Cryptography in ASP.net
With the growth of web applications, especially in e-commerce, securing information transferred over the internet has become more and more important. Cryptography is widely used to protect sensitive data: to protect authentication information, to encrypt secret data, and to assure the receiver of the origin and integrity of the data being transferred.
Cryptography is usually applied in three ways:
- Secret Key (symmetric) Cryptography (SKC): the same secret key is used both to encrypt and to decrypt the data, so every party that can decrypt can also forge.
- Public Key (asymmetric) Cryptography (PKC): a pair of keys is used. The public key encrypts and only the matching private key decrypts; for signatures the roles are reversed, with the private key signing and the public key verifying.
- Hash functions: a one-way mathematical function maps data of any length to a fixed-length digest. A hash is not ciphertext: there is no key, and the original data cannot be recovered from the digest, which is what makes hashes useful for integrity checks and password storage. Note that a hash alone does not stop tampering, because anyone can recompute it; for that a keyed hash (MAC) or a signature is needed.
ASP.NET applications are no exception. Cryptography is used in several ways to secure them:
- ASP.NET Web Forms use ViewState to preserve the state of server controls when a page is sent to the client browser. ViewState is only Base64-encoded, so if it carries sensitive information an attacker who opens it on the client machine can read it, and if it can be modified the attacker can inject values that the application will trust on postback. For that reason ASP.NET appends a keyed hash to the ViewState (a MAC computed with the machineKey validationKey) so that any tampering is detected when the page is posted back; a plain unkeyed hash would not help, since the attacker could simply recompute it. Encrypting the ViewState contents is a separate setting (ViewStateEncryptionMode) and is not applied unless it is configured or a control requests it.
- ASP.NET uses web.config to store the application's configuration, which can include database connection strings or even an administrator's username and password. It is a serious problem if an attacker can by some means get access to the file and read this information. Fortunately, from ASP.NET 1.1 these values can be moved out of web.config with the aspnet_setreg utility, which stores them in the registry encrypted with the Win32 API function CryptProtectData (DPAPI); web.config then holds only a reference to the registry key.
- ASP.NET web applications normally store authentication information in an authentication cookie (the Forms authentication ticket). If that data could be changed, an attacker could alter the user name or role information and reach protected parts or functions of the site without authenticating properly. That is why the ticket is encrypted with a symmetric algorithm (DES/3DES in early versions; later versions default to AES) and also carries a MAC, both keyed from the machineKey settings, so the client can neither read it nor forge it.
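The ViewState and authentication-cookie protections above come down to the same construction: a symmetric cipher keeps the client from reading the state, and a keyed hash keeps the client from altering it. The following is an added example, not code from the original page or from ASP.NET itself, that applies that construction to a constructed forms-authentication-style ticket using the .NET CryptoStream, Aes and HMACSHA256 classes (encrypt-then-MAC, AES-CBC with a random IV, and the MAC checked in constant time before any decryption is attempted). The keys are generated at startup for the demonstration; a real site would use the fixed validationKey and decryptionKey from machineKey so that every server in a farm agrees. The token layout, the `ProtectedState` class and its method names are this example's own.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the page): protects a serialized state blob such as a
// ViewState or a forms-authentication ticket with AES-CBC followed by an
// HMAC-SHA256 tag (encrypt-then-MAC). Token layout: IV || ciphertext || tag.
public static class ProtectedState
{
    private const int IvSize = 16;   // AES block size in bytes
    private const int TagSize = 32;  // HMAC-SHA256 output size in bytes

    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // fresh random IV per token
            byte[] ciphertext;
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();
                }
                ciphertext = ms.ToArray();
            }
            // The MAC covers the IV as well as the ciphertext.
            var body = new byte[IvSize + ciphertext.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvSize);
            Buffer.BlockCopy(ciphertext, 0, body, IvSize, ciphertext.Length);
            using (var hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(body);
                var token = new byte[body.Length + TagSize];
                Buffer.BlockCopy(body, 0, token, 0, body.Length);
                Buffer.BlockCopy(tag, 0, token, body.Length, TagSize);
                return token;
            }
        }
    }

    // Returns null when the tag does not verify (tampered data or wrong key).
    // Decryption never runs on unauthenticated bytes, so padding errors leak nothing.
    public static byte[] Unprotect(byte[] token, byte[] encKey, byte[] macKey)
    {
        if (token == null || token.Length < IvSize + TagSize) return null;
        int bodyLen = token.Length - TagSize;
        var body = new byte[bodyLen];
        var tag = new byte[TagSize];
        Buffer.BlockCopy(token, 0, body, 0, bodyLen);
        Buffer.BlockCopy(token, bodyLen, tag, 0, TagSize);
        using (var hmac = new HMACSHA256(macKey))
        {
            if (!FixedTimeEquals(hmac.ComputeHash(body), tag)) return null;
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            var iv = new byte[IvSize];
            Buffer.BlockCopy(body, 0, iv, 0, IvSize);
            aes.IV = iv;
            using (var ms = new MemoryStream())
            using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
            {
                cs.Write(body, IvSize, bodyLen - IvSize);
                cs.FlushFinalBlock();
                return ms.ToArray();
            }
        }
    }

    // Constant-time comparison so an attacker cannot learn the tag one byte at a time.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Demo keys only; a real site would take these from machineKey.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        // Constructed sample: the kind of data a forms-authentication ticket carries.
        byte[] ticket = Encoding.UTF8.GetBytes("user=alice;role=member");
        byte[] token = Protect(ticket, encKey, macKey);
        Console.WriteLine("Round trip: " + Encoding.UTF8.GetString(Unprotect(token, encKey, macKey)));

        // Flip one bit of the ciphertext, as an attacker editing the cookie would.
        token[IvSize + 3] ^= 0x01;
        Console.WriteLine("Tampered token accepted? " + (Unprotect(token, encKey, macKey) != null));
    }
}
```

The second WriteLine prints `False`: the flipped bit changes the ciphertext, the recomputed HMAC no longer matches the stored tag, and `Unprotect` rejects the token without ever decrypting it. Separate keys are used for encryption and for the MAC, which is the same split ASP.NET makes between decryptionKey and validationKey.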
Cryptographic classes are available in the .NET Framework whenever you need to protect your data. SHA1 and MD5 are two one-way hash algorithms that can be used so that users' passwords cannot be read, even by the website administrators. Note, however, that a bare MD5 or SHA1 of a password is weak by today's standards: both are fast to brute-force, and without a salt the same password always produces the same digest, so use a random per-user salt and a deliberately slow key-derivation function such as PBKDF2 (the Rfc2898DeriveBytes class). For other cases symmetric algorithms are most commonly required, and they can be applied easily through the CryptoStream class.
Tags: cryptography, public key cryptography, secret key cryptography
