4

I'm not asking for a tutorial with code, I'm trying to do the research, but I want to make sure I'm asking the right questions.

  • What's the best form of encryption I can use out of the box with .NET?
  • Public/Private key, where do I store these things securely?
  • What tools should I have in order to do this properly?

I started off with an AesCryptoServiceProvider, encrypted a string I passed in, and I was happy. I tested that if I called it twice it would come out with the same value. Then I realized I hadn't provided any form of key, so a second run of the app yielded different results. So I began reading up, seeing RSA public/private keys etc. etc., and I just want to make sure I'm going down the right path with the reading I'm doing. There are tons of examples out there, but few mention where you put these keys or where you even get them from.

Bruno
tbddeveloper

3 Answers

2

There are a lot of cryptological functions in System.Security.Cryptography.

They have hashes, crypts, streams, and a lot more.

The RSA provider is a good one. As for storing the constants securely, I can only suggest storing them encrypted in the solution. You shouldn't be able to read them from the source, so there needs to be some kind of security after the assembly has been built. Maybe obfuscation, maybe something else. As for generating the key, do not use your own system, or any development system I guess.

EDIT:
To generate keys you had better use either user input, for example, just create a little application that calculates the time it takes to type a certain piece of text, per letter.

Or use an HRNG/TRNG: a Hardware Random Number Generator (uses input from the actual world, retrieved through sensors), or a True Random Number Generator, basically also an HRNG, but mostly with other forms of input, very advanced.
RANDOM.ORG should be able to help you out.

If it's not that extremely important, just go smack your head against your keyboard, and see the results :).

Aidiakapi
  • Is it acceptable to store them unencrypted in a file outside of the application but in a path that no user of that system should reach? I noticed someone using the MSEnterprise library recently and they have a tool for generating keys and it seems like they store them in there. – tbddeveloper Mar 13 '11 at 16:16
  • Well, when it comes to security, it's not a matter if a system is crackable, or cheatable, because it is. The only thing that really matters, is what audience you have, and how much effort you want to put in securing. For a little tool of mine, I just stored something with an MD5 checksum of some pieces of data, if the checksum was wrong it wouldn't run. So everybody could easily crack it, but since there's no interest in doing so, it's enough. If security is very important, you might want to store the key there, and use for example an encryption for it, and add or scatter a hash through it. – Aidiakapi Mar 13 '11 at 16:24
  • What use would random.org be? You can't use it for crypto since you get the random number from an untrusted source. – CodesInChaos Mar 17 '11 at 11:28
  • @CodeInChaos First of all, I doubt RANDOM.ORG is an untrusted source, second of all, it creates almost true random numbers (random doesn't exist), third of all, even if they keep track of it, no normal person has access to it, and they wouldn't know what you use it for. Fourth of all, if you're suspicious about it, you can always add another random number from either another site, or a pseudo random number from a seed you just bash in with your head. So honestly, it's more secure than any PRNG. – Aidiakapi Mar 17 '11 at 11:32
  • Thanks for the addition, that helped a lot. – tbddeveloper Mar 17 '11 at 11:39
  • I believe a typical PRNG seeded with local entropy sources is more secure than using any such service. – CodesInChaos Mar 17 '11 at 11:40
  • Yep, could be, but getting good sources isn't so secure, next to that, it's a university project, they mostly are kinda reliable. – Aidiakapi Mar 17 '11 at 12:24
2

Go for AES. Stack Overflow already has a wonderful implementation of AES Algorithm as an answer.

Community
naveen
0

Regarding "Public/Private key, where do I store these things securely?", I recommend that you do not re-invent the wheel. Microsoft has already spent a great deal of effort to build, and is actively maintaining and (hopefully) improving, infrastructure to store private keys: https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778%28v=vs.85%29.aspx. You can use the native key storage.

Jim Flood
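
An added example, not taken from any of the answers above: one way to use the native Windows key storage that the last answer points to, keeping an RSA key pair in CNG under a name and using it to wrap the random AES key that `Aes.Create()` generates for each instance. It assumes Windows with .NET Framework 4.6 or later; the key name `ExampleApp.KeyWrappingKey` and the sample text are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyStorageExample
{
    const string KeyName = "ExampleApp.KeyWrappingKey"; // hypothetical name

    // Open the persisted RSA key pair, creating it on first run. The private
    // key is held by the Windows key storage provider, not by the application.
    static RSACng OpenOrCreateRsa()
    {
        var p = new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.None };
        p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048),
                                         CngPropertyOptions.None));
        using (CngKey key = CngKey.Exists(KeyName)
                   ? CngKey.Open(KeyName)
                   : CngKey.Create(CngAlgorithm.Rsa, KeyName, p))
            return new RSACng(key); // RSACng keeps its own handle to the key
    }

    static void Main()
    {
        byte[] wrappedKey, iv, ciphertext;
        // Encrypt: Aes.Create() generates a fresh random Key and IV per instance,
        // so the key must be kept (here: wrapped with RSA) to decrypt later.
        using (RSACng rsa = OpenOrCreateRsa())
        using (Aes aes = Aes.Create())
        using (ICryptoTransform enc = aes.CreateEncryptor())
        {
            byte[] plain = Encoding.UTF8.GetBytes("constructed sample text");
            ciphertext = enc.TransformFinalBlock(plain, 0, plain.Length);
            wrappedKey = rsa.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
            iv = aes.IV;
        }

        // Decrypt (e.g. on a later run): unwrap the AES key with the stored key.
        using (RSACng rsa = OpenOrCreateRsa())
        using (Aes aes = Aes.Create())
        {
            aes.Key = rsa.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                Console.WriteLine(Encoding.UTF8.GetString(plain));
            }
        }
    }
}
```

The AES step uses the default CBC mode with no integrity check; add an HMAC over the IV and ciphertext, or use an authenticated mode, before relying on it for stored data.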