Understanding the Supported Cryptographic Methods


It’s important to understand how the .NET Framework arranges the various cryptographic methods and how the CLR uses them. Not every cryptographic algorithm is equal and you need to use the right algorithm for your specific need. The cryptographic hierarchy begins with the two types of cryptography in use on computers today: symmetric (SymmetricAlgorithm class) and asymmetric (AsymmetricAlgorithm class). You can’t use either class directly, but these classes do form the basis for cryptographic analysis for .NET applications. In fact, these classes are basic dividers in the functionality that the .NET Framework provides.

Note

The System.Security.Cryptography namespace also contains a HashAlgorithm class that you won’t use for cryptographic purposes. See the “Circumventing and Fixing the Standard Check” section of Chapter 6 for details on using this algorithm for verifying code. You can also use this algorithm for verifying data integrity and for detecting changes to essential security elements such as digital signatures. See the “Using Hash Functions” section of this chapter for further details on other hash uses.

A symmetric algorithm relies on a single private key. Anyone who wishes to decrypt data encrypted with a certain key must have access to that key. The advantages of symmetric algorithms include relative simplicity and fast data translation speed. In addition, a symmetric algorithm tends to produce a smaller encrypted file. For example, given a 209-byte input file, the RijndaelManaged class produces a 224-byte encrypted result, while the Rivest, Shamir, and Adleman (RSA) class produces a 768-byte result. (See the TempCryptA.TXT and TempCryptA.TXT files in the \Chapter 07 folder located on the Sybex Web site as examples.) This is the kind of algorithm to use when encrypting personal data or transferring a large quantity of data between trusted associates. The symmetric algorithms supported by the .NET Framework include:

  • DES

  • RC2

  • Rijndael

  • TripleDES

An asymmetric algorithm relies on a public and private key pair. The cryptographic cipher relates the keys through a very large prime number, which means you can’t realistically expect to guess the private key by knowing the public key. You encrypt data using the private key and use the public key to decrypt the information (or vice versa—encrypt using the public key and decrypt using the private key). The advantage of the asymmetric system is that you can give the public key out to anyone who needs to decrypt the data without making it possible for them to also encrypt data using your private key. You can also receive information from multiple sources that the senders encrypted using the public key that only you can decrypt using your private key. Consequently, an asymmetric algorithm is also more secure than a symmetric algorithm when two parties are involved (such as an email sender and a recipient). The asymmetric algorithm classes include:

  • Digital Signature Algorithm (DSA)

  • RSA

    Note

    In some cases, a cryptographic technique will combine symmetric and asymmetric methods. The cryptographic technique will exchange symmetric keys using asymmetric encrypting. Because the technique encrypts the symmetric key before transmitting it, there’s little chance of someone eavesdropping and discovering this key. The two parties might use the symmetric key only during the current session, so the two parties exchange new symmetric keys for each session—increasing security. The two parties use the symmetric key to encrypt the data, making the data encryption, transferral, and decryption process faster.
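The session-key exchange described in the note above, as an added example (not code from the book) built on the RijndaelManaged and RSACryptoServiceProvider classes. The class name HybridDemo and the 209-byte payload are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

class HybridDemo   // hypothetical name; added example, not the book's code
{
    static void Main()
    {
        // Constructed 209-byte payload (the input size quoted in the text).
        byte[] plain = Enumerable.Range(0, 209).Select(i => (byte)('A' + i % 26)).ToArray();

        // Recipient creates the key pair and hands out only the public half.
        using (var recipient = new RSACryptoServiceProvider(2048))
        {
            RSAParameters publicKey = recipient.ExportParameters(false);
            byte[] iv, body, wrappedKey;

            // Sender: a fresh symmetric session key encrypts the bulk data.
            using (var aes = new RijndaelManaged())
            {
                aes.KeySize = 256; aes.BlockSize = 128;   // 128-bit block = AES
                // CBC with PKCS7 gives confidentiality only, no integrity check.
                aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                aes.GenerateKey(); aes.GenerateIV();      // new key and IV per message
                iv = aes.IV;
                using (ICryptoTransform enc = aes.CreateEncryptor())
                    body = enc.TransformFinalBlock(plain, 0, plain.Length);

                // Sender: wrap the session key with the recipient's public key.
                using (var wrap = new RSACryptoServiceProvider())
                {
                    wrap.ImportParameters(publicKey);
                    wrappedKey = wrap.Encrypt(aes.Key, true);   // true = OAEP padding
                }
            }

            // Recipient: the private key recovers the session key,
            // and the session key decrypts the body.
            byte[] recovered;
            using (var aes = new RijndaelManaged())
            {
                aes.Key = recipient.Decrypt(wrappedKey, true);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    recovered = dec.TransformFinalBlock(body, 0, body.Length);
            }
            Console.WriteLine("plain={0} body={1} wrappedKey={2}",
                plain.Length, body.Length, wrappedKey.Length);
            Console.WriteLine("round trip ok: " + plain.SequenceEqual(recovered));
        }
    }
}
```

The symmetric ciphertext grows only to the next 16-byte block boundary, while the wrapped session key is always the size of the RSA modulus, which is why the bulk data goes through the symmetric cipher.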

Beware of the Cracked Symmetric Algorithm

It’s important that you use a trustworthy algorithm to encrypt your code. This means researching the algorithm before you use it in your current project to see what the current threats to that algorithm are. Don’t assume that the encryption technique you used yesterday is still fine today. For example, many people are still under the assumption that DES is safe—it isn’t. This particular algorithm was cracked five years (or even more) ago.

A number of online sources chronicle the fall of the venerable DES algorithm. For example, the five-year-old Wired article at http://www.wired.com/news/technology/0,1282,13800,00.html states that computers of that time could break the DES encryption in about 3 days. A 1999 article from Network World Fusion (http://www.nwfusion.com/news/1999/0120cracked.html) shows the time has gone down to around 22 hours. The reason that Triple DES exists is that the government is trying to extend the life of this aging algorithm. You can use DES as long as you create a large key, but some people steadfastly refuse to move beyond the 56-bit key that a five-year-old computer can crack in 3 days and a modern computer can crack in a few hours. It’s best to consider the DES class as the backward compatibility addition to the .NET Framework and move on from there.

Before you latch on to the TripleDES class as the solution for your problems, consider the complaints of some developers that this algorithm is extremely slow. The Network World Fusion article at http://www.nwfusion.com/links/Encyclopedia/D/596.html explains why. This algorithm actually encrypts the data three times—no wonder it’s slow. The article also states that the National Institute of Standards and Technology (NIST) has moved to the Advanced Encryption Standard (AES). It so happens that AES appears as the Rijndael class in the .NET Framework. Although you can use any symmetric algorithm that the .NET Framework supports natively or that you add using techniques such as those shown in the “Using Configuration Files to Map Algorithm Names” section, the Rijndael class provides good value for today and is still a safe method to use. You can read more about the origins of this algorithm at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.

Learning about the Asymmetric Algorithm

Now that we’ve covered the symmetric algorithm, what do you need to know about the asymmetric algorithm? The good news is that there’s little evidence to suggest that either of the asymmetric algorithms supported by the .NET Framework is even close to getting cracked. However, you’re going to run into news stories that say a hacker in the Philippines recently cracked the RSA algorithm. According to articles on many sites including Slashdot (http://slashdot.org/articles/01/02/05/1911258.shtml), the hacker was less than successful. Unfortunately, the article is still circulating on the Internet. If you have any doubts about RSA, you can use the newer DSA algorithm instead.

The problem with the DSA algorithm is that it’s less flexible than RSA and you can only use it for digital signatures. Many developers also claim that the algorithm is slower than using RSA for similar tasks. You can read a professional evaluation of DSA at http://www.rsasecurity.com/rsalabs/faq/3-4-1.html.
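The signature use of both asymmetric classes, as an added example (not code from the book): the private key signs, a verifier holding only the public half checks the signature, and a changed message fails the check. It assumes .NET Framework 4.6 or later on Windows; the class name SignatureDemo and both messages are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class SignatureDemo   // hypothetical name; added example, not the book's code
{
    static void Main()
    {
        // Constructed sample messages: the signed one and an altered copy.
        byte[] msg = Encoding.UTF8.GetBytes("transfer 100 to account 42");
        byte[] altered = Encoding.UTF8.GetBytes("transfer 900 to account 42");

        // DSA signs and verifies only; the class has no Encrypt or Decrypt method.
        using (var signer = new DSACryptoServiceProvider())
        using (var verifier = new DSACryptoServiceProvider())
        {
            byte[] sig = signer.SignData(msg);   // hashes with SHA-1, then signs
            // The verifier receives the public parameters only.
            verifier.ImportParameters(signer.ExportParameters(false));
            Console.WriteLine("DSA original verifies: " + verifier.VerifyData(msg, sig));
            Console.WriteLine("DSA altered verifies:  " + verifier.VerifyData(altered, sig));
        }

        // RSA covers the same task and can also encrypt.
        using (var signer = new RSACryptoServiceProvider(2048))
        using (var verifier = new RSACryptoServiceProvider())
        {
            byte[] sig = signer.SignData(msg, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
            verifier.ImportParameters(signer.ExportParameters(false));
            Console.WriteLine("RSA original verifies: " + verifier.VerifyData(
                msg, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            Console.WriteLine("RSA altered verifies:  " + verifier.VerifyData(
                altered, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
        }
    }
}
```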




.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168
