Designing for Simplified Cryptography Functionality
| Retired Content |
|---|
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
| The latest Enterprise Library information can be found at the Enterprise Library site. |
Cryptography in applications can be implemented in many ways. Typically, developers must duplicate code to perform common tasks. To meet the needs of their organization, they may have to familiarize themselves with many different ways of implementing cryptography. The Cryptography Application Block is designed to simplify and abstract the implementation of cryptography in applications.
Design Implications
Ensuring that the application block simplifies the task of accessing cryptography functionality resulted in the following design decisions:
- It should expose only a small number of methods that a developer would need to understand.
- It should accept and return data using consistent data types.
- It should support common algorithms.
The following subtopics describe these decisions.
Small Number of Methods
The application block supports a small number of methods that simplify the most common cryptography tasks. It provides a Cryptographer class and the corresponding non-static CryptographyManager façade (for use with the Unity Application Block) that define the set of static methods the application block supports. These methods include the following:
- CreateHash
- CompareHash
- EncryptSymmetric
- DecryptSymmetric
Consistent Data Types
Each public method has two overloads. One overload accepts parameters as type string; the other overload accepts the parameters as a byte array. For example, the following code shows the two overloads for the CreateHash method
public static byte[] CreateHash(string hashInstance, byte[] plainText)
public static string CreateHash(string hashInstance, string plaintext)
'Usage
Public Shared Function CreateHash(ByVal hashInstance As String, ByVal plainText As Byte()) As Byte()
Public Shared Function CreateHash(ByVal hashInstance As String, ByVal plainText As String) As String
Common Algorithms
The Cryptography Application Block includes two implementations of symmetric providers. The DpapiSymmetricCryptoProvider uses DPAPI to provide cryptography services. Developers can use the SymmetricAlgorithmProvider to select and configure symmetric algorithms included with the .NET Framework.
The Cryptography Application Block includes two implementations of hash providers. The KeyedHashAlgorithmProvider allows developers to configure hash algorithms included with the .NET Framework that require a generated key. The HashAlgorithmProvider allows developers to configure hash algorithms that do not require a generated key. Both providers allow the developer to ensure that a random string (known as a salt value) is generated and pre-pended to the plaintext before hashing. Consider using salt values for storing passwords, because they dramatically slow dictionary attacks as each entry in the dictionary must be hashed with each salt value.
Note
SHA256Managed is the recommended hash algorithm; the SHA1Managed algorithm is still acceptable but not encouraged. The MD4 and MD5 algorithms are not recommended. For symmetric encryption, AES (such as Rijndael) is currently recommended; DES is no longer recommended.