How to store the asymmetric keys in the Windows key store with C#

Introduction

In this post we briefly looked through asymmetric encryption in .NET. This encryption type requires two keys as opposed to symmetric encryption where the same key is used for encryption and decryption. In asymmetric encryption we have a public and a private key. The public key can be distributed so that other people can encrypt their messages to us. Then we use our private key to decrypt the ciphertext and read the original message. Therefore we don’t have to worry about the public key getting into the wrong hands. On the other hand asymmetric encryption is significantly slower than symmetric encryption due to the higher mathematical complexity.

In the post referenced above we saw how to store the asymmetric key-pair in an XML string. You can save this string in a file or database for later retrieval. There’s at least one more option for storage which is the cryptographic key store on Windows. We’ll go through how to use it in this post.

Read more of this post

Overview of asymmetric encryption in .NET

Introduction

Asymmetric encryption is based on a pair of cryptographic keys. One of the keys is public, i.e. anyone can have access to it. The other key is private which should be kept secret. The keys are complementary which means that they go hand in hand, they are not independent of each other. If a value is calculated as the public key then the private key cannot be calculated independently otherwise the encryption process will fail. Normally the public key is used to encrypt a message and the private key is there for the decryption process but they can be used in the opposite direction as well. Asymmetric algorithms are also called Public Key Cryptography.

The most important advantage of asymmetric over symmetric encryption is that we don’t need to worry about distributing the public key. The key used in symmetric encryption must be known to all parties taking part in the encryption/decryption process which increases the chances of the key landing in the wrong hands. With asymmetric encryption we only need to worry about storing the private key, the public key can be freely distributed. For a hacker it is not practical to attempt to calculate the private key based on the public key, that is close to impossible to achieve.

However, asymmetric encryption is a very complex mathematical process which is a lot slower than symmetric encryption. Also, storing the private key can still be problematic.

Read more of this post

Overview of symmetric encryption in .NET

Introduction

A symmetric encryption algorithm is one where the cryptographic key is the same for both encryption and decryption and is shared among the parties involved in the process.

Ideally only a small group of reliable people should have access to this key. Attackers decipher an encrypted message rather than trying to defeat the algorithm itself. The key can vary in size so the attacker will need to know this first. Once they know this then they will try combinations of possible key characters.

A clear disadvantage with this approach is that distributing and storing keys in a safe and reliable manner is difficult. On the other hand symmetric algorithms are fast.

In this short overview we’ll look at the symmetric encryption algorithms currently supported in .NET.

Read more of this post

Hashing passwords with a password based key derivation function in .NET

In this post we saw a basic hashing technique using a password and a salt. We added an extra random set of bytes to the password and hashed the combined byte array instead of just the password bytes. We can store the salt along with the hash in our database. The main purpose of adding a salt to the password is to increase its entropy which more or less means randomness.

Hashing the password with an extra salt like that may still not be as secure as we think it is. The processing power of today’s fast computers and the increasing size of available rainbow tables keep pushing the limits of what’s available to crack with brute force attacks. One way to increase the difficulty of cracking a password is to keep hashing its hash in an iterative manner. Password-based key derivation functions help us achieve that and we’ll see an example of their usage in this post.

Read more of this post

How to hash passwords with a salt in .NET

In this post we learnt about using hashing in .NET. We also saw one of its basic functions in the same post which is message verification. In this post we saw how hashing coupled with a random key can be used for message authentication.

We also mentioned another common usage of hashing which is password storage. A password should never be stored as clear text in your system. Instead we save its hash value and when a user enters a password in a login field then we compare the hashed values instead of the plain string passwords. However, a simple one-way hash is generally still not good enough.

Read more of this post

Using HMACs to authenticate a hash in .NET

In this post we learnt about using hashing in .NET. Hashes provide a one-way encryption of a message where the hash value ideally cannot be “unhashed”, i.e. we cannot build the original string from it. A hash or message digest helps us verify whether the message has been tampered with by a third party after it was sent to us.

We can take a step further and add an extra layer of security on our hashes. After all a message and its hash could originate from anyone. How can we verify the authenticity of the message as well? That’s where Hashed Message Authentication Codes, also called HashMACs or HMACs enter the picture.

Read more of this post

Generate truly random cryptographic keys using a random number generator in .NET

The well-known System.Random class lets us generate random numbers quickly. However, the values provided by System.Random are not truly random. Instead, they are pseudo-random. The return values should only be used in case true randomness is not that important, such as in the classic number-guessing game. In case you need a random value to be used in cryptography such as a cryptographic key in symmetric and asymmetric encryption then System.Random is not an acceptable option.

Read more of this post

How to calculate the message digest in Java

A message digest is an important concept in cryptography. A digest is an array of bytes created by a hashing formula. It is used to make sure that some digital information has not been tampered with. In a sense it is a footprint of an object, such as a file. If someone modifies the file then the footprint also changes. Then we know that the file has been changed. Another word for a message digest is checksum. There are various hashing algorithms to perform the calculation. SHA-256 and MD5 are the most common ones.

For an example you can check out the Apacha log4j2 download page here. You’ll see a column called “checksum” for various files. If you click on one of those you’ll see the MD5 hash of the file in a relatively human readable form, such as “31826c19fff94790957d798cb1caf29a”.

Java and other popular programming languages have built-in classes to construct a message digest. Let’s see an example from Java.

Say we have a file called data.txt in the C:\Tmp folder. Data.txt contains a single line “Hello world”. The following code snippet will build the message digest of the file:

try
{
    FileInputStream inputStream = new FileInputStream(new File("c:\\Tmp\\data.txt"));
    MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
    try (DigestInputStream digestInputStream = new DigestInputStream(inputStream, sha256))
    {
        while (digestInputStream.read() != -1)
        {
            //do nothing, let the digest stream go through the file input stream
        }
    }
    byte[] checksum = sha256.digest();

    System.out.println(DatatypeConverter.printBase64Binary(checksum));
    System.out.println(DatatypeConverter.printHexBinary(checksum));

}
catch (NoSuchAlgorithmException | IOException exception)
{
    System.err.println(exception.getMessage());
}

We ask the SHA-256 hashing algorithm to hash the file using DigestInputStream. We let the digest input stream read in the byte content of the file. We finally print the digest in two different forms: a base 64 and a hexadecimal string. My data.txt file gives the following checksums:

ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=
64EC88CA00B268E5BA1A35678A1B5316D212F4F366B2477232534A8AECA37F3C

We can also look at the MD5 checksum like on the references Apache download page. Just replace the “SHA-256” string with “MD5”. The same sample file yields the following values:

PiWWCnnbxptnTNTsZ6csYg==
3E25960A79DBC69B674CD4EC67A72C62

View all posts related to Java here.

How to convert a plain string into a secure string with C#

A SecureString is a confidential piece of information that is erased from memory when not in use anymore. You can use this object if you need to pass around things like passwords and PIN codes that should be protected while in use.

Read more of this post

Using client certificates in .NET part 9: working with client certificates in OWIN/Katana III

Introduction

In the previous post we added a couple of components necessary to add client certificate authentication into the OWIN middleware chain. We haven’t yet put the elements to work though. That is the main topic of this post which will finish this series. We’ll also run a couple of tests.

Have the demo application open in Visual Studio in administrator mode.

Read more of this post

Elliot Balynn's Blog

A directory of wonderful thoughts

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

WEB APPLICATION DEVELOPMENT TUTORIALS WITH OPEN-SOURCE PROJECTS

Once Upon a Camayoc

Bite-size insight on Cyber Security for the not too technical.

%d bloggers like this: