Encryption
Devlord.Utilities includes a port of an unmaintained open-source library called Encryptamajig, as well as a few other encryption tools.
The Crypt class includes a tool for creating a new key, which you can store as a byte array in your source code in order to prevent the encryption key from being exposed in a stack dump.
```csharp
using System.Diagnostics;
using System.Text;
using Devlord.Utilities; // assumed namespace of the Crypt class
using Xunit;

[Fact]
public void MakeNewKeyAsString()
{
    var key = Crypt.MakeKey();
    // Build a C# array initializer, one byte per line, that declares the key.
    var builder = new StringBuilder("var newKey = new byte[]");
    builder.AppendLine("{");
    int lastIndex = key.Length - 1;
    for (int i = 0; i < key.Length; i++)
    {
        builder.Append(" " + key[i]);
        // Elements must be comma-separated; the last one needs no trailing comma.
        if (i != lastIndex)
        {
            builder.Append(',');
        }
        builder.AppendLine();
    }
    builder.AppendLine("};");
    // This should print out a code snippet that you can copy and paste into your
    // own code if you need to. Don't store it in a public repository, though!
    Debug.Write(builder.ToString());
}
```
We're using a wrapper around the AES algorithm, not rolling our own encryption. The original developer made a good list outlining the benefits of using this tool.
When you look at encryption examples online many are verbose, misleading, outdated, or flat out insecure. By creating this project I hope to provide a single resource that myself and others can use to incorporate encryption into their .NET projects.
My goal is to make sure this project uses an up-to-date encryption algorithm and forces appropriate usage of that algorithm.
- Use of the ECB cipher mode. Simply put, ECB is insecure. If you don't believe me, look at the images in this Wikipedia article on the various cipher modes.
- Use of older or less secure algorithms. (Right now this is more of an assumption, I will try and cite specific algorithms to avoid and update this readme)
- Incorrect usage of encryption algorithms and block cipher modes.
- Guess work. Which algorithm do I use, how do I use it, what size should my key be, what size should my IV be, do I need a salt, etc.
- Use of the Rijndael algorithm. While Rijndael is a good algorithm, it's the predecessor to AES. So why not use AES? Read these articles if you want more reasons or if you don't believe me: The Differences Between Rijndael and AES and the MSDN documentation for Rijndael.
The AesEncryptamajig class provides 2 methods: 1 for encrypting and 1 for decrypting. You call both methods with your plain text key, and the data that you want to encrypt/decrypt. After encrypting data for the first time using this library, the salt will be prepended to the ciphertext. When you decrypt the data using this library, the salt is extracted, and the IV (Initialization Vector) is recreated. This way, you don't have to worry about storing the Salt/IV separately.
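As an added example (not code from Devlord.Utilities or Encryptamajig), here is a minimal C# implementation of the layout described above: a random salt is prepended to the ciphertext, and on decryption the salt is split off and used to re-derive the key and IV. The use of PBKDF2 (Rfc2898DeriveBytes), the salt and key sizes and the iteration count are assumptions, not values taken from the library.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration of the salt-prefixed layout described above; not the library's
// own code. Assumes PBKDF2 derives both the AES key and the IV from the password and
// salt; salt length, key size and iteration count are assumed values.
public static class SaltPrefixedAes
{
    private const int SaltSize = 32;        // assumed salt length in bytes
    private const int KeySize = 32;         // AES-256 key
    private const int IvSize = 16;          // AES block size
    private const int Iterations = 100000;  // assumed PBKDF2 iteration count
    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);             // fresh random salt for every message
        byte[] body = Transform(password, salt, plaintext, encrypt: true);
        byte[] output = new byte[SaltSize + body.Length];
        Buffer.BlockCopy(salt, 0, output, 0, SaltSize);           // salt first
        Buffer.BlockCopy(body, 0, output, SaltSize, body.Length);  // then ciphertext
        return output;
    }
    public static byte[] Decrypt(string password, byte[] saltedCiphertext)
    {
        // Anything shorter cannot hold a salt plus one padded AES block.
        if (saltedCiphertext.Length < SaltSize + IvSize)
            throw new CryptographicException("Input too short to be salt + ciphertext.");
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(saltedCiphertext, 0, salt, 0, SaltSize);  // recover the salt
        byte[] body = new byte[saltedCiphertext.Length - SaltSize];
        Buffer.BlockCopy(saltedCiphertext, SaltSize, body, 0, body.Length);
        return Transform(password, salt, body, encrypt: false);
    }
    private static byte[] Transform(string password, byte[] salt, byte[] data, bool encrypt)
    {
        // Same password + same salt reproduces the same key and IV, so only the salt is stored.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = kdf.GetBytes(KeySize);
            aes.IV = kdf.GetBytes(IvSize);
            using (var xform = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
                return xform.TransformFinalBlock(data, 0, data.Length);
        }
    }
}
```

`Decrypt(pw, Encrypt(pw, data))` returns `data`; like the scheme described on this page, the layout carries no integrity tag, so a modified ciphertext is noticed only when the padding happens to fail.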
Make sure you are storing your key someplace safe. If you're writing a web application, you can store the Key in the Web.Config, but make sure you encrypt the Web.Config.