Designing for Simplified Cryptography Functionality
Cryptography in applications can be implemented in many ways. Typically, developers must duplicate code to perform common tasks. To meet the needs of their organization, they may have to familiarize themselves with many different ways of implementing cryptography. The Cryptography Application Block is designed to simplify and abstract the implementation of cryptography in applications.
Design Implications
Ensuring that the Cryptography Application Block simplifies the task of accessing cryptography functionality resulted in the following design decisions:
- It should expose only a small number of methods that a developer would need to understand.
- It should accept and return data using consistent data types.
- It should support common algorithms.
The following subtopics describe these decisions.
Small Number of Methods
The Cryptography Application Block supports a small number of methods that simplify the most common cryptography tasks. It provides a non-static CryptographyManager facade that defines the set of methods the block supports. These methods include the following:
- CreateHash
- CompareHash
- EncryptSymmetric
- DecryptSymmetric
Consistent Data Types
Each public method has two overloads. One overload accepts parameters of type string; the other overload accepts parameters of type byte array. For example, the following code shows the two overloads for the CreateHash method:
// C#
public byte[] CreateHash(string hashInstance, byte[] plainText)
public string CreateHash(string hashInstance, string plaintext)
' Visual Basic
Public Function CreateHash(ByVal hashInstance As String, ByVal plainText As Byte()) As Byte()
Public Function CreateHash(ByVal hashInstance As String, ByVal plainText As String) As String
Common Algorithms
The Cryptography Application Block includes two implementations of symmetric providers. The DpapiSymmetricCryptoProvider uses DPAPI to provide cryptography services. Developers can use the SymmetricAlgorithmProvider to select and configure symmetric algorithms included with the .NET Framework.
The Cryptography Application Block includes two implementations of hash providers. The KeyedHashAlgorithmProvider allows developers to configure hash algorithms included with the .NET Framework that require a generated key. The HashAlgorithmProvider allows developers to configure hash algorithms that do not require a generated key. Both providers allow the developer to ensure that a random string (known as a salt value) is generated and prepended to the plaintext before hashing. Consider using salt values for storing passwords, because they dramatically slow dictionary attacks: each entry in the dictionary must be hashed with each salt value.
Note
SHA256Managed is the recommended hash algorithm; the SHA1Managed algorithm is still acceptable but not encouraged. The MD4 and MD5 algorithms are not recommended. For symmetric encryption, AES (such as Rijndael) is currently recommended; DES is no longer recommended.
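The salted hashing described under Common Algorithms, written against the .NET base class library as an added example (it is not the block's own code). The class and member names, the 16-byte salt length, and the salt-then-digest storage layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: SaltedHashDemo and its members are hypothetical names.
static class SaltedHashDemo
{
    const int SaltLength = 16; // assumed salt size in bytes

    // Returns salt || SHA-256(salt || plaintext); this layout is an assumption.
    public static byte[] CreateHash(byte[] plaintext)
    {
        byte[] salt = new byte[SaltLength];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return HashWithSalt(salt, plaintext);
    }

    // Recovers the salt from the stored value and re-hashes the candidate.
    public static bool CompareHash(byte[] plaintext, byte[] stored)
    {
        if (stored == null || stored.Length <= SaltLength) return false;
        byte[] salt = new byte[SaltLength];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltLength);
        byte[] candidate = HashWithSalt(salt, plaintext);
        // Visit every byte so timing does not reveal the first mismatch.
        int diff = stored.Length ^ candidate.Length;
        for (int i = 0; i < stored.Length && i < candidate.Length; i++)
            diff |= stored[i] ^ candidate[i];
        return diff == 0;
    }

    static byte[] HashWithSalt(byte[] salt, byte[] plaintext)
    {
        using (var sha = SHA256.Create())
            return Concat(salt, sha.ComputeHash(Concat(salt, plaintext)));
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    static void Main()
    {
        byte[] pw = Encoding.UTF8.GetBytes("constructed-sample-password");
        byte[] stored = CreateHash(pw); // differs on every call: fresh salt
        Console.WriteLine(CompareHash(pw, stored));
        Console.WriteLine(CompareHash(Encoding.UTF8.GetBytes("wrong"), stored));
    }
}
```

For stored passwords, a deliberately slow key-derivation function such as PBKDF2 (Rfc2898DeriveBytes in .NET) adds a per-guess cost that a single salted SHA-256 pass does not.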