Encryption and .NET application security

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? How do I set up a secure login page using membership in ASP.NET? Security testing sales, marketing websites Are there application security certification standards? Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Application security careers have bright future Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science'

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

There are a number of cryptographic capabilities available on the .NET platform. The .NET core libraries contain managed implementations of most popular cryptographic functions, including symmetric (secret key) cryptography, asymmetric (public key) cryptography and hashing.

The majority of these capabilities can be found in the System.Security.Cryptography namespace. Available hashing algorithms include MD5, SHA1, SHA256, SHA384 and SHA512. Symmetric algorithms available include DES, RC2, Rijndael (AES) and Triple DES. All of those are industry-proven cryptographic routines available for easy use via .NET libraries. Please note that there have been weaknesses or issues associated with certain algorithms such as MD5, SHA1 and DES, so select algorithms carefully.

Cryptography resources Protecting encrypted data from attacks Beginning Cryptography with Java -- Chapter 2, Symmetric Key Cryptography OWASP Guide to Building Secure Web Applications and Web Services, Chapter 19: Cryptography

Also, starting with the release of Windows 2000, Microsoft has provided a Data Protection API (DPAPI) as part of the operating system. This allows Windows applications to easily have access to powerful encryption capabilities based on either the current user's or the current machine's security identity. At its core, the DPAPI is a Win32 library. Under .NET 1.1 a wrapper library had to be created before DPAPI calls could be made from .NET applications.

An equivalent bridge library has been included in the .NET 2.0 platform, making it even easier to DPAPI-enable applications. This can be found in the DataProtectionConfigurationProvider in the System.Security.Cryptography namespace.

Given increasing requirements to protect sensitive patient and customer information due to laws such as HIPAA and California SB-1386, the use of cryptography in applications is beginning to be a must-have rather than something that's nice to have. Fortunately the .NET platform makes the low-level task of implementing these capabilities unnecessary.