
Online Book Preview – Microsoft .NET Framework: Web Application Security

Chapter 8: Cryptography (Online Book Preview)


The following is an excerpt from Vijay Mukhi's upcoming book "Microsoft .NET Framework: Web Application Security." This book will be available for purchase from this site as an e-book in June, 2008.

Introduction

Email has become a way of life and is one of the best forms of communication, whether for personal or commercial purposes. But how can we be sure that the email messages we send will reach their destination without being intercepted and altered? And how would we ever know if our thoughts in these messages are being spied upon? If the data flowing through the Internet is in plain text, it is easily readable by all. If this is of concern to us, the best approach is to encrypt the data that is sent back and forth.

Email messages are not the only data we should consider encrypting. Computer users generally store all their data in plain text on their desktop or notebook computers, unaware that if the system is compromised, anyone can access every file on it. It is therefore advisable to store all confidential data in encrypted form. Banks encrypt all the data in their online banking transactions. All e-commerce sites use some form of encryption in their business transactions to safeguard data traveling over the Net.

It is a myth that passwords stored in databases are safe and sound. A compromised database server can hand all the sensitive data stored in it to an attacker, and, for that matter, SQL injection attacks can retrieve passwords from databases very easily. Even string parameters in a web.config file are unsafe if they are not encrypted.

We believe that all programmers today need to implement code to conceal the original data. One aspect of cryptography is the concealment of original data using symmetric and asymmetric algorithms.

In this chapter, we will look at a few of these algorithms, which can be implemented in our code using the .NET Framework.

Let us examine one of the easiest forms of encryption.
