Cryptography in .NET Talk : Slides and Sample Code

Today I did a talk on Cryptography in .NET. The talk synopsis is as follows :

Data security is something that we as developers have to take seriously when developing solutions for our organizations. Cryptography can be a deeply complicated and mathematical subject but as developers we need to be pragmatic and use what is available to us to secure our data without disappearing down the mathematical rabbit hole.

In this talk Stephen Haunts will take you through what is available in the .NET framework for enterprise desktop and server developers to allow you to securely protect your data to achieve confidentiality, data integrity and non-repudiation of exchanged data. Stephen will cover the following:

• Cryptographically secure random number generation
• Hashing and Authenticated Hashes
• Symmetric Encryption with DES, TripleDES, and AES
• Asymmetric Encryption with RSA
• Hybrid Encryption by using Symmetric and Asymmetric encryption together.
• Digital Signatures

RC4 Stream Cipher

I recently started to look at some other cryptography ciphers outside what is included in my development platform of choice, .NET, and started reading up on RC4. RC4 is a stream cipher.

Stream Ciphers

A stream cipher is a symmetric key cipher where plain-text digits are combined with a pseudo-random cipher digit stream (key-stream). In a stream cipher each plain-text digit is encrypted one at a time with the corresponding digit of the key-stream, to give a digit of the cipher-text stream. With a stream cipher a digit is typically a bit and the combining operation an exclusive-or (XOR).

The pseudo-random key-stream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the cipher-text stream.

Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of data n a fixed block size. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity.

RC4 Stream Cipher

In cryptography, RC4 (also known as ARC4 or ARCFOUR meaning Alleged RC4) is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems.

RC4 was designed by Ron Rivest of RSA Security in 1987. RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to a mailing list. The leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4. Because the algorithm is known, it is no longer a trade secret. The name RC4 is trademarked, so RC4 is often referred to as ARCFOUR or ARC4 (meaning alleged RC4) to avoid trademark problems.

Cryptography in .NET Talk at the DotNet Notts Usergroup

On January 26th 2015 I will be doing a talk at the DotNet Notts usergroup in Nottingham UK. The talk will be on Pragmatic Cryptography in .NET. The talk synopsis is as follows.

Data security is something that we as developers have to take seriously when developing solutions for our organizations. Cryptography can be a deeply complicated and mathematical subject but as developers we need to be pragmatic and use what is available to us to secure our data without disappearing down the mathematical rabbit hole.

In this talk Stephen Haunts will take you through what is available in the .NET framework for enterprise desktop and server developers to allow you to securely protect your data to achieve confidentiality, data integrity and non-repudiation of exchanged data. Stephen will cover the following:

Cryptographically secure random number generation.

Hashing and Authenticated Hashes.

Symmetric Encryption with DES, TripleDES, and AES.

The pitfalls of key exchange

Asymmetric Encryption with RSA.

Hybrid Encryption by using Symmetric and Asymmetric encryption together.

Digital Signatures.

Cryptography in .NET : Digital Signatures

I have previously written a number of articles on Cryptography in .NET, like the following :

Part 1 – Advanced Encryption Standard (AES)

Part 2 – RSA

Part 3 – Random Numbers and Hashes

Part 4 – Hybrid Encryption Protocols

Block Encrypter .NET Library for secure AES Encryption

In this article I will show you how to create and use Digital Signatures in .NET.

A digital signature is a mathematical scheme that demonstrates the authenticity of a message or document. A valid digital signature gives the recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message (authentication and non-repudiation) and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

Digital signatures are often used to implement a digital analog to hand written signatures. In broader terms this refers to any electronic data that carries the intent of a signature. Digital signatures employ a type of asymmetric cryptography. For messages sent through a non-secure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes, in the sense used here, are cryptographic based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret.

A digital signature scheme consists of three algorithms

• A key generation algorithm that generates a private and public key, such as RSA.
• A signing algorithm that, given a message and a private key, produces a signature.
• A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message’s claim to authenticity.

Two main properties are required. First, the authenticity of a signature generated from a fixed message and fixed private key can be verified by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party without knowing that party’s private key. A digital signature is an authentication mechanism that enables the creator of the message to attach a code that act as a signature. It is formed by taking the hash of message and encrypting the message with creator’s private key.

Password Based Key Derivation Functions in .NET

In this article I want to talk a little about Password Based Key Derivation Functions and their use in .NET. A Password Based Key Derivation Function or PBKDF2 as it is known, is a way to encode passwords as an alternative to hashing functions which are susceptible to rainbow table attacks.

For this article though I am going to try a different method of explaining it. I am going to talk about this subject and do a little code demo by video. Yes, you have to suffer my voice and video editing. This video was actually recoded back in June, and the astute amongst you will notice that this looks very much like a Pluralsight video. Well, it is, kind of. This is one of my audition videos that I had to produce to  become a Pluralsight author.

I was very pleased with the result seeing as it was my first time recording and editing a video / code demo, and Pluralsight were gracious enough to give me permission to post the video on my blog, but minus the Pluralsight branding, as it is not an official video of theirs.

Now that I have the video recording bug, plus I have paid for all the software and hardware etc, I may do more of these along side my Pluralsight courses.

Block Encrypter .NET Library

I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter it is designed to make asymmetric encryption of  data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community so should give you a level of comfort that it is secure in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives like AES, HMAC, PBKDF, and cryptographically secure random number generation.

I have previously discussed AES encryption in .NET in my cryptography series of articles. I also posted an article linking to some really useful videos by Patrick Townsend about how the AES algorithm works. If you are interested in symmetric cryptography I highly recommend watching them.

First lets look at some usage examples. The main object in the library to call is the Block Encrypter object and this contains methods that allow you to encrypt/decrypt strings or byte arrays of data.

Overview of the Library

The library itself is quite straight forward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object will then call out to the GzipCompression object, Aes object, and the ByteHelpers object.

The library is also well covered in unit tests that exercise the majority of the functionality.

Text Shredder 1.1 Released

I have released the next version of Text Shredder which incorporates some tweaks and features from peer review of users of the application on the internet.

The release notes are as follows :

• Added a HMAC to the encrypted message. The ciphertext + original salt is HMACed using the AES key. When the message is decrypted, the HMAC is recomputed and compared to the original. If it doesn’t match then the message has been corrupted or tampered with.
• Removed BCrypt from the internal password hash. After peer review it was deemed unnecessary as a PBKFD (Rfc2898) is used with 70,000 iterations to generate the AES key.
• When setting up the AesCryptoServiceProvider, make the cipher mode and padding schemes more apparent. This application uses AES set to CBC mode with PKCS7 padding.
• Add a word wrap option to the file menu. This enables/disables word wrap on all the text boxes.
• When the user first loads up Text Shredder, show an upgrade warning stating that their message recipients must be using the same version of the tool. They can click on a “Do not show this again” checkbox to disable the warning then they next run the program.

Text Shredder 1.0 Released

I was recently asked to develop a small utility that is a personal encryption tool that uses the same encryption code as my Safe Pad application. I did this on the understanding I could open source the result, which I have.

Text Shredder is a utility that simplifies encryption and decryption of plain text data. Plain text data is encrypted and can then be easily copied to the clipboard or saved as a text file. This text file can then be sent via your normal instant chat/messenger programs or email.

Text Shredder allows you to set up to 2 passwords (the 2nd password is optional). These passwords are then used to create a strong encryption key which is used to encrypt your text using the industry standard FIPS Certified AES algorithm (Advanced Security Standard).

For more information on the Text Shredder utility you can view the main project page. Text Shredder is open source and has been released under the GPL v3.0 License. The source code and binaries are available from Codeplex.