Mixing asymmetric and symmetric encryption, HMAC hash verification and digital signatures in .NET

November 24, 2016 Leave a comment

Introduction

In this post we built a test application where we mixed asymmetric and symmetric encryption with HMAC hash verification. The message sender gets the asymmetric public key of the receiver and uses it to encrypt a symmetric public key. The message is encrypted with a one-time symmetric public key. The symmetric key is also used to calculate the HMAC of the cipher text. The receiver decrypts the symmetric key with her asymmetric private key and calculates the HMAC. If the hashes match then it’s safe to assume that the message hasn’t been tampered with on its way to the sender.

The communication flow is quite secure but we can tighten security even more. In this post we learnt about digital signatures. A digital signature is used to sign the hash of a message with the sender’s private key. The public key that matches the private signature key is sent along all other information to the sender. The sender can then check the validity of the signature using the provided public key. The trust is based on the fact that the public and private keys go hand in hand, therefore signature verification doesn’t need the private key.

The goal of this post is to extend the demo application with digital signatures. The sender will sign the message and the receiver will verify the validity of the signature.

Read more of this post

Filed under .NET, Security Tagged with , , , ,

How to calculate the message digest in Java

November 19, 2016 Leave a comment

A message digest is an important concept in cryptography. A digest is an array of bytes created by a hashing formula. It is used to make sure that some digital information has not been tampered with. In a sense it is a footprint of an object, such as a file. If someone modifies the file then the footprint also changes. Then we know that the file has been changed. Another word for a message digest is checksum. There are various hashing algorithms to perform the calculation. SHA-256 and MD5 are the most common ones.

For an example you can check out the Apacha log4j2 download page here. You’ll see a column called “checksum” for various files. If you click on one of those you’ll see the MD5 hash of the file in a relatively human readable form, such as “31826c19fff94790957d798cb1caf29a”.

Java and other popular programming languages have built-in classes to construct a message digest. Let’s see an example from Java.

Read more of this post

Filed under Java, Security Tagged with ,

An overview of digital signatures in .NET

November 17, 2016 Leave a comment

Introduction

A digital signature in software has about the same role as a real signature on a document. It proves that a certain person has signed the document thereby authenticating it. A signature increases security around a document for both parties involved, i.e. the one who signed the document – the signee – and the one that uses the document afterwards. The one who signed can claim that the document belongs to them, i.e. it originates from them and cannot be used by another person. If you sign a bank loan request then you should receive the loan and not someone else. Also, the party that takes the document for further processing can be sure that it really originates from the person who signed it. The signee cannot claim that the signature belongs to some other person and they have nothing to do with the document. This latter is called non-repudiation. The signee cannot deny that the document originates from him or her.

Digital signatures in software are used to enhance messaging security. The receiver must be able to know for sure that the message originated with one specific sender and that the sender cannot claim that it was someone else who sent the message. While it is quite possible to copy someone’s signature on a paper document it is much harder to forge a strong digital signature.

In this post we’ll review how digital signatures are implemented in .NET

Read more of this post

Filed under .NET, Security Tagged with , , ,

Mixing asymmetric and symmetric encryption with HMAC hash verification .NET

November 15, 2016 2 Comments

Introduction

In this post we looked at how to combine symmetric and asymmetric encryption in the same project to increase messaging security. Symmetric encrypt is quick but has the problem of distributing the public key. Asymmetric encryption solves the public key distribution issue but is in turn a lot slower. We can combine the two techniques where a one-time symmetric public key, also called a session key, is encrypted with the asymmetric public key so that it can be decrypted by the receiver who has access to the asymmetric private key.

The solution is OK so far, it is very difficult to find the right keys involved. Still we can do better and add some message verification. We want to be sure that the message hasn’t been tampered with on its way to us. The sender can hash the encrypted message and send it along with the other necessary properties to the receiver. The receiver can compute the hash on their side and verify whether the two are equal. We looked at a couple of hashing techniques in this post but those do not involve any cryptographic key. That means that an attacker can change the message, recalculate the hash and attach it to the message. The password-salted hash algorithm HMAC sounds like a better option. We looked at HMACs in .NET in this post and we’ll reuse what we learnt there.

The goal of this post is to build upon the mixed encryption demo solution we built previously and add HMAC hashing to the picture.

Read more of this post

Filed under .NET, Security Tagged with , ,

Waiting for background tasks to finish using the CountDownLatch class in Java

November 5, 2016 Leave a comment

Imagine the situation where you execute a number of long running methods. Also, let’s say that the very last time consuming process depends on the previous processes, let’s call them prerequisites. The dependence is “sequential” meaning that the final stage should only run if the prerequisites have completed and returned. The first implementation may very well be sequential where the long running methods are called one after the other and each of them blocks the main thread.

However, in case the prerequisites can be executed independently then there’s a much better solution: we can execute them in parallel instead. Independence in this case means that prerequisite A doesn’t need any return value from prerequisite B in which case parallel execution of A and B is not an option.

In this post we’ll examine this situation and see how to implement it in Java using the CountDownLatch class.

Read more of this post

Filed under Async/Parallelism, Java Tagged with , , ,

Mixing asymmetric and symmetric encryption in .NET part II

November 3, 2016 2 Comments

Introduction

In the previous post we started working on a mixed encryption demo project. The goal is to show how the benefits of symmetric and asymmetric encryption can be used in a single encryption-decryption flow. Symmetric encryption is fast but key distribution is problematic. Asymmetric encryption solves the key distribution problem but is on the other hand slow. Fortunately we can use both at the same time for increased security.

Previously we built the encryption service components: the interfaces and their implementations. Now it’s time to connect them.

Read more of this post

Filed under .NET, Security Tagged with , ,

Mixing asymmetric and symmetric encryption in .NET part I

November 2, 2016 1 Comment

Introduction

In this post we briefly went through symmetric encryption in .NET. We know that symmetric encryption requires a single cryptographic key for both encryption and decryption. The AES standard is the most widely used symmetric encryption and generally it’s very difficult to guess the right key for an attacker. Symmetric encryption is fast but key distribution is problematic since all parties involved in the encryption process must have access to it. If it is compromised then it can be difficult to revoke it and let all legitimate parties that things have gone wrong.

This post on the other hand discussed asymmetric encryption. With asymmetric encryption we don’t have a single key but a key-pair: a public and a private key that belong together. This means that they depend on each other. However, the private key cannot be derived from the public key. The public key can be distributed to anyone who wants to send us an encrypted message. We then decrypt the cipher text with our private key. The private key must stay with us. It can be stored as an XML string in a file or a database. Alternatively we can store it in the Windows key store. The most common implementation is the RSA standard. Therefore asymmetric encryption solves the key distribution problem. On the other hand asymmetric encryption is slow as it involves some very complex mathematical computations. Therefore it is not really a good option if long strings need to be encrypted or if data encryption is heavily used by an application even for short strings.

This is where mixed or hybrid encryption enters the picture which brings together the best of both worlds: the speed of symmetric encryption and increased security of asymmetric encryption. This is the topic of the present and the next post.

Read more of this post

Filed under .NET, Security Tagged with , ,

How to store the asymmetric keys in the Windows key store with C#

October 26, 2016 6 Comments

Introduction

In this post we briefly looked through asymmetric encryption in .NET. This encryption type requires two keys as opposed to symmetric encryption where the same key is used for encryption and decryption. In asymmetric encryption we have a public and a private key. The public key can be distributed so that other people can encrypt their messages to us. Then we use our private key to decrypt the ciphertext and read the original message. Therefore we don’t have to worry about the public key getting into the wrong hands. On the other hand asymmetric encryption is significantly slower than symmetric encryption due to the higher mathematical complexity.

In the post referenced above we saw how to store the asymmetric key-pair in an XML string. You can save this string in a file or database for later retrieval. There’s at least one more option for storage which is the cryptographic key store on Windows. We’ll go through how to use it in this post.

Read more of this post

Filed under .NET, Security Tagged with , ,

Overview of asymmetric encryption in .NET

October 25, 2016 1 Comment

Introduction

Asymmetric encryption is based on a pair of cryptographic keys. One of the keys is public, i.e. anyone can have access to it. The other key is private which should be kept secret. The keys are complementary which means that they go hand in hand, they are not independent of each other. If a value is calculated as the public key then the private key cannot be calculated independently otherwise the encryption process will fail. Normally the public key is used to encrypt a message and the private key is there for the decryption process but they can be used in the opposite direction as well. Asymmetric algorithms are also called Public Key Cryptography.

The most important advantage of asymmetric over symmetric encryption is that we don’t need to worry about distributing the public key. The key used in symmetric encryption must be known to all parties taking part in the encryption/decryption process which increases the chances of the key landing in the wrong hands. With asymmetric encryption we only need to worry about storing the private key, the public key can be freely distributed. For a hacker it is not practical to attempt to calculate the private key based on the public key, that is close to impossible to achieve.

However, asymmetric encryption is a very complex mathematical process which is a lot slower than symmetric encryption. Also, storing the private key can still be problematic.

Read more of this post

Filed under .NET, Security Tagged with , ,

Overview of symmetric encryption in .NET

October 21, 2016 3 Comments

Introduction

A symmetric encryption algorithm is one where the cryptographic key is the same for both encryption and decryption and is shared among the parties involved in the process.

Ideally only a small group of reliable people should have access to this key. Attackers decipher an encrypted message rather than trying to defeat the algorithm itself. The key can vary in size so the attacker will need to know this first. Once they know this then they will try combinations of possible key characters.

A clear disadvantage with this approach is that distributing and storing keys in a safe and reliable manner is difficult. On the other hand symmetric algorithms are fast.

In this short overview we’ll look at the symmetric encryption algorithms currently supported in .NET.

Read more of this post

Filed under .NET, Security Tagged with , ,

Older posts

Newer posts

Elliot Balynn's Blog

A directory of wonderful thoughts

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

WEB APPLICATION DEVELOPMENT TUTORIALS WITH OPEN-SOURCE PROJECTS

Once Upon a Camayoc

Bite-size insight on Cyber Security for the not too technical.

%d bloggers like this: