Cryptography Application Block in Enterprise Library 2.0 - Part I
by David Hayden ( Florida .NET Developer )
The Cryptography Application Block in Enterprise Library 2.0 provides both hashing and encryption services to your WinForms and web applications. It is a convenience wrapper around the hashing and encryption classes included in the .NET 2.0 Framework. The Cryptography Application Block does what all the other blocks do - it hides the implementation details from your application in your app.config or web.config, so that you can change hashing and encryption providers under the covers without changing a single line of code. As I will show, it also provides assistance with generating and securing encryption keys for your application, plus a couple of other nice features. Initially, I just want to talk about encryption; later on I will provide another article on hashing.
Keeping Secrets
Almost all applications need to keep secrets. Perhaps you are building an e-commerce architecture and you need to keep credit card numbers and customer information away from prying eyes. Maybe your application includes other personal information about people or your employees, like social security numbers. Or, maybe you just want to protect a list of passwords used to access other systems.
The .NET 2.0 Framework includes a number of encryption providers to help you encrypt this information so it remains a secret. The Cryptography Application Block exposes the Symmetric Encryption Providers to you so you can keep your secrets. Symmetric Encryption Providers use a single key for encrypting and decrypting secrets, whereas Asymmetric Encryption Providers use two keys - a private key for encrypting information and a public key for decrypting information.
Shown below are the encryption providers exposed by the Cryptography Application Block. Notice that only the classes that inherit from System.Security.Cryptography.SymmetricAlgorithm are listed:

Enterprise Library 2.0 Configuration Tool
As with all the blocks in Enterprise Library 2.0, it is best to use the Enterprise Library Configuration Tool for all your configuration needs.
Shown below is how I have chosen to use the Cryptography Application Block in my application. By default when you add the Cryptography Application Block, it includes the nodes for Hash Providers and Symmetric Providers. The default is none, so I added the RijndaelManaged Symmetric Encryption Provider. For symmetric algorithms, AES, also known as Rijndael, is recommended.

You will need to generate a key for use with Rijndael, and the Cryptography Application Block provides a very useful Cryptographic Key Wizard to help you generate the key, save it to a file, and protect the key file with DPAPI ( Data Protection API ):

So what we have done here is generate a single key to encrypt and decrypt data for our application using the Rijndael Symmetric Encryption Provider. To protect the key, we used DPAPI to secure it with information about the currently logged-in user account. This means that your application needs to be running under that user's credentials to access the key. If this is not ideal, you could use Machine mode, which means any application running on the machine can access the key file. If the user account gets accidentally deleted or your machine bites the dust, you won't be able to access the key file. The Cryptography Application Block allows you to export the key for safe keeping. It is up to you to decide what “safe keeping“ means:

Using the Cryptography Application Block
The information saved in the app.config or web.config looks similar to the following. Notice the references to the key file and the CurrentUser protection scope, so the key can be pulled from the DPAPI-protected key file.
<symmetricCryptoProviders>
  <add algorithmType="System.Security.Cryptography.RijndaelManaged, mscorlib..."
       protectedKeyFilename="...Path to Key File..."
       protectedKeyProtectionScope="CurrentUser"
       type="...SymmetricAlgorithmProvider..."
       name="RijndaelManaged" />
</symmetricCryptoProviders>
By using the Cryptographer class that comes with the Cryptography Application Block, encrypting and decrypting is as simple as:
string encryptedContents = Cryptographer.EncryptSymmetric("RijndaelManaged", "creditcardnumber");
string creditCardNumber = Cryptographer.DecryptSymmetric("RijndaelManaged", encryptedContents);
You could do this yourself using the SymmetricCryptoProviderFactory, but I wouldn't :)
using System;
using System.Text;
using Microsoft.Practices.EnterpriseLibrary.Common.Configuration;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

// Get my default RijndaelManaged Provider
// (CreateDefault() requires a default symmetric provider to be set in the
// cryptography configuration section; otherwise use factory.Create("RijndaelManaged"))
IConfigurationSource source = new SystemConfigurationSource();
SymmetricCryptoProviderFactory factory = new SymmetricCryptoProviderFactory(source);
ISymmetricCryptoProvider provider = factory.CreateDefault();

// Encrypt the string: the provider works on bytes, so encode the text first
// and Base64-encode the ciphertext so it can be stored as text
byte[] unencryptedByteArray = Encoding.Unicode.GetBytes("creditcardnumber");
byte[] encryptedByteArray = provider.Encrypt(unencryptedByteArray);
string encryptedText = Convert.ToBase64String(encryptedByteArray);

// Decrypt the string: reverse the same steps with the same encoding
byte[] encryptedByteArray2 = Convert.FromBase64String(encryptedText);
byte[] unencryptedByteArray2 = provider.Decrypt(encryptedByteArray2);
string unencryptedText = Encoding.Unicode.GetString(unencryptedByteArray2);
Clearing Unencrypted Memory Space
Just a note that keeping unencrypted information in memory longer than necessary is a vulnerability. I would avoid using strings (which are immutable and cannot be wiped) and stick with byte arrays. The Cryptography Application Block includes a CryptographyUtility class, used internally, that overwrites unencrypted byte arrays with random bytes after using them:
CryptographyUtility.GetRandomBytes(byte[] bytes);
If you are doing the encryption and decryption yourself, I recommend calling the method above as soon as you are done with the plaintext, so the unencrypted bytes in the array are replaced with random bytes:
CryptographyUtility.GetRandomBytes(unencryptedByteArray);
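As an added example (not code from the article or from Enterprise Library itself) of the byte-array-only pattern recommended above: a small wrapper that encrypts and decrypts with the configured provider and overwrites the plaintext buffer in a finally block, so it is scrubbed even when the code using it throws. It assumes the RijndaelManaged provider named in the config section above and the factory's Create(name) overload; the sample input is constructed.

```csharp
using System;
using System.Text;
using Microsoft.Practices.EnterpriseLibrary.Common.Configuration;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

// Added example: the secret lives only in a byte[], which is overwritten with random
// bytes (CryptographyUtility.GetRandomBytes) as soon as it has been used, even on exceptions.
public static class SecretHandling
{
    // Receives the decrypted bytes; it must not copy them into a string.
    public delegate void PlaintextAction(byte[] plaintext);

    private static ISymmetricCryptoProvider CreateProvider()
    {
        IConfigurationSource source = new SystemConfigurationSource();
        SymmetricCryptoProviderFactory factory = new SymmetricCryptoProviderFactory(source);
        return factory.Create("RijndaelManaged"); // provider name from the config section above
    }

    // Encrypts the secret and scrubs the caller's plaintext buffer before returning.
    public static string Protect(byte[] plaintext)
    {
        try
        {
            return Convert.ToBase64String(CreateProvider().Encrypt(plaintext));
        }
        finally
        {
            CryptographyUtility.GetRandomBytes(plaintext); // plaintext is now random noise
        }
    }

    // Decrypts, hands the bytes to the callback, and scrubs them whether or not it throws.
    public static void UseProtected(string base64Ciphertext, PlaintextAction action)
    {
        byte[] plaintext = CreateProvider().Decrypt(Convert.FromBase64String(base64Ciphertext));
        try { action(plaintext); }
        finally { CryptographyUtility.GetRandomBytes(plaintext); }
    }

    public static void Main()
    {
        byte[] secret = Encoding.Unicode.GetBytes("creditcardnumber"); // constructed sample input
        string stored = Protect(secret);                                // secret[] is noise now
        UseProtected(stored, delegate(byte[] card) { Console.WriteLine("{0} bytes", card.Length); });
    }
}
```

The callback receives the plaintext only for the duration of the call; anything it needs afterwards should be derived from the bytes without converting them to a string.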
Conclusion
Enterprise Library 2.0 has made a complex problem easy with the Cryptography Application Block.