subhashini (Moderator):
hello everbody . A very good evening to all of you. :-)
subhashini (Moderator):
Welcome to today's chat on .NET Cryptography
subhashini (Moderator):
We have Arun Ganesh (MVP) with us today
subhashini (Moderator):
To give you a quick intro about him
subhashini (Moderator):
G. Gnana Arun Ganesh, a Microsoft XML Web Services MVP is a .NET
Developer, Author, Editor and Reviewer, who has been working with
Microsoft .NET Technologies since its initial beta version. Currently
he is working for Accenture-Microsoft Engagement. As a .NET author,
he has published more than 60 articles on .NET technology in various
top .NET Web sites, such as eXPerienceDotNet, MSDNAA (MSDN Academic
Alliance), Developersdex, etc and conducted various .NET sessions
in colleges.
subhashini (Moderator):
Co-author of the Prentice Hall PTR book, .NET Security and Cryptography,
part of The Integrated .NET Series from Object Innovations. As an
Active member of Prentice Hall’s technical review panel, he
has performed many technical reviews, beginning with C# How to Program,
written by Harvey and Paul Deitel. He is also one of the Managers
of MUGH (Microsoft User Group, Hyd) and One of the authors of ObjectInnovations.com,
which offers training course materials in fundamental software technologies.
subhashini (Moderator):
NET Blog: <<http://arun.mvpblog.com/>>
VS 2005 Blog:<<http://spaces.msn.com/members/arun>>
Web services and XBOX Blog: <<http://weblogs.asp.net/arunganesh>>
.NET Web Site: www.arunmicrosystems.netfirms.com
<<http://www.arunmicrosystems.netfirms.com/>>
UG Site: www.mugh.net <<http://www.mugh.net/>>
subhashini (Moderator):
and he can be reached at ggarung@rediffmail.com
subhashini (Moderator):
Before we start a few chat rules as always
subhashini (Moderator):
Please refrain from sending any private messages to the expert during
the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts
will respond to as many questions as they can. Please understand
that there may be some questions we cannot respond to due to lack
of information or because the information is not yet public. We
encourage you to submit questions for our Experts.
subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This
helps the Guests and Experts follow the conversation more easily.
We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
Please us ethe radial button "submit a question " to ask
any questions to the expert
subhashini (Moderator):
Please use the radial button "submit a question " to ask
any questions to the expert
subhashini (Moderator):
So let's get the chat rolling and let's welcome Arun
subhashini (Moderator):
Hi Arun
Arun Ganesh_MVP (Expert):
Great
Arun Ganesh_MVP (Expert):
Hi All, Good Evening. Welcome to today’s community chat session
on .NET Cryptography
Arun Ganesh_MVP (Expert):
Let me first; give some brief about .NET cryptography and jump into
Q/A
Arun Ganesh_MVP (Expert):
The following Topics would be covered in Today’s chat.
Security Principles
What is Cryptography?
Symmetric Cryptography
Asymmetric Cryptography
Cryptography and the .NET Framework
Arun Ganesh_MVP (Expert):
Before entering into the chat: Few tips for better security in your
application:
Arun Ganesh_MVP (Expert):
Learn from Mistakes
Minimize your attack surface area
Use Defense in Depth principle
Use Least Privilege
Assume external systems are insecure
Plan on Failure
Security Features ! = Secure Features
Arun Ganesh_MVP (Expert):
Hope you guys; enjoy the last one! :)
Arun Ganesh_MVP (Expert):
Security Features != Secure Features
Arun Ganesh_MVP (Expert):
Ok, first - What is Cryptography?!
Arun Ganesh_MVP (Expert):
Security is the art of protecting access to information and other
computing resources from those whom you do not fully trust.
Arun Ganesh_MVP (Expert):
Cryptography (from Greek kryptós, "hidden", and
gráphein, "to write") is, traditionally, the practice
of converting information to an obscured form to prevent others
from understanding it.
Arun Ganesh_MVP (Expert):
Cryptography is generally nothing more than hiding large secrets
(which are themselves awkward to hide) with small secrets (which
are more convenient to hide).
Arun Ganesh_MVP (Expert):
Some Basic Cryptographic Terminology:
Arun Ganesh_MVP (Expert):
A cipher is a system or an algorithm used to transform an arbitrary
message into a form that is intended to be unintelligible to anyone
other than one or more desired recipients.
Arun Ganesh_MVP (Expert):
2. § The original message (text or binary) is referred to as
plaintext.
Arun Ganesh_MVP (Expert):
3. The encrypted message is referred to as cipher text.
Arun Ganesh_MVP (Expert):
4. A key is used by a cipher as an input that controls the encryption
in a desirable manner.
Arun Ganesh_MVP (Expert):
The security of a cryptosystem usually depends on the secrecy of
some of the keys rather than secrecy of the algorithm.
Arun Ganesh_MVP (Expert):
A strong cryptosystem has a large range of possible keys so that
it is not possible to just try all possible keys a "brute force"
approach.
Arun Ganesh_MVP (Expert):
Ciphertext makes it possible to transmit sensitive information over
an insecure channel or to store sensitive information on an insecure
storage medium.
Arun Ganesh_MVP (Expert):
The term encryption refers to the process of transforming plaintext
into ciphertext.
Decryption is the inverse process of encryption, transforming ciphertext
back into the originalplaintext.
Arun Ganesh_MVP (Expert):
The design and application of ciphers is known as cryptography,
which is practiced by cryptographers.
The breaking of ciphers is known as cryptanalysis.
Arun Ganesh_MVP (Expert):
Cryptology refers to the combined mathematical foundation of cryptography
and cryptanalysis.
Arun Ganesh_MVP (Expert):
A cryptanalytic attack is the application of specialized techniques
that are used to discover the key and/or plaintext originally used
to produce a given ciphertext.
Arun Ganesh_MVP (Expert):
Ok, Wait .....!
Arun Ganesh_MVP (Expert):
Wht I can acheive through this!
Arun Ganesh_MVP (Expert):
Confidentiality: means that sensitive information is protected from
disclosure to unauthorized persons. This is closely related to the
concept of privacy.
Arun Ganesh_MVP (Expert):
Integrity: means that data consistency is assured and that the data
is tamper-proof.
Arun Ganesh_MVP (Expert):
Authentication: is the process of proving the identity of an individual
or a system.
Arun Ganesh_MVP (Expert):
Nonrepudiation: means that an individual cannot take an action and
then deny it later. This is closely related to the concept of proof
of receipt.
Arun Ganesh_MVP (Expert):
In short: Cryptography is used to achieve the following goals:
Confidentiality: To help protect a user's identity or data from
being read.
Data integrity: To help protect data from being altered.
Authentication: To assure that data originates from a particular
party.
Arun Ganesh_MVP (Expert):
Now, let us look at Very Very Very simple Cipher!!!!
Arun Ganesh_MVP (Expert):
Over the course of human history, secret-keeping and secret-breaking
technologies have developed in a continuous struggle resembling
the game of leapfrog.
Arun Ganesh_MVP (Expert):
Let us consider a very simple cipher that is attributed to Julius
Caesar.
Arun Ganesh_MVP (Expert):
In the Caesar cipher, each plaintext letter is shifted by three
so that A is replaced with D, B is replaced with E, and so on.
Arun Ganesh_MVP (Expert):
Cipher text: KHOOR FDHVDU FLSKHU
Arun Ganesh_MVP (Expert):
Any guess: what is the plain text?!
Arun Ganesh_MVP (Expert):
It is: HELLO CAESAR CIPHER
Arun Ganesh_MVP (Expert):
Symmetric Cryptography:
Arun Ganesh_MVP (Expert):
Encryption and Decryption use the same key or keys.
Keys are mathematically related to one another in such away that
it is easy to compute one key from knowledge of the other, which
is effectively a single key.
Arun Ganesh_MVP (Expert):
Since the single key is the only secret to encryption and decryption,
it is critical that this key be kept strictly private.
Arun Ganesh_MVP (Expert):
There are two basic types of symmetric algorithms: block ciphers
and stream ciphers.
Arun Ganesh_MVP (Expert):
A block cipher processes a block of bytes (usually 64 or 128 bits)
at a time.
A stream cipher processes a single byte or even a single bit at
a time.
Arun Ganesh_MVP (Expert):
ok, so any pbr with Symmetric Algorithms
Arun Ganesh_MVP (Expert):
One big issue with using symmetric algorithms is the key exchange
problem
Arun Ganesh_MVP (Expert):
The other main issue is the problem of trust between two parties
that share a secret symmetric key. Problems of trust may be encountered
when encryption is used for authentication and integrity checking.
Arun Ganesh_MVP (Expert):
so wht is the resolution to this?!
Arun Ganesh_MVP (Expert):
answer - Asymmetric cryptography
Arun Ganesh_MVP (Expert):
Asymmetric cryptography uses a private key that must be kept secret
from unauthorized users and a public key that can be made public
to anyone.
Arun Ganesh_MVP (Expert):
Asymmetric cryptography does not replace symmetric cryptography.
Rather, it is important to recognize the relative strengths and
weaknesses of both techniques so that they can be used appropriately
and in a complementary manner.
Arun Ganesh_MVP (Expert):
Symmetric algorithms tend to be much faster than asymmetric algorithms,
especially for bulk data encryption.
Arun Ganesh_MVP (Expert):
They also provide much greater security than asymmetric algorithms
for a given key size. On the down side, symmetric key cryptography
requires that the secret key be securely exchanged and then remain
secret at both ends.
Arun Ganesh_MVP (Expert):
A traditional symmetric cipher is analogous to a lockbox with a
combination lock that has one combination used both to open it and
close it.
Arun Ganesh_MVP (Expert):
The analogy for an asymmetric cipher is a somewhat stranger device:
The single lock has two distinct combinations, one for opening it
and another for closing it.
Arun Ganesh_MVP (Expert):
By keeping one of these combinations secret and making the other
combination public, you can effectively control who can place or
remove the contents in the lockbox.
Arun Ganesh_MVP (Expert):
This added flexibility supports two useful scenarios: confidentiality
without prior key exchange and data integrity enforcement.
Arun Ganesh_MVP (Expert):
Ok... Let me give some interesting scenario!
Arun Ganesh_MVP (Expert):
to acheive data confedentiality and Integrity
Arun Ganesh_MVP (Expert):
Scenario1:
You know “Public Combination” – For locking…
but no “Private Key” for opening the lock..
So once you placed your content and locked.. It is impossible to
open with out Private Key.
------ Data Confidentiality (With out Key Exchange)….
Arun Ganesh_MVP (Expert):
Scenario 2:
You know “Private Combination” – For locking …
Now any one can open the lock but no body else can lock other contents
into the lockbox…
------- Tamper Proof….
Arun Ganesh_MVP (Expert):
Integrity!
Arun Ganesh_MVP (Expert):
so say u are sending a letter to your friend (!)
Arun Ganesh_MVP (Expert):
Imagine the above scenarios
Arun Ganesh_MVP (Expert):
In short: In a real world scenario, use public key (asymmetric)
encryption to transfer a secret (symmetric) key and use secret key
encryption for the remainder of the session.
Arun Ganesh_MVP (Expert):
Wait................
Arun Ganesh_MVP (Expert):
The topic is .NET Cryptography.... Not Cryptography
Arun Ganesh_MVP (Expert):
right?!
Arun Ganesh_MVP (Expert):
so let us look at some .NET Stuff toooo!
Arun Ganesh_MVP (Expert):
Cryptography and the .NET Framework
Arun Ganesh_MVP (Expert):
The .NET Framework class library provides the System.Security.Cryptography
namespace, which supports the most important symmetric and asymmetric
ciphers as well as several secure hash algorithms and a cryptographic
quality random number generator.
Arun Ganesh_MVP (Expert):
So Wht are the standards implemented in it?
Arun Ganesh_MVP (Expert):
Any Guess?!
Arun Ganesh_MVP (Expert):
DES: Data Encryption Standard (symmetric block cipher)
3DES: Triple DES (symmetric block cipher; stronger alternative to
DES)
Rijndael: AES (symmetric block cipher)
Arun Ganesh_MVP (Expert):
RC2: Cipher design by Ronald Rivest (symmetric stream cipher)
Arun Ganesh_MVP (Expert):
RSA: Cipher design by Rivest, Shamir, and Adleman (asymmetric algorithm
for both encryption and digital signatures)
Arun Ganesh_MVP (Expert):
DSA: Digital Signature Algorithm (asymmetric algorithm only for
digital signatures)
Arun Ganesh_MVP (Expert):
MD5: Message digest (i.e., a secure hash) algorithm developed by
Rivest
Arun Ganesh_MVP (Expert):
SHA-1, SHA-256, SHA-384, SHA-512: Standard secure hash algorithms
Arun Ganesh_MVP (Expert):
Pseudorandom Number Generator (PRNG)
XML Signatures: Digital signatures for XML data
Arun Ganesh_MVP (Expert):
so are we covering all this today
Arun Ganesh_MVP (Expert):
No! Let us look @ DES alone
Arun Ganesh_MVP (Expert):
Horst Feistel, working at IBM in the early 1970s, developed
symmetric block cipher designs that eventually evolved into the
Data Encryption Standard.
Arun Ganesh_MVP (Expert):
DES is a symmetric block cipher that transforms 64-bit data blocks
using a 56-bit shared secret key, involving 16 rounds of permutation
and substitution.
Arun Ganesh_MVP (Expert):
I will answer all your questions; once the brief is over ;)
Arun Ganesh_MVP (Expert):
please wait
Arun Ganesh_MVP (Expert):
Modes of Operation
To handle sequences of data blocks, these ciphers must operate according
to certain agreed-upon rules, as defined by modes of operation.
Arun Ganesh_MVP (Expert):
so what is this mode of operations ?!
Arun Ganesh_MVP (Expert):
u have to handle the plain text in data blocks
Arun Ganesh_MVP (Expert):
and the modes are:
Arun Ganesh_MVP (Expert):
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Cipher Text Stealing (CTS)
Arun Ganesh_MVP (Expert):
ECB, which encrypts each block individually
Arun Ganesh_MVP (Expert):
CBC, which introduces feedback
Arun Ganesh_MVP (Expert):
CFB or OFB, which use a shift register to process data in smaller
chunks
Arun Ganesh_MVP (Expert):
CTS, which is a slight variation of the CBC mode of operation.
Arun Ganesh_MVP (Expert):
Padding mode used in the symmetric algorithm, this is used to fill
any remaining bytes of the last block.
Arun Ganesh_MVP (Expert):
For simple code sample:
Arun Ganesh_MVP (Expert):
Look at this MSDN URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityCryptographySymmetricAlgorithmClassTopic.asp
Arun Ganesh_MVP (Expert):
This is for symmetric algorithm
Arun Ganesh_MVP (Expert):
In that code, if you notice some thing like this : rijnIV!
Arun Ganesh_MVP (Expert):
right
Arun Ganesh_MVP (Expert):
It is nothing but: Initialization vector (IV)
Arun Ganesh_MVP (Expert):
A block of bits that is combined with the first block of data in
any of several feedback modes.
Initialization vectors are very important when different files are
encrypted using the same key.
make each ciphertext unique, even when similar plain text is encrypted
with the same key.
Arun Ganesh_MVP (Expert):
One more thing; u have to look is: Padding Mode
Arun Ganesh_MVP (Expert):
It has 3 values
Arun Ganesh_MVP (Expert):
PKCS7, which indicates that each padding byte is equal to the total
number of padding bytes
Arun Ganesh_MVP (Expert):
Zeros, which indicates that the padding bytes are all zero;
Arun Ganesh_MVP (Expert):
or None, which means that no padding is used.
Arun Ganesh_MVP (Expert):
For more details and examples: Check out my book!!!!! ;):
http://www.amazon.com/exec/obidos/tg/detail/-/013100851X/002-0869067-5508812
Arun Ganesh_MVP (Expert):
You can download the code samples and some sample chapters here:
<http://www.objectinnovations.com/Library/Books/NetSecurity/>
Arun Ganesh_MVP (Expert):
For Book Reviews:
<http://weblogs.asp.net/arunganesh/archive/2004/12/18/323986.aspx>
Arun Ganesh_MVP (Expert):
Okay. Now let me jump into the Q/A session.
Arun Ganesh_MVP (Expert):
Q: what is Cryptography?
A: Cryptology refers to the combined mathematical
foundation of cryptography and cryptanalysis!!!! Cryptography is
generally nothing more than hiding large secrets (which are themselves
awkward to hide) with small secrets (which are more convenient to
hide).
Arun Ganesh_MVP (Expert):
Q: Arun, do you mean to say that .NET doesn't support
SHA5?
A: .NET Support only these algorithms: SHA-1,
SHA-256, SHA-384, SHA-512: Standard secure hash algorithms. Chk
it out here for more info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityCryptography.asp
Arun Ganesh_MVP (Expert):
Q: It is mentioned that the key & initialization
vector must be present for both encrypting & decrypting. But
doesn't the initialization vector keep changing?
A: creating a new instance of an asymmetric algorithm
will automatically generate a random key and initialization vector
(IV) for that instance.
Arun Ganesh_MVP (Expert):
Q: How can i break some bodys cryptography steam
?
A: Most of the latest algorithm are very secure.
But few earlier algorithm like DES etc.. are not more seucre. DES
has been cracked publicly several times now. For example, the Electronic
Frontier
Foundation (EFF) built a specialized DES cracking machine, costing
about
$250,000, and won the RSA DES Challenge II contest in 1998 after
a 56-hour bruteforce
attack. The same machine, working with approximately 100,000 PCs
on the
Internet (http://www.distributed.net),
cracked DES in just over 22 hours. But still if you take some money
in a ATM, they are using DES... If the data is not ver ysensitive
u can use DES
Arun Ganesh_MVP (Expert):
Q: well... i have an extension to my question...
i dont want the data from the WebApp be seen on WinApp... viceversa...
is there any token that can be added to the data ?
A: You can use cryptography techniques to achieve
Confidentiality and Data Integrity irrespective of apps
Arun Ganesh_MVP (Expert):
Q: Arun, how can i crypt the user interface data
to store in database?
A: U can use Hash algorithms to hash the data
and store it in database. But as the hash algortihm is one way function;
u can't re-hash again. Otherwise you have to use symmetric or asymmetric
algortihtm to encrypt and decrypt; depending on the data
Arun Ganesh_MVP (Expert):
Q: Where do we use these Algorithms in the Web
Application
A: U can use this in any application (Windows
or Web ...) ....
Arun Ganesh_MVP (Expert):
Q: I have one Question , How the Encryption algorithm
secured our share assembly
A: For security in assembly; u have to digitally
sign the assembly. chk out this:http://blogs.pingpoet.com/overflow/archive/2005/03/13/1350.aspx
Chk the MSDN for Authenticode and Digital Signing - assembly
Arun Ganesh_MVP (Expert):
Q: I understand that this may be a little off-track,
but could you talk a bit about strong named assemblies?
A: You can create this key pair using
Sn.exe (Strong Name utility). For example, the following command
line creates a new key
pair file called MyKeyPair.snk. Sn.exe can also write the resulting
keys to a named key
container managed by a CSP (cryptographic service provider). Check
the tool’s documentation
for details.
sn -k MyKeyPair.snk
The resulting file contains both public and private keys, but it
must be kept secret, since
it does contain the private key. To expose only the public key in
the key pair file, you must
extract and copy it to a separate file. The following command line
extracts the public key
from MyKeyPair.snk and places it into MyPublicKey.snk.
sn -p MyKeyPair.snk MyPublicKey.snk
To sign a DLL or an EXE assembly, you can use the Assembly Linker
utility Al.exe. For more info chk here : http://msdn.microsoft.com/library/en-us/cpguide/html/cpconworkingwithstrongly-namedassemblies.asp
subhashini (Moderator):
So the time's almost up and I request all of you to wind up with
the last few questions for Arun
Arun Ganesh_MVP (Expert):
Q: Arun, Before it is too late... can you share
some piece of code as how we can implement these algorithms?
A: You can download all the code samples from
my book from here: <http://www.objectinnovations.com/Library/Books/NetSecurity/>
Arun Ganesh_MVP (Expert):
Q: Arun, what is the exact difference between key
and Initialization Vector
A: For a given secret key k, a simple block cipher
that does not use an initialization vector will encrypt the same
input block of plain text into the same output block of cipher text.
If you have duplicate blocks within your plain text stream, you
will have duplicate blocks within your cipher text stream. If unauthorized
users know anything about the structure of a block of your plain
text, they can use that information to decipher the known cipher
text block and possibly recover your key. To combat this problem,
information from the previous block is mixed into the process of
encrypting the next block. Thus, the output of two identical plain
text blocks is different. Because this technique uses the previous
block to encrypt the next block, an IV is used to encrypt the first
block of data.
Hope this ansers u r question
subhashini (Moderator):
On demand , we have extended the chat for another 5 mins
Arun Ganesh_MVP (Expert):
Q: Could you recommend some good blogers who write
about .NET cryptography?
A: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/security1.asp
and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/security1.asp
; To my knowledge there is no specific cryptography bloggers...
but chk out her e for some coool blogs: http://www.msdn.microsoft.com/security/
Arun Ganesh_MVP (Expert):
Q: Arun...Can you pls. explain us the exact situation
in our application development public key pair ,turnoff the verification
process and then enable the verification process with private key
pair?
A: I htink; u are asking about delay signing:
Chk it out here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconDelayedSigningAssembly.asp
... This will give u a clear idea.
subhashini (Moderator):
The chat transcript would be available at http://www.microsoft.com/india/communities/chat/Transcripts.aspx
Arun Ganesh_MVP (Expert):
Q: Ok, but whats the utility of strong naming your
assembly?
A: A strong name consists of the assembly's identity
— its simple text name, version number, and culture information
(if provided) — plus a public key and a digital signature.
Chk here for more info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconDelayedSigningAssembly.asp
Arun Ganesh_MVP (Expert):
Friends: Time is up; But you can send all your queires to arunganesh@gmail.com
or check my blog: http://arun.mvpblog.com/
Arun Ganesh_MVP (Expert):
yep, please tell
Arun Ganesh_MVP (Expert):
Yep. It is not machine specific.
Arun Ganesh_MVP (Expert):
But if you use DPAI ...... like this:http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod22.asp
then it has dependency with machine store
subhashini (Moderator):
Thanks for attending the webchat
subhashini (Moderator):
and hope this chat was useful and informative.
subhashini (Moderator):
The details of these webchats are put up on http://www.microsoft.com/india/communities/chat/default.aspx
subhashini (Moderator):
Please feel free to pool in your feedback at commind@microsoft.com
Arun Ganesh_MVP (Expert):
Thanks a lot guys.
subhashini (Moderator):
Thanks Arun for delivering this interesting and informative session
Arun Ganesh_MVP (Expert):
Ping me at any time: arunganesh@gmail.com...
for more info: http://aspnet2.com/mvp.ashx?GnanaArunGaneshGnanavel
subhashini (Moderator):
And thanks to all of you for attending. Have a lovely evening
|
