bit block; the 192- and 256-bit block sizes that RijndaelManaged accepts are not AES, and output produced with them cannot be decrypted by AES implementations elsewhere.
Table 2, .NET symmetric encryption algorithms

Name            Block size (bits)   Key length (bits)
DES             64                  56 (although conventionally expressed as a 64-bit number)
RC2             64                  40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128
Triple-DES      64                  Two or three 56-bit keys, expressed as 64-bit numbers
Rijndael (AES)  128, 192, 256       128, 192, 256
Programming Symmetric Encryption
 For each supported algorithm there is an abstract class that extends System.Security.Cryptography.SymmetricAlgorithm (DES, RC2, TripleDES and Rijndael), as shown in Figure 3
 The SymmetricAlgorithm class allows you to configure an algorithm (select the block size, padding mode, etc.) and create instances of the classes that encrypt and decrypt data; this class, and the derived implementation classes, are not used to process data directly
 Table 3 lists the members of SymmetricAlgorithm that you use to configure any of the algorithms
Figure 3, The .NET Framework class hierarchy for symmetric encryption algorithms
Table 3, Members of the SymmetricAlgorithm class

Properties
  BlockSize                          Gets or sets the block size used by the cipher function.
  FeedbackSize                       Gets or sets the block size used to create feedback when encrypting data.
  KeySize                            Gets or sets the size in bits of the secret key used by the algorithm.
  IV, Key                            Get and set the values of the initialization vector and the secret key, expressed as arrays of bytes.
  LegalBlockSizes, LegalKeySizes     Return the ranges of block and secret key sizes that the algorithm supports.
  Mode                               Gets and sets the cipher mode used to prepare data.
  Padding                            Gets or sets the padding mode that will fill out partial blocks of data.

Methods
  Create                             Creates a new instance of the SymmetricAlgorithm class by name. See the following section for further details.
  CreateEncryptor, CreateDecryptor   Create instances of the classes used to encrypt and decrypt data.
  GenerateIV, GenerateKey            Generate random initialization vectors and secret keys.
  ValidKeySize                       Determines if a key of a given length is valid for the algorithm.
Instantiating the Algorithm
 You can instantiate the implementation classes for a symmetric algorithm using the Create method of the SymmetricAlgorithm class
# C#
SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("RC2");

# Visual Basic .NET
Dim x_alg As SymmetricAlgorithm = SymmetricAlgorithm.Create("RC2")

 The Create method instantiates an implementation class based on the value of the argument; Table 4 lists the supported argument strings and the implementation classes they create
 Create returns null for a string it does not recognize, so check the result before using it. Later versions of .NET also provide a parameterless Create method on each algorithm class (for example Aes.Create()), which avoids the string lookup altogether
Table 4, Mapping string values to algorithm classes

String value                                   Algorithm-implementation class
DES                                            DESCryptoServiceProvider
System.Security.Cryptography.DES               DESCryptoServiceProvider
3DES                                           TripleDESCryptoServiceProvider
TripleDES                                      TripleDESCryptoServiceProvider
Triple DES                                     TripleDESCryptoServiceProvider
System.Security.Cryptography.TripleDES         TripleDESCryptoServiceProvider
RC2                                            RC2CryptoServiceProvider
System.Security.Cryptography.RC2               RC2CryptoServiceProvider
Rijndael                                       RijndaelManaged
System.Security.Cryptography.Rijndael          RijndaelManaged
Configuring the Algorithm

1. Block and key sizes
# C#
SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("Rijndael");

// print out the current values
Console.WriteLine("Block Size: {0}", x_alg.BlockSize);
Console.WriteLine("Key Size: {0}", x_alg.KeySize);

// change the values
x_alg.BlockSize = 192;
x_alg.KeySize = 128;

# Visual Basic .NET
Dim x_alg As SymmetricAlgorithm = SymmetricAlgorithm.Create("Rijndael")

' print out the current values
Console.WriteLine("Block Size: {0}", x_alg.BlockSize)
Console.WriteLine("Key Size: {0}", x_alg.KeySize)

' change the values
x_alg.BlockSize = 192
x_alg.KeySize = 128

 A value that is not listed in LegalBlockSizes or LegalKeySizes makes the setter throw a CryptographicException; use ValidKeySize to check a key length first. The 192-bit block set above is Rijndael-specific and not AES (see Table 2), so keep the block size at 128 unless you control both ends of the exchange

2. Cipher and padding modes

 The .NET Framework supports the padding modes of the System.Security.Cryptography.PaddingMode enumeration; the two you will normally use are summarized in Table 5 (later framework versions add None, ANSIX923 and ISO10126)
 The Padding property of the SymmetricAlgorithm class allows the padding mode to be read and changed
 The Mode property takes a member of the System.Security.Cryptography.CipherMode enumeration, listed in Table 6
 The defaults are CipherMode.CBC and PaddingMode.PKCS7. The snippet below switches to ECB with zero padding only to show the properties in use; it is not a recommended configuration
# C#
// create the encryption algorithm instance
SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("Rijndael");

// view the current settings
Console.WriteLine("Padding Mode: {0}", x_alg.Padding);
Console.WriteLine("Cipher Mode: {0}", x_alg.Mode);

// change the padding and cipher modes
x_alg.Padding = PaddingMode.Zeros;
x_alg.Mode = CipherMode.ECB;

# Visual Basic .NET
' create the encryption algorithm instance
Dim x_alg As SymmetricAlgorithm = SymmetricAlgorithm.Create("Rijndael")

' view the current settings
Console.WriteLine("Padding Mode: {0}", x_alg.Padding)
Console.WriteLine("Cipher Mode: {0}", x_alg.Mode)

' change the padding and cipher modes
x_alg.Padding = PaddingMode.Zeros
x_alg.Mode = CipherMode.ECB
Table 5, The members of the PaddingMode enumeration

PKCS7   Represents the PKCS #7 padding style, where the value of each padding byte is the total number of padding bytes added to the partial data block
Zeros   Represents the use of padding bytes that are set to 0

PKCS7 always adds at least one byte (a full block when the data is already a multiple of the block size), so the decryptor can remove the padding unambiguously. Zero padding cannot be told apart from 0x00 bytes that belong to the message, so the decryptor leaves it in place and the caller has to know the original length.
Table 6, The members of the CipherMode enumeration

ECB, CBC, CFB   These members represent the modes described in Table 1 above.
CTS             This member represents the "Cipher Text Stealing" mode, which is a variation of the CBC mode that computes the last block of ciphertext in such a way as to ensure that the plaintext and the ciphertext are the same size.
OFB             This member represents the "Output Feedback" mode, which is a variation of the CFB mode, using a different technique to fill the queue.

Not every implementation class supports every member; an unsupported mode raises a CryptographicException, either when the mode is assigned or when the encryptor is created, so consult the documentation of the concrete class before relying on CTS or OFB.
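Two configuration pitfalls behind steps 1 and 2 above, as an added example that is not from the original slides: the order in which KeySize and Key are assigned, and the difference between PaddingMode.Zeros and PaddingMode.PKCS7 on a message that legitimately ends in 0x00 bytes. As before, Aes.Create() stands in for the string-based factory; the key bytes and the message are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not from the original slides): two configuration pitfalls of
// SymmetricAlgorithm that the property-setting snippets above do not show.
class ConfigurationPitfalls
{
    // Pitfall 1: assignment order matters. Setting KeySize (or BlockSize)
    // discards any Key (or IV) already assigned, so the algorithm silently
    // ends up with a fresh random key instead of the one you provided.
    static bool KeySurvivesKeySizeChange(bool setSizeFirst)
    {
        byte[] myKey = new byte[32];              // constructed 256-bit key for the demo
        for (int i = 0; i < myKey.Length; i++) myKey[i] = (byte)i;

        using (Aes aes = Aes.Create())
        {
            // Check the size against LegalKeySizes before touching the property.
            if (!aes.ValidKeySize(myKey.Length * 8))
                throw new InvalidOperationException("256-bit keys are not legal for this algorithm");

            if (setSizeFirst)
            {
                aes.KeySize = 256;   // size first ...
                aes.Key = myKey;     // ... then the key: the key is kept
            }
            else
            {
                aes.Key = myKey;     // key first ...
                aes.KeySize = 256;   // ... then the size: the key is discarded and regenerated on next use
            }
            return aes.Key.SequenceEqual(myKey);
        }
    }

    // Pitfall 2: PaddingMode.Zeros is not reversible. The decryptor cannot tell
    // trailing 0x00 bytes of the message from padding, so it returns them all.
    // PKCS7 encodes the padding length and round-trips exactly.
    static byte[] RoundTrip(PaddingMode padding, byte[] message)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = padding;
            aes.GenerateKey();
            aes.GenerateIV();

            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(message, 0, message.Length);
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    static void Main()
    {
        Console.WriteLine("Key kept when KeySize is set first:  {0}", KeySurvivesKeySizeChange(true));
        Console.WriteLine("Key kept when KeySize is set second: {0}", KeySurvivesKeySizeChange(false));

        // Constructed message ("secret" followed by two 0x00 bytes that are part of the data).
        byte[] message = { 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x00, 0x00 };
        Console.WriteLine("Zeros padding: {0} bytes in, {1} bytes out",
            message.Length, RoundTrip(PaddingMode.Zeros, message).Length);
        Console.WriteLine("PKCS7 padding: {0} bytes in, {1} bytes out",
            message.Length, RoundTrip(PaddingMode.PKCS7, message).Length);
    }
}
```

The first line reports True and the second False, because the KeySize and BlockSize setters of SymmetricAlgorithm clear the current Key and IV; set sizes before keys, or set the Key alone and let it fix the size. The Zeros round trip returns 16 bytes for an 8-byte message, since the decryptor has no way to know how many trailing zeros were padding, while PKCS7 returns exactly 8. That asymmetry is why PKCS7 is the default.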
3. Keys and initialization vectors (IVs)

 The .NET Framework expresses secret keys and initialization vectors (IVs) as arrays of bytes
 The Key and IV properties of the SymmetricAlgorithm class allow you to get and set the values
 Reading Key or IV before one has been set makes the class generate a random value, which is what GenerateKey and GenerateIV do explicitly. A fixed key written into source code, as in the snippet below, is for illustration only and must never be used in a deployed system
# C#
// create the encryption algorithm instance
SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("DES");

// we are "getting" the value of the secret key, which
// will lead the SymmetricAlgorithm class to create a
// new random key
byte[] x_secret_key = x_alg.Key;

// we are "setting" the value of the secret key, which
// will now be used for any subsequent encryption or
// decryption operations
x_alg.Key = new byte[] {0xD0, 0x8C, 0xD3, 0xEB, 0x10, 0x60, 0x41, 0x59};

# Visual Basic .NET
' create the encryption algorithm instance
Dim x_alg As SymmetricAlgorithm = SymmetricAlgorithm.Create("DES")

' we are "getting" the value of the secret key, which
' will lead the SymmetricAlgorithm class to create a
' new random key
Dim x_secret_key( ) As Byte = x_alg.Key

' we are "setting" the value of the secret key, which
' will now be used for any subsequent encryption or
' decryption operations
x_alg.Key = New Byte( ) {&HD0, &H8C, &HD3, &HEB, &H10, &H60, &H41, &H59}

4. Encrypting and Decrypting Data

 The SymmetricAlgorithm class delegates the process of encrypting and decrypting data to the ICryptoTransform interface, which exposes the details of handling blocks of data
 An instance of ICryptoTransform transforms plaintext to ciphertext or transforms ciphertext to plaintext
 Both transforms capture the algorithm's Key and IV at the moment they are created, so a decryptor only works if it was created with the same key and IV the encryptor used
 The following statements demonstrate how to create transformations, using the CreateEncryptor and CreateDecryptor methods:
# C#
// create the encryption algorithm
SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("Rijndael");

// create an ICryptoTransform that can be used to encrypt data
ICryptoTransform x_encryptor = x_alg.CreateEncryptor( );

// create an ICryptoTransform that can be used to decrypt data
ICryptoTransform x_decryptor = x_alg.CreateDecryptor( );

# Visual Basic .NET
' create the encryption algorithm
Dim x_alg As SymmetricAlgorithm = SymmetricAlgorithm.Create("Rijndael")

' create an ICryptoTransform that can be used to encrypt data
Dim x_encryptor As ICryptoTransform = x_alg.CreateEncryptor( )

' create an ICryptoTransform that can be used to decrypt data
Dim x_decryptor As ICryptoTransform = x_alg.CreateDecryptor( )
 Instances of the ICryptoTransform interface are not useful on their own; the .NET Framework provides the CryptoStream companion class, which is the basis for using instances of ICryptoTransform
 The CryptoStream class acts as a wrapper around a stream and automatically transforms blocks of data using an ICryptoTransform
 Creating an instance of CryptoStream requires a real stream and a value from the CryptoStreamMode enumeration, which defines whether to transform the data as it is read from the stream (CryptoStreamMode.Read) or as it is written to the stream (CryptoStreamMode.Write)
 When writing, the final (padded) block is only emitted by FlushFinalBlock or by closing the CryptoStream; reading the underlying stream before that yields truncated ciphertext
# C#
using System;
using System.Security.Cryptography;
using System.IO;
using System.Text;

class MemoryEncryptionExample {
    static void Main( ) {
        // define the message that we will encrypt
        string x_message = "Programming .NET Security";
        // get the bytes representing the message
        // (Encoding.Default depends on the machine; Encoding.UTF8 is the portable choice)
        byte[] x_plaintext = Encoding.Default.GetBytes(x_message);
        // create the memory stream that will receive the ciphertext
        MemoryStream x_memory_stream = new MemoryStream( );
        // create the encryption algorithm (a random key and IV are generated on first use)
        SymmetricAlgorithm x_alg = SymmetricAlgorithm.Create("RC2");
        // create an ICryptoTransform that can be used to encrypt data
        ICryptoTransform x_encryptor = x_alg.CreateEncryptor( );
        // create the CryptoStream that ties together the MemoryStream and
        // the ICryptoTransform
        CryptoStream x_cryptostream = new CryptoStream(x_memory_stream, x_encryptor,
            CryptoStreamMode.Write);
        // write the plaintext out to the cryptostream
        x_cryptostream.Write(x_plaintext, 0, x_plaintext.Length);
        // close the CryptoStream; this flushes the final padded block
        x_cryptostream.Close( );
        // get the ciphertext from the MemoryStream
        byte[] x_ciphertext = x_memory_stream.ToArray( );
        // print out the ciphertext bytes
        foreach (byte b in x_ciphertext) {
            Console.Write("{0:X2} ", b);
        }
    }
}
Full example

 A full example for encryption and decryption is here
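The complete round trip that steps 3 and 4 above build up to, written as an added example rather than the deck's own listing: it keeps the CBC/PKCS7 defaults of AES, generates a key and a fresh IV, encrypts through a CryptoStream in Write mode, decrypts through a CryptoStream in Read mode, and sends the IV in front of the ciphertext, which is what P1 = IV ⊕ D(K, C1) on the CBC slide requires of the receiver. It then decrypts the same ciphertext with a wrong IV to show that only the first block is affected. The key, the plaintext and the wrong IV are constructed for the demo, and getting the key to the receiver is assumed to be solved elsewhere.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original slides): full encrypt/decrypt round trip
// with CryptoStream in both directions. The IV travels in the clear in front of
// the ciphertext; only the key is secret.
class FullRoundTrip
{
    // Encrypt with AES-CBC/PKCS7 (the SymmetricAlgorithm defaults); returns IV || ciphertext.
    static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                       // fresh random IV for every message
            using (MemoryStream ms = new MemoryStream())
            {
                ms.Write(aes.IV, 0, aes.IV.Length); // IV first, unencrypted
                using (ICryptoTransform enc = aes.CreateEncryptor())
                using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();           // emits the padded last block
                }
                return ms.ToArray();
            }
        }
    }

    // Decrypt IV || ciphertext. ivOverride is accepted only so the demo below
    // can show which part of the plaintext a wrong IV corrupts.
    static byte[] Decrypt(byte[] key, byte[] ivAndCiphertext, byte[] ivOverride = null)
    {
        using (Aes aes = Aes.Create())
        {
            int blockBytes = aes.BlockSize / 8;
            byte[] iv = ivOverride ?? ivAndCiphertext.Take(blockBytes).ToArray();
            aes.Key = key;
            aes.IV = iv;
            using (MemoryStream input = new MemoryStream(ivAndCiphertext, blockBytes,
                                                         ivAndCiphertext.Length - blockBytes))
            using (ICryptoTransform dec = aes.CreateDecryptor())
            using (CryptoStream cs = new CryptoStream(input, dec, CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream())
            {
                cs.CopyTo(output);                  // reads and decrypts until end of stream
                return output.ToArray();
            }
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];                  // AES-256 key, assumed shared out of band
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        // Constructed plaintext: exactly three 16-byte blocks so block boundaries are easy to see.
        byte[] plaintext = Encoding.ASCII.GetBytes("block one.......block two.......block three.....");

        byte[] wire = Encrypt(key, plaintext);
        byte[] recovered = Decrypt(key, wire);
        Console.WriteLine("Round trip OK: {0}", recovered.SequenceEqual(plaintext));

        // Same ciphertext decrypted with a wrong IV: P1 = IV XOR D(K, C1) is garbage,
        // but every later block depends only on ciphertext blocks, so it comes out intact.
        byte[] wrongIv = new byte[16];
        byte[] damaged = Decrypt(key, wire, wrongIv);
        Console.WriteLine("First block intact: {0}",  damaged.Take(16).SequenceEqual(plaintext.Take(16)));
        Console.WriteLine("Later blocks intact: {0}", damaged.Skip(16).SequenceEqual(plaintext.Skip(16)));
    }
}
```

The round trip succeeds, the wrong IV corrupts exactly the first block, and the decryptor raises no error while doing so. That silence is the visible face of a deeper gap: CBC on its own detects no modification of the ciphertext, and a PKCS7 unpadding failure that is reported back to an attacker is the basis of padding-oracle attacks. In practice, add a MAC over the IV and ciphertext (encrypt-then-MAC with HMACSHA256) or use an authenticated mode such as the AesGcm class where the platform provides it.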