Password Based Key Derivation Functions in .NET

In this article I want to talk a little about Password Based Key Derivation Functions and their use in .NET. A Password Based Key Derivation Function or PBKDF2 as it is known, is a way to encode passwords as an alternative to hashing functions which are susceptible to rainbow table attacks.

Password Based Key Derivation Functions in .NET : PBKDF2
Password Based Key Derivation Functions in .NET : PBKDF2

For this article though I am going to try a different method of explaining it. I am going to talk about this subject and do a little code demo by video. Yes, you have to suffer my voice and video editing. This video was actually recoded back in June, and the astute amongst you will notice that this looks very much like a Pluralsight video. Well, it is, kind of. This is one of my audition videos that I had to produce to  become a Pluralsight author.

I was very pleased with the result seeing as it was my first time recording and editing a video / code demo, and Pluralsight were gracious enough to give me permission to post the video on my blog, but minus the Pluralsight branding, as it is not an official video of theirs.

Now that I have the video recording bug, plus I have paid for all the software and hardware etc, I may do more of these along side my Pluralsight courses.

Advertisements

Block Encrypter .NET Library

I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter it is designed to make asymmetric encryption of  data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community so should give you a level of comfort that it is secure in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives like AES, HMAC, PBKDF, and cryptographically secure random number generation.

Download the Block Encrypter .NET encryption library.
Download the Block Encrypter .NET encryption library.

I have previously discussed AES encryption in .NET in my cryptography series of articles. I also posted an article linking to some really useful videos by Patrick Townsend about how the AES algorithm works. If you are interested in symmetric cryptography I highly recommend watching them.

encryption

First lets look at some usage examples. The main object in the library to call is the Block Encrypter object and this contains methods that allow you to encrypt/decrypt strings or byte arrays of data.

Overview of the Library

The library itself is quite straight forward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object will then call out to the GzipCompression object, Aes object, and the ByteHelpers object.

Block Encryter Class Diagram
Block Encryter Class Diagram

The library is also well covered in unit tests that exercise the majority of the functionality.

Text Shredder 1.1 Released

I have released the next version of Text Shredder which incorporates some tweaks and features from peer review of users of the application on the internet.

Text Shredder : A Personal Encryption Tool
Text Shredder : A Personal Encryption Tool

The release notes are as follows :

  • Added a HMAC to the encrypted message. The ciphertext + original salt is HMACed using the AES key. When the message is decrypted, the HMAC is recomputed and compared to the original. If it doesn’t match then the message has been corrupted or tampered with.
  • Removed BCrypt from the internal password hash. After peer review it was deemed unnecessary as a PBKFD (Rfc2898) is used with 70,000 iterations to generate the AES key.
  • When setting up the AesCryptoServiceProvider, make the cipher mode and padding schemes more apparent. This application uses AES set to CBC mode with PKCS7 padding.
  • Add a word wrap option to the file menu. This enables/disables word wrap on all the text boxes.
  • When the user first loads up Text Shredder, show an upgrade warning stating that their message recipients must be using the same version of the tool. They can click on a “Do not show this again” checkbox to disable the warning then they next run the program.

Text Shredder 1.0 Released

I was recently asked to develop a small utility that is a personal encryption tool that uses the same encryption code as my Safe Pad application. I did this on the understanding I could open source the result, which I have.

Text Shredder : A Personal Encryption Tool
Text Shredder : A Personal Encryption Tool

Text Shredder is a utility that simplifies encryption and decryption of plain text data. Plain text data is encrypted and can then be easily copied to the clipboard or saved as a text file. This text file can then be sent via your normal instant chat/messenger programs or email.

Text Shredder allows you to set up to 2 passwords (the 2nd password is optional). These passwords are then used to create a strong encryption key which is used to encrypt your text using the industry standard FIPS Certified AES algorithm (Advanced Security Standard).

For more information on the Text Shredder utility you can view the main project page. Text Shredder is open source and has been released under the GPL v3.0 License. The source code and binaries are available from Codeplex.

Safe Pad 1.2 Released

Safe Pad 1.2 : Text Editor to securely protect your documents using strong AES Encryption
Safe Pad 1.2 : Text Editor to securely protect your documents using strong AES Encryption

have recently released version 1.2 of Safe Pad. Safe Pad is a encrypted text editor that allows you to protect your documents using strong FIPS Compliant AES Encryption using up to 2 passwords to generate your encryption key. Safe Pad is open source and has been released under the GNU Public License.

SafePad Version 1.1 Released

I have now released version 1.1 of my popular encrypted notepad application SafePad. Version 1.1 focuses on many of the requests I have had from users. These are mainly around usability.

Safe Pad 1.1 : Text editor to securely protect your documents using Triple AES
Safe Pad 1.1 : Text editor to securely protect your documents using Triple AES

What is SafePad

SafePad is a simple FREE text editor that lets you encrypt your documents using 3 cascaded iterations of AES encryption (Advanced Encryption Standard). To protect your document you have to provide 2 passwords. Passwords have always been a problem when it comes to security as users tend to pick a password that is easy for them to remember. This also means that the password is most likely easy to crack. By using 2 passwords and performing multiple rounds of encryption, it makes it much harder to crack the passwords. If someone manages to crack password 1, all they will get back is encrypted text, so it would be very hard to them to know they have cracked that password.

Picking strong yet easy to remember passwords is essential when protecting your files. If your passwords are easy to guess or can be cracked by a brute force search then you are leaving your data open to being stolen. Here is a good article over at wolfram.org with some good advice on picking strong passwords.

Securely Storing Passwords

In this article I want to talk about the storage of passwords in your systems. Passwords are still the most common way of being able to authenticate a user, but it is very easy to put yourself in a situation where your system is not secure and susceptible to attacks. In this article I want to discuss ways in which you shouldn’t store passwords, and talk about how you can safely store passwords and protect yourself where you have been a victim of data theft.

Securely Storing Passwords
Securely Storing Passwords

Storing Passwords in the Clear

Easy of Implementation : EASY

Is Good Idea : TERRIBLE IDEA

When you are developing a system that needs to authenticate a user, the biggest mistake you can make is storing passwords as clear text in your database. You may as well not bother having security as you can’t offer any kind of privacy to your users. This may seem like common sense, but there are still plenty of sites that do this. A user’s password should be secret and only known by the person who it belongs too.