Q

Encryption and .NET application security

Encrypting sensitive data is an important part of .NET Web application security. Expert Dan Cornell explains how to encrypt your data using the options available.

What are my options for encrypting data on the .NET platform?
There are a number of cryptographic capabilities available on the .NET platform. The .NET core libraries contain managed implementations of most popular cryptographic functions, including symmetric (secret key) cryptography, asymmetric (public key) cryptography and hashing.

The majority of these capabilities can be found in the System.Security.Cryptography namespace. Available hashing algorithms include MD5, SHA1, SHA256, SHA384 and SHA512. Symmetric algorithms available include DES, RC2, Rijndael (AES) and Triple DES. All of those are industry-proven cryptographic routines available for easy use via .NET libraries. Please note that there have been weaknesses or issues associated with certain algorithms such as MD5, SHA1 and DES, so select algorithms carefully.

Cryptography resources
Protecting encrypted data from attacks

Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography

OWASP Guide to Building Secure Web Applications and Web Services, Chapter 19: Cryptography
Also, starting with the release of Windows 2000, Microsoft has provided a Data Protection API (DPAPI) as part of the operating system. This allows Windows applications to easily have access to powerful encryption capabilities based on either the current user's or the current machine's security identity. At its core, the DPAPI is a Win32 library. Under .NET 1.1 a wrapper library had to be created before DPAPI calls could be made from .NET applications.

An equivalent bridge library has been included in the .NET 2.0 platform, making it even easier to DPAPI-enable applications. This can be found in the DataProtectionConfigurationProvider in the System.Security.Cryptography namespace.

Given increasing requirements to protect sensitive patient and customer information due to laws such as HIPAA and California SB-1386, the use of cryptography in applications is beginning to be a must-have rather than something that's nice to have. Fortunately the .NET platform makes the low-level task of implementing these capabilities unnecessary.
This was first published in March 2006

Dig deeper on Building security into the SDLC (Software development life cycle)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close