I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter, and it is designed to make asymmetric encryption of data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community, so it should give you a level of comfort that it is secure in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives like AES, HMAC, PBKDF, and cryptographically secure random number generation.
First, let's look at some usage examples. The main object in the library to call is the Block Encrypter object, which contains methods that allow you to encrypt/decrypt strings or byte arrays of data.
Overview of the Library
The library itself is quite straightforward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object will then call out to the GzipCompression object, Aes object, and the ByteHelpers object.
The library is also well covered in unit tests that exercise the majority of the functionality.
I have released the next version of Text Shredder which incorporates some tweaks and features from peer review of users of the application on the internet.
The release notes are as follows:
Added an HMAC to the encrypted message. The ciphertext + original salt is HMACed using the AES key. When the message is decrypted, the HMAC is recomputed and compared to the original. If it doesn’t match then the message has been corrupted or tampered with.
Removed BCrypt from the internal password hash. After peer review it was deemed unnecessary as a PBKDF (Rfc2898) is used with 70,000 iterations to generate the AES key.
When setting up the AesCryptoServiceProvider, make the cipher mode and padding schemes more apparent. This application uses AES set to CBC mode with PKCS7 padding.
Add a word wrap option to the file menu. This enables/disables word wrap on all the text boxes.
When the user first loads up Text Shredder, show an upgrade warning stating that their message recipients must be using the same version of the tool. They can click on a “Do not show this again” checkbox to disable the warning when they next run the program.
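The HMAC, PBKDF and CBC/PKCS7 notes above combine into an encrypt-then-MAC flow. The following C# is an added example, not Text Shredder's or Block Encrypter's own code; it assumes .NET 6 or later, SHA-256 for both PBKDF2 and the HMAC, a 16-byte salt, an IV taken from the PBKDF2 output, and a `salt || ciphertext || tag` layout, none of which the release notes specify.

```csharp
using System.Linq;
using System.Security.Cryptography;

// Added example: class name, sizes, SHA-256 and message layout are assumptions.
public static class EncryptThenMacExample
{
    const int Iterations = 70000;   // iteration count from the release notes
    const int SaltLen = 16, KeyLen = 32, IvLen = 16, TagLen = 32, BlockLen = 16;

    // One PBKDF2 call yields the AES key followed by the IV (assumed layout).
    static (byte[] key, byte[] iv) Derive(string password, byte[] salt)
    {
        byte[] okm = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                               HashAlgorithmName.SHA256, KeyLen + IvLen);
        return (okm[..KeyLen], okm[KeyLen..]);
    }

    static Aes NewAes(byte[] key, byte[] iv)
    {
        Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;          // set explicitly, as the notes advise
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key; aes.IV = iv;
        return aes;
    }

    // HMAC over ciphertext + salt, keyed with the AES key, as the notes describe.
    static byte[] Tag(byte[] key, byte[] salt, byte[] ct) =>
        HMACSHA256.HashData(key, ct.Concat(salt).ToArray());

    public static byte[] Encrypt(string password, byte[] plain)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);   // fresh per message
        var (key, iv) = Derive(password, salt);
        using Aes aes = NewAes(key, iv);
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
        return salt.Concat(ct).Concat(Tag(key, salt, ct)).ToArray();
    }

    public static byte[] Decrypt(string password, byte[] msg)
    {
        if (msg.Length < SaltLen + BlockLen + TagLen)
            throw new CryptographicException("Message too short.");
        byte[] salt = msg[..SaltLen], ct = msg[SaltLen..^TagLen], tag = msg[^TagLen..];
        var (key, iv) = Derive(password, salt);
        // Recompute the HMAC and compare in constant time before decrypting anything.
        if (!CryptographicOperations.FixedTimeEquals(Tag(key, salt, ct), tag))
            throw new CryptographicException("HMAC mismatch: corrupted or tampered message.");
        using Aes aes = NewAes(key, iv);
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(ct, 0, ct.Length);
    }
}
```

Because the HMAC key is derived from the password, a wrong password fails the same check as a tampered message, so the CBC padding is never processed for unauthenticated input.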
I was recently asked to develop a small utility that is a personal encryption tool that uses the same encryption code as my Safe Pad application. I did this on the understanding I could open source the result, which I have.
Text Shredder is a utility that simplifies encryption and decryption of plain text data. Plain text data is encrypted and can then be easily copied to the clipboard or saved as a text file. This text file can then be sent via your normal instant chat/messenger programs or email.
Text Shredder allows you to set up to 2 passwords (the 2nd password is optional). These passwords are then used to create a strong encryption key which is used to encrypt your text using the industry standard FIPS Certified AES algorithm (Advanced Encryption Standard).
For more information on the Text Shredder utility you can view the main project page. Text Shredder is open source and has been released under the GPL v3.0 License. The source code and binaries are available from Codeplex.
I have recently released version 1.2 of Safe Pad. Safe Pad is an encrypted text editor that allows you to protect your documents using strong FIPS Compliant AES Encryption using up to 2 passwords to generate your encryption key. Safe Pad is open source and has been released under the GNU Public License.
I have now released version 1.1 of my popular encrypted notepad application SafePad. Version 1.1 focuses on many of the requests I have had from users. These are mainly around usability.
What is SafePad
SafePad is a simple FREE text editor that lets you encrypt your documents using 3 cascaded iterations of AES encryption (Advanced Encryption Standard). To protect your document you have to provide 2 passwords. Passwords have always been a problem when it comes to security, as users tend to pick a password that is easy for them to remember. This also means that the password is most likely easy to crack. Using 2 passwords and performing multiple rounds of encryption makes it much harder to crack the passwords. If someone manages to crack password 1, all they will get back is encrypted text, so it would be very hard for them to know they have cracked that password.
Picking strong yet easy to remember passwords is essential when protecting your files. If your passwords are easy to guess or can be cracked by a brute force search then you are leaving your data open to being stolen. Here is a good article over at wolfram.org with some good advice on picking strong passwords.
In this article I want to talk about the storage of passwords in your systems. Passwords are still the most common way of being able to authenticate a user, but it is very easy to put yourself in a situation where your system is not secure and susceptible to attacks. In this article I want to discuss ways in which you shouldn’t store passwords, and talk about how you can safely store passwords and protect yourself where you have been a victim of data theft.
Storing Passwords in the Clear
Ease of Implementation : EASY
Is Good Idea : TERRIBLE IDEA
When you are developing a system that needs to authenticate a user, the biggest mistake you can make is storing passwords as clear text in your database. You may as well not bother having security, as you can’t offer any kind of privacy to your users. This may seem like common sense, but there are still plenty of sites that do this. A user’s password should be secret and known only by the person it belongs to.
2013 has been an interesting year for whistle blowing about surveillance from the American and British governments. Earlier in the year Edward Snowden, a former NSA technologist, decided to put his own life on the line and leak a huge cache of documents about the NSA’s surveillance capabilities against its own people in the USA. This goes against the 4th amendment in the constitution that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.
The notion of surveillance is a complex topic. There are a lot of bad people out there that want to cause America, Britain, and Europe a lot of harm, and we need a way to keep tabs on these people. In this case I believe surveillance is justified. There will always be domestic threats, which also need to be monitored. The question here though is, have our governments crossed the line with the mass data collection that they are doing? In my opinion yes they have, but now this is all starting to get out in the open, maybe something will start to be done about it, hopefully. This all really started when George Bush gave the NSA the remit to collect this data after the September 11th attacks against the USA.