Applied Cryptography in .NET and Azure Key Vault from Apress Now Available.

After a year of writing, reviewing and editing, I am pleased to announce that my first book for a traditional publisher, Applied Cryptography in .NET and Azure Key Vault, has now been released. It has been an exciting journey writing for Apress, and the experience was excellent. You sometimes hear bad stories of working with traditional publishers, but I am glad to say this wasn’t the case for me.

Applied Cryptography in .NET and Azure KeyVault

The journey for me started at NDC Oslo in 2017, where I was introduced to an acquisition editor for Apress. We got talking, and I suggested an idea for a book which I then formally pitched. After the pitch was accepted, I signed the contract and agreed on a schedule for the first three chapters. To get a good start on the book, I decided to take a little writing holiday to Whitby where I could lock myself away near beautiful surroundings and make a start on drafting the first three chapters. I have always liked the idea of going on a short holiday to write, so this was helping to realize a small dream. I locked myself away for four days and managed to write the first draft for these chapters, and I was then joined by my wife and kids to spend a long weekend in Whitby. I submitted the three chapters to Apress and waited for them to be approved. Thankfully they were, and we agreed on a schedule to write the rest of the book.

I spent the majority of 2018 drafting the rest of the book and finished the first draft towards the end of October. If I was to work on the book full time, I really could have written it in two to three months, but because I have no idea how well the book will sell, or how much I can make from it, I decided to spread the work out while continuing to write courses for Pluralsight.

Once the first draft had been completed, the book was peer-reviewed, which involved an independent developer reading the book and checking that it was accurate, made sense and that the examples worked. As each chapter was reviewed, I had to address any comments or concerns. I thought this part of the process would be difficult, but luckily I didn’t have to change much. Once peer review had finished, the book went to be copy edited. At this point, I asked my friend Troy Hunt to write the foreword, where he discusses data breaches. The book was officially finished at the end of January, when it was typeset and sent for printing.

Although I have self-published a lot of books, it has always been a dream to write a book for a traditional publisher, and now that dream has been realized. I have been asked several times if I will write another book like this. At the moment, I am not sure. I enjoyed the process, but I need to see how this book performs first. If it does well, then hopefully I can extend the book into a second edition. As for a new book, I have a few ideas, but I will wait until later in the year to decide.

The book is available from most online book retailers as well as traditional bookshops.

Barnes and Noble



Pluralsight Blockchain Webinar

Earlier in the year I did a live Pluralsight webinar to about 700 people, talking about what a Blockchain is, why you would want to use one, the differences between a Blockchain and a database, and other interesting facts about the technology.

The recording of that Webinar is now available to watch on YouTube.

If you are interested in learning more about Blockchain from either a high level executive briefing standpoint or more as a software developer and architect, then I have the following courses available at Pluralsight.

State of Blockchain : Executive Briefing

Blockchain : Principles and Practices

Play by Play: Enterprise Data Encryption with Azure Revealed

I am pleased to announce that my latest course has been released by Pluralsight, called Play by Play: Enterprise Data Encryption with Azure Revealed. This course is a bit different to my previous courses as a Play by Play course is recorded live with 2 people. In this case, myself and my good friend Lars Klint.

Play by Play: Enterprise Data Encryption with Azure Revealed with Stephen Haunts and Lars Klint

I first hinted at this course back in January after attending NDC London, as this Play by Play was recorded at the conference. It is the first time I have done anything like this and I really enjoyed the whole experience. The subject we discussed in the course is about protecting your data in a multi-tenant environment in the cloud (Azure for example) using Azure Key Vault. This is a subject that is vital for organisations to get right, which is why we thought it would make a good Play by Play.

Here is the course description:

Play by play is a series in which top technologists work through a problem in real time, unrehearsed and unscripted. In this course, Play by Play: Enterprise Data Encryption with Azure Revealed, Stephen Haunts and Lars Klint look at the different ways in which enterprises can protect their data, especially in a cloud-first, multi-tenant world. You’ll learn concepts around encrypting enterprise data, look at what you should encrypt, and cover robust patterns and practices you can follow in your organizations. By the end of this course, you’ll have a better understanding of enterprise data encryption methods and how to apply them to your organization.

As the description states these courses are unrehearsed and unscripted, which is true. We have an idea of the demos and a list of bullet points of things we want to cover but apart from that the course is done as a conversation between me and Lars.

Stephen Haunts at NDC {London} 2017

These courses are designed to be deliberately short, around an hour, because we pick one narrow subject and discuss that in detail. These are not full subject, in depth courses, but they give you enough knowledge to be practical and useful with tips for further research. This means that the courses are very easy to watch in a short space of time. This course is about an hour in length, so is the length of a normal podcast or conference talk.

If you watch this course and then want to go into much more depth, then this course complements my other course called Practical Cryptography in .NET, which goes into much more detail on the AES and RSA cryptographic algorithms. What this Play by Play features is how to securely protect any encryption keys you use to protect your data.

The Play by Play is quite practical and I run through several code demos. The source code for all these demos is included with the course.

I hope you like the course. Thanks for watching.

My Cryptography Talk at NDC London

The video recording of my talk at NDC London is now available to watch online. This was my first major conference so it was a little scary, but I really enjoyed the experience. The room was about two-thirds full and I got an excellent speaker rating at the end, so I must have done something right.

Cryptography in .NET slides from NDC London Now Available

NDC London - Stephen Haunts - Cryptography in .NET

The slide deck from my Cryptography in .NET talk at NDC London is now available to download from this site. If you have any questions about this talk and its contents, then please either leave a comment here on this post or get in touch with me from my contacts page.

Talking About Cryptography on Dot Net Rocks

Stephen Haunts on the Dot Net Rocks Show

Today I am on the Dot Net Rocks show talking about Cryptography with Carl and Richard. We talk mostly about secure ways to store passwords and also talk about Hybrid Cryptography where you use a combination of AES, RSA, and SHA256 to create a robust encryption scheme.

The show was a lot of fun to record. It is quite daunting when you are suddenly on a show that you have been listening to every week for 5 years, but Carl and Richard made the experience very easy going and fun.

Here is the show description.

Encrypt all the things! Carl and Richard talk to Stephen Haunts about how to use cryptography properly. And as it turns out, you don’t have to be a mathematician to put crypto to work for you! The conversation starts out focusing on password hashing – lots of ways to do it wrong, salting seems complicated, but in the end, there is a built-in, poorly named function in the .NET Framework that will give you proper leading edge password hashing, you just have to know what it is (check the links on the show page). From there Stephen talks about 2-way symmetric and asymmetric encryption. Best used together, and best used on any and all data that you have. Good stuff!


Talking at NDC London

In January I will be attending the NDC conference in London and doing a talk on Cryptography in .NET. This talk will be on Thursday 14th January at 4.20pm. I am really excited to be doing this talk as it is my first major conference.

Cryptography in .NET is a subject I am very passionate about and have been teaching developers about all this year at user groups, and also with my book from Syncfusion called “Cryptography in .NET Succinctly” and my course on the same subject, “Practical Cryptography in .NET”, over at Pluralsight.

NDC London - Stephen Haunts - Cryptography in .NET

On Friday 15th January, I will also be at the Pluralsight stand at 1pm and 4pm to talk about authoring for Pluralsight. If you are interested in hearing about what it takes to develop courses for Pluralsight and are at NDC, then please come along and I will be happy to answer your questions.

I will also be hanging around the Usergroups and Community stand at the conference promoting the idea of attending and running user groups.

If you are at NDC, then please pop along and say hello.

Password Based Key Derivation Function Iteration Counts

I have already spoken about Password Based Key Derivation Functions before on this blog, and I have discussed secure password storage with PBKDF2 at length in my Pluralsight course, Practical Cryptography in .NET, but in this post I want to expand on this a bit and talk about picking suitable iteration counts for the PBKDF2 key derivation process.

Choosing a good number of iterations for PBKDF2

A reader of this blog, Geoff Hirst, gave me a heads up about an episode of the Security Now podcast, specifically episode 512, where the recent security breach at LastPass was discussed. Luckily no one’s data was actually at risk due to their security policies and good use of encryption, but the podcast talked about something that was interesting: what should you set your PBKDF2 iteration count to?

I must admit I have always used round numbers like 50,000 or 100,000, but the podcast says this isn’t a good idea: you should use a five-figure number beginning with a digit larger than 2, and it should be a random number rather than one rounded to a specific whole number such as 50,000 or 100,000.

By making this a random number that you do not disclose, you are making an attacker’s life much harder as they have to get the iteration count correct. Of course you shouldn’t rely on this as a main piece of security information, but anything that can make an attacker’s life a little harder has to be a good thing.

If you are dealing with a system that has multiple users, why not randomly generate a different iteration count per user? Then if one user does get compromised and their password recovered, your other users are still safe as the attacker would still need to guess their number of iterations.
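A sketch of the per-user iteration count idea above, added as an example and not taken from the original post or the course code. The `PasswordRecord` and `PasswordStore` names and the 20,000 to 99,999 range are assumptions; the count is kept with the salt because verification needs it, and the code targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical record layout (an assumption for this example): the iteration
// count is stored next to the salt because Verify cannot run without it.
public sealed record PasswordRecord(byte[] Salt, int Iterations, byte[] Hash);

public static class PasswordStore
{
    private const int SaltSize = 32; // bytes
    private const int HashSize = 32; // bytes, matches SHA-256 output length

    public static PasswordRecord Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        // CSPRNG-backed and upper bound exclusive: a non-round value in 20,000..99,999.
        int iterations = RandomNumberGenerator.GetInt32(20_000, 100_000);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, HashSize);
        return new PasswordRecord(salt, iterations, hash);
    }

    public static bool Verify(string password, PasswordRecord record)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, record.Salt, record.Iterations,
            HashAlgorithmName.SHA256, HashSize);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
    }
}

public static class Program
{
    public static void Main()
    {
        const string password = "constructed sample password";
        PasswordRecord alice = PasswordStore.Create(password);
        PasswordRecord bob = PasswordStore.Create(password);
        // Same password, but each user gets an independent salt and iteration count.
        Console.WriteLine($"alice: {alice.Iterations} iterations, bob: {bob.Iterations} iterations");
        Console.WriteLine($"correct password accepted: {PasswordStore.Verify(password, alice)}");
        Console.WriteLine($"wrong password accepted:   {PasswordStore.Verify("guess", alice)}");
    }
}
```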

Practical Cryptography in .NET Course Released by Pluralsight

I am pleased to announce that my latest course, Practical Cryptography in .NET has been released by Pluralsight.

The course description is as follows:

As a software developer you have a duty to your employer to secure and protect their data. In this course you will learn how to use the .NET Framework to protect your data to satisfy confidentiality, integrity, non-repudiation and authentication.

This course covers random number generation, hashing, authenticated hashing and password based key derivation functions. The course also covers both symmetric and asymmetric encryption using DES, Triple DES, AES and RSA. You then learn how to combine these all together to produce a hybrid encryption scheme which includes AES, RSA, HMACs and Digital Signatures.

The course is aimed at teaching developers about the importance of protecting sensitive data within their systems.

Practical Cryptography in .NET Coming Soon to Pluralsight

As well as giving lots of technical background, the course will be very practical with lots of live code demonstrations. The course will be split into the following modules.

1. Course Outline and Introduction
2. Cryptographic Random Numbers
3. Hashing Algorithms
4. Secure Password Storage
5. Symmetric Encryption
6. Asymmetric Encryption
7. Hybrid Encryption
8. Digital Signatures
9. Secure String
10. Course Summary

Modules 2 – 6 cover a lot of theory and practical advice on using what is built into the .NET Framework. Module 7 on Hybrid Cryptography takes this a step further to combine a lot of the cryptographic primitives discussed into a cryptography scheme that gives the flexible key management benefits of RSA with the benefits and speed of algorithms like AES, and which includes full authenticated integrity checking.


This then gets expanded on further by introducing the concept of Digital Signatures to build in non-repudiation into the system.


The course has been a lot of fun to produce and I hope you find it useful. Protecting data is something that every developer should take very seriously, and this course gives you all the tools you need to protect your company’s data from exfiltration by hackers or anyone else that wants to cause organisations harm.

Cryptography in .NET talk at the Derbyshire.Net User Group

Cryptography in .NET talk at the Derbyshire Dot Net User Group

I will be doing a talk at the Derbyshire Dot Net user group on March 26th 2015 in Derby. The talk will be on Cryptography in .NET. The talk will be at Sadler Bridge Studios in the City Centre and start at 7pm.

The talk synopsis is:

Data security is something that we as developers have to take seriously when developing solutions for our organizations. Cryptography can be a deeply complicated and mathematical subject but as developers we need to be pragmatic and use what is available to us to secure our data without disappearing down the mathematical rabbit hole.

In this talk Stephen Haunts will take you through what is available in the .NET framework for enterprise desktop and server developers to allow you to securely protect your data to achieve confidentiality, data integrity and non-repudiation of exchanged data. Stephen will cover the following:

  • Cryptographically secure random number generation.
  • Hashing and Authenticated Hashes.
  • Secure Password Storage
  • Symmetric Encryption with DES, TripleDES, and AES.
  • Asymmetric Encryption with RSA.
  • Hybrid Encryption by using Symmetric and Asymmetric encryption together.
  • Digital Signatures.

Stephen Haunts is a Development Manager working in the healthcare division at Boots and has been developing code since he was 10. Stephen is also an author with Pluralsight and a book author writing for the Syncfusion Succinctly series of books.
