Online Book Preview – Microsoft .NET Framework: Web Application Security
Chapter 8: Cryptography (Online Book Preview)
The following is an excerpt from Vijay Mukhi's upcoming book "Secure Your Applications Using the .NET Framework." This book will be available for purchase from this site as an e-book in April, 2008.
TripleDESCryptoServiceProvider
c.cs
using System.Security.Cryptography;
using System;
using System.IO;
using System.Text;
class zzz
{
    public static void Main()
    {
        TripleDESCryptoServiceProvider t = new TripleDESCryptoServiceProvider();
        // Generate a random key and show it in Base64 form
        t.GenerateKey();
        String sk = Convert.ToBase64String(t.Key);
        Console.WriteLine("Key is {0}",sk);
        // Generate a random initialization vector (one block long)
        t.GenerateIV();
        String sIV = Convert.ToBase64String(t.IV);
        Console.WriteLine("Initialization Vector is {0}",sIV);
        ICryptoTransform ct;
        MemoryStream m;
        CryptoStream c;
        byte[] b;
        // Encrypt: write the plain bytes through a CryptoStream into memory
        ct = t.CreateEncryptor(t.Key, t.IV);
        b = Encoding.UTF8.GetBytes("Vijay");
        m = new MemoryStream();
        c = new CryptoStream(m, ct ,CryptoStreamMode.Write);
        c.Write(b, 0, b.Length);
        c.FlushFinalBlock();   // pad and emit the last block
        c.Close();
        String se = Convert.ToBase64String(m.ToArray());
        Console.WriteLine("Encrypted String is {0}",se);
        // Decrypt: same key and IV, but a decryptor transform this time
        ct = t.CreateDecryptor(t.Key, t.IV);
        b = Convert.FromBase64String(se);
        m = new MemoryStream();
        c = new CryptoStream(m, ct, CryptoStreamMode.Write);
        c.Write(b, 0, b.Length);
        c.FlushFinalBlock();
        c.Close();
        String sd = Encoding.UTF8.GetString(m.ToArray());
        Console.WriteLine("Decrypted String is {0}",sd);
    }
}
Command Prompt Window
C:\encrypt>c
Key is Y+S6gjQQ7RrZnXDItYB7SzRAlOEG3CTj
Initialization Vector is 5eTPY68ZnBU=
Encrypted String is o6xpIrRIfqY=
Decrypted String is Vijay
TripleDES uses a symmetric algorithm whereby the same key or password is used to encrypt data as well as decrypt data. It is implemented in .NET through the class TripleDESCryptoServiceProvider.
A key is generated by calling the GenerateKey method of TripleDESCryptoServiceProvider. The TripleDES algorithm generates a strong key 128 to 192 bits long, while the good old DES algorithm creates a 64-bit key. The KeySize property reports the actual size of the key. The key is converted into a Base64 string for display purposes.
After the key has been generated, we use the method GenerateIV to create a second random value, the initialization vector (which we’ll abbreviate to IV). The IV is not a second key; the algorithm mixes it into the first block of data before that block is encrypted. Without an IV, the same string encrypted under the same key would always produce the same ciphertext, and if the key were obtained, the encryption would be broken. The IV is the random component that starts the encryption of the first block. Thus, the key may be the same, but if the IV differs, the encrypted data looks completely different.
Let’s understand block ciphers once again with an example. If we encrypt the text Vijay with the same key, mukhi, every time, the encrypted text will always be the same. Consequently, every occurrence of the word Vijay in a text produces the same cipher text, and once that cipher text has been cracked, an attacker can reuse the same key to recover the input stream. The approach adopted in this algorithm to resolve the problem is to take the block that was encrypted just before and mix it into the block about to be encrypted. The two blocks, and therefore the two occurrences of Vijay, will never be the same, since the blocks preceding them differ.
For the first block with no previous block, the IV is used to encrypt the data. The size of the IV is the same size as the property BlockSize (we display the IV onscreen here).
The CreateEncryptor method of the provider class is called with the key and the IV to create the actual TripleDES transform object used for encryption. All such transform objects implement the ICryptoTransform interface.
Next, we supply the data to be encrypted. Since a byte array is required, string Vijay is converted into a series of bytes using the GetBytes method.
Now that the key and the data have been obtained, a MemoryStream object m is created. A MemoryStream is similar to a FileStream, except that it reads and writes data from and to memory rather than disk.
Lastly, a CryptoStream object is created with the MemoryStream object m, the actual TripleDES object, ct and the mode of the stream, Write, used to write the encrypted data in the memory stream.
For the actual encryption to take place, the Write method of the CryptoStream c is used to push a byte array through the TripleDES transform ct into the memory stream. Write takes the byte array, the offset in the array at which to start (0 refers to the start), and the number of bytes to write.
The Write function encrypts the data in the array and writes the encrypted data to the MemoryStream. A FileStream object in place of the MemoryStream would write the encrypted data to disk. This MemoryStream is thereafter converted into an array and then to a Base64 string for display purposes.
The CryptoStream object associates a TripleDES transform with any stream object. The FlushFinalBlock method forces out the last block, which the stream holds back until it can be padded to a full block; without it, encryption of the tail of the data would be delayed. It is also good practice to close the objects that have been opened in the program.
To decrypt the encrypted string, we call the method CreateDecryptor with the same key and IV. This creates a TripleDES object, ct. Next, a byte array is retrieved from the Base64 encoded string of the encrypted value and then a similar CryptoStream object c is created, linking the MemoryStream to the TripleDES object. This class is a stream object used to link data streams to objects that understand cryptography.
The Write method is used once again with the byte array holding the encrypted data and the MemoryStream. The function decrypts the data and serves up the original plain text.
In short, encrypting plain text with a key gives encrypted text; conversely, running the reverse process on the encrypted text with the same key and IV gives back the plain text.
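The following program is an added example (not code from the book) that makes the chaining argument above concrete: it encrypts a plaintext made of two identical 8-byte blocks once without chaining (ECB) and once with it (CBC), then encrypts again under the same key with a fresh IV. It assumes the TripleDES.Create() factory and the TransformFinalBlock method in place of the CryptoStream used in the book's listing; the input string is constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the book): why the IV and block chaining matter.
class IvDemo
{
    // Encrypt or decrypt one buffer with the given key, IV and cipher mode.
    // PKCS7 padding is the .NET default, so output is a whole number of blocks.
    static byte[] Run(byte[] key, byte[] iv, CipherMode mode, byte[] data, bool encrypt)
    {
        using (TripleDES t = TripleDES.Create())
        {
            t.Key = key;
            t.IV = iv;       // ignored by ECB; the "previous block" for block 0 in CBC
            t.Mode = mode;
            using (ICryptoTransform x = encrypt ? t.CreateEncryptor() : t.CreateDecryptor())
                return x.TransformFinalBlock(data, 0, data.Length);
        }
    }

    // Compare two 8-byte ciphertext blocks (the TripleDES block size is 64 bits).
    static bool SameBlock(byte[] c, int a, int b) =>
        c.Skip(a * 8).Take(8).SequenceEqual(c.Skip(b * 8).Take(8));

    public static void Main()
    {
        // Constructed input: the same 8-byte block "Vijay   " twice.
        byte[] plain = Encoding.UTF8.GetBytes("Vijay   Vijay   ");
        byte[] key, iv1, iv2;
        using (TripleDES t = TripleDES.Create())
        {
            t.GenerateKey(); key = t.Key;
            t.GenerateIV();  iv1 = t.IV;
            t.GenerateIV();  iv2 = t.IV;   // a second IV for the same key
        }
        // ECB has no chaining: equal plaintext blocks give equal ciphertext blocks.
        byte[] ecb = Run(key, iv1, CipherMode.ECB, plain, true);
        Console.WriteLine("ECB: block 0 equals block 1? {0}", SameBlock(ecb, 0, 1));
        // CBC mixes each block with the previous ciphertext block, so the copies differ.
        byte[] cbc1 = Run(key, iv1, CipherMode.CBC, plain, true);
        Console.WriteLine("CBC: block 0 equals block 1? {0}", SameBlock(cbc1, 0, 1));
        // Same key, fresh IV: every ciphertext block changes, yet it still decrypts.
        byte[] cbc2 = Run(key, iv2, CipherMode.CBC, plain, true);
        Console.WriteLine("CBC with IV1 equals CBC with IV2? {0}", cbc1.SequenceEqual(cbc2));
        byte[] back = Run(key, iv2, CipherMode.CBC, cbc2, false);
        Console.WriteLine("Decrypted: '{0}'", Encoding.UTF8.GetString(back));
    }
}
```

The ECB comparison is what an attacker would see if the IV were omitted: the repeated word shows up as a repeated ciphertext block, which is the weakness the chaining mode and the IV remove.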
If the line that creates the provider is changed to
RC2CryptoServiceProvider t = new RC2CryptoServiceProvider();
the program will use the RC2 algorithm to encrypt the same string. No other line of code needs to change.
Command Prompt Window
C:\encrypt>c
Key is HTqI49/9ucjhlf2apQx+bA==
Initialization Vector is nB+TLMgyKDQ=
Encrypted String is xU8bi8DP7Yo=
Decrypted String is Vijay
One advantage of using the cryptography classes in .NET is that if we know one, we can safely say we know them all, as they follow the same pattern. The online help is useful if you want to try all the other service providers for yourself.