Welcome to the NCrypto home page
So you need some crypto stuff (easy to use and ready for shipping) and don’t have enough time or interest in learning and writing all that crypto code? If this is your scenario, this article might be for you. I have seen a lot of people asking how to use some of the common cryptographic primitives (encryption, hashing, signing, etc.). To help them I have written these classes, which contain all the named primitives plus a bunch of handy functions to protect in-memory data, gather user credentials from the UI, and many other nice-to-have functions. It’s important to note that these classes are essentially wrappers around the methods found in the Cryptography namespace of the .NET Framework security classes. The real value added by this wrapper is basically all the implementation “best practices” gathered from several well-known sources, such as the ones listed at the end of this page.
Downloads
You can download the last version of this library as well as all the documentation from here:
You can find more related and useful information on my weblog or on my employer’s web site
Usage
One of the main goals of these classes is to be very simple to use and understand. Here is the easiest function overload for encrypting a string.
// Use ProtectedData.Protect method (DPAPI)
string cipherText = CryptoHelper.Encrypt( "InputData" );
You are probably wondering where the password or encryption key is. This overload uses the ProtectedData class, which in turn calls a DPAPI (Data Protection API) function that performs the actual encryption. DPAPI is particularly useful in that it can eliminate the key management problem faced by applications that use cryptography: the key is derived by Windows from the user’s (or machine’s) credentials and is never handled by the application. This method returns the encrypted data encoded in Base64 to make things easier when you need to handle binary data as strings. Other methods, like the ones that compute a hash, return strings encoded in hexadecimal, the usual encoding for those operations. There are many more overloads that operate on byte arrays as well. The CryptoHelper class provides methods for encryption and decryption, hashing operations, digital signature and verification, and random number generation. The following table gives a brief summary of each class (extracted from the Reference help included in the download).
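The DPAPI path just described, written out as an added illustration (this is not NCrypto’s own code; the class and method names are assumed). It shows the two choices the CryptoHelper overload hides: the protection scope and the optional extra entropy.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Windows only. On .NET Framework ProtectedData lives in System.Security.dll;
// on .NET Core / .NET 5+ add the System.Security.Cryptography.ProtectedData package.
public static class DpapiExample
{
    // Optional entropy is a second secret mixed into the DPAPI protection. Without it,
    // any process running under the same Windows user can call Unprotect on the blob.
    // A constant in source is only for illustration; real code keeps it out of the binary.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-app-entropy");

    public static string Encrypt(string plainText)
    {
        if (plainText == null) throw new ArgumentNullException(nameof(plainText));
        // CurrentUser: only the same user account (and roaming profile) can decrypt.
        // LocalMachine: any process on this machine can decrypt; use only when you must.
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plainText), Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(cipher);   // Base64, like the page's Encrypt overload
    }

    public static string Decrypt(string base64CipherText)
    {
        if (base64CipherText == null) throw new ArgumentNullException(nameof(base64CipherText));
        // Throws CryptographicException when called under a different user or with other entropy.
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64CipherText), Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        string blob = Encrypt("InputData");
        Console.WriteLine(blob);            // opaque DPAPI blob, different on every call
        Console.WriteLine(Decrypt(blob));   // round-trips only under the same Windows user
    }
}
```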
Class | Description
(class name missing) | Provides static methods that supply helper utilities for accessing cryptographic primitives. This class cannot be inherited.
(class name missing) | This class implements access to the DPAPI library.
(class name missing) | Encrypts memory to protect sensitive information. (Only works on Windows XP and Windows 2003 or later.)
(class name missing) | This class provides access to a feature of Windows XP and Windows Server 2003 called "Stored User Names and Passwords", which associates a set of credentials with a single Windows user account, storing those credentials using the Data Protection API (DPAPI) (see the ProtectedData class). This class cannot be inherited.
(class name missing) | Common helper methods.
WinAccessHelper | Provides static methods that supply helper methods for Windows account authentication and authorization.
CryptographicPermission | This class is the custom permission implementation used to authorize cryptographic operations with restricted access.
CryptographicPermissionAttribute | Allows security actions for CryptographicPermission to be applied to code using declarative security.
Making it “industry strength”
It’s important to note that these classes are intended to be a shippable piece of code as well as easy to use and understand. Let’s see which features make these samples “plug ’n play” code. Here is a list of things that are already done for you inside each public method.
· Parameter checking and error handling
o Parameters are tested for validity (null checks, and range checks where applicable).
o Try/finally blocks are used to release resources if something goes wrong.
· Random salt and IV generation and storage
o When deriving a key from a given password (see the DerivedKey internal class), a random salt is created in order to mitigate dictionary attacks against the derived key.
o The salt used to derive the key from the user-provided password is stored together with the encrypted data (the salt is not a secret), so that it can be retrieved later and used for decryption.
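The “salt and IV stored with the ciphertext” layout described in the list above, as an added example (not NCrypto’s code; the class name PasswordCrypto, the blob layout and the PBKDF2 parameters are my assumptions). Like the library it illustrates, it uses AES-CBC without a MAC, so it does not detect tampering; where available, an authenticated mode such as AES-GCM is the better choice.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Blob layout (assumed): [16-byte salt][16-byte IV][AES-CBC ciphertext], returned as Base64.
public static class PasswordCrypto
{
    private const int SaltSize = 16, IvSize = 16, KeySize = 32, Iterations = 100000;
    public static string Encrypt(string plainText, string password)
    {
        if (plainText == null) throw new ArgumentNullException(nameof(plainText));
        if (string.IsNullOrEmpty(password)) throw new ArgumentException("Password required.", nameof(password));
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);   // fresh salt per call
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())   // CBC mode with PKCS7 padding by default
        {
            aes.Key = kdf.GetBytes(KeySize);
            aes.GenerateIV();            // fresh IV per call; never reuse an IV under the same key
            byte[] input = Encoding.UTF8.GetBytes(plainText);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor()) cipher = enc.TransformFinalBlock(input, 0, input.Length);
            byte[] blob = new byte[SaltSize + IvSize + cipher.Length];
            Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);                 // salt is public: store it
            Buffer.BlockCopy(aes.IV, 0, blob, SaltSize, IvSize);          // IV is public: store it
            Buffer.BlockCopy(cipher, 0, blob, SaltSize + IvSize, cipher.Length);
            return Convert.ToBase64String(blob);
        }
    }
    public static string Decrypt(string base64Blob, string password)
    {
        if (base64Blob == null) throw new ArgumentNullException(nameof(base64Blob));
        if (string.IsNullOrEmpty(password)) throw new ArgumentException("Password required.", nameof(password));
        byte[] blob = Convert.FromBase64String(base64Blob);
        // Smallest valid blob: salt + IV + one padded AES block.
        if (blob.Length < SaltSize + IvSize + 16) throw new CryptographicException("Blob too short.");
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize);
        // Re-derive the key from the stored salt, then decrypt with the stored IV.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(kdf.GetBytes(KeySize), iv))
        {
            // A wrong password usually surfaces here as a padding CryptographicException.
            byte[] plain = dec.TransformFinalBlock(blob, SaltSize + IvSize, blob.Length - SaltSize - IvSize);
            return Encoding.UTF8.GetString(plain);
        }
    }
}
```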
Code Access Security Note
The sample library provided (Cryptography.dll) is strong-named and allows partially trusted callers. To call this library from partially trusted callers, follow these steps:
Intranet:
OutputPath = \\MACHINENAME\C$\...\bin\Debug\
Internet:
OutputPath = \\127.0.0.1\C$\...\bin\Debug\
(Complete the “...” with the rest of the path where your project resides.)
For further info about running partially trusted code, see:
If you need better support for X509 certificates, you can find it in these two excellent free libraries: the Security Library from Mentalis (source code included), or WSE 2.0, which you can download from here (sorry, no source code).
There is a sample application, “TestX509Certificates”, that uses WSE 2.0 to show how to sign data with the X509Certificate class.
Further Additional Info:
Here are some useful links and my recommended books.
- Code Access Security
http://msdn.microsoft.com/msdnmag/issues/01/02/CAS/default.aspx
- Strong Names:
(Protecting the private key) http://msdn.microsoft.com/netframework/?pull=/library/en-us/dnnetsec/html/strongNames.asp
- APTCA: