In this article I will explain the classes and code necessary to put encryption to work in your applications. I will also explain the basic principles of operation of these classes and point out several pitfalls to avoid.
In today's hostile, interconnected computing environment, we often find the need to protect data while it is stored on a physical medium or transmitted over a network. To achieve this goal, we turn to cryptography. While the field of cryptography entails much more, in this article we will focus on encryption; specifically the ciphers available in the .NET Framework Class Library (FCL) and how to correctly utilize them.
There exists a group of developers who approach the subject of cryptography with a cavalier attitude, who think they can wave the wand of cryptography at their applications and make them secure. This group of developers mistakenly believes that applying cryptography is fool-proof and rests secure in the fact that their applications utilize "128-bit encryption" or comply with some other such buzzword. I hope that this article will awaken this group to the many pitfalls and subtleties that can silently render your crypto system easily attackable.
While the application of encryption technologies to applications is a subject that must be approached with a modicum of care and understanding, the FCL has made excellent cryptographic technologies more accessible than ever, though there are still a number of principles that must be adhered to and pitfalls to be avoided.
Why use the FCL classes? Can't I just "roll my own"?
Although there are several reasons why you shouldn't do this, I'll just state the primary reason: You'll get it wrong. While the application of standard, public, seasoned algorithms is relatively simple and accessible to the common developer, the design of the cryptographic algorithms themselves is extraordinarily difficult and is best left to the elite of the field. While the output of your cipher may look completely secure to you, a skilled cryptanalyst can likely easily find many weaknesses, such as simple algebraic relationships between input, output and key. The tiniest weakness can reveal information about the plaintext or, worse yet, the key. Unless you happen to be an elite cryptographer, stick with standard, public, seasoned algorithms and proven implementations.
This article was originally published at DotNetDevs.com