This blog has moved!

Check out www.CodeBetter.com/blogs/grant.killian




Hashing & Encryption Because Our Curriculum Ignores It

We're covering some security topics in the ITPro class tonight; since we only have a few hours for the session, certain things have been left out of the curriculum -- it's impossible to give everything its due. While I'm on the topic, I didn't choose the curriculum! Nonetheless, cryptography is one topic that many students ask about, so perhaps I can address the questions before they're asked . . .

First, Hashing and Encrypting are different.  A hash is a one-way distillation of the content that can be used for equality checks; it's likened to a fingerprint.  Fingerprints can be used to identify content (and compare one fingerprint to another), but you cannot reconstitute the entire content based on the fingerprint.  Hashing is a one-way trip.  See the .Net docs on FormsAuthentication.HashPasswordForStoringInConfigFile for a very easy example.

Encrypting can be a round-trip, provided you've got the same security key etc.  Folks are usually just interested in the code, and basic/easy examples of encrypting/decrypting are harder to come by, so I'll stop beating around the bush and deliver the code for a quick Console application:

string strVar = getEncryptedText( "Colorado Avalanche", "test1234", "12345678" ) ;
Console.WriteLine( strVar ) ;
Console.ReadLine() ;
Console.WriteLine( getDecryptedText( strVar, "test1234", "12345678" ) ) ;
Console.ReadLine() ;

The above doesn't tell you anything besides demonstrating a sample usage of the following getEncryptedText and getDecryptedText:

// Needed at the top of the file:
using System ;
using System.IO ;
using System.Security.Cryptography ;
using System.Text ;

// Encrypts strPlainText with RC2 and returns the ciphertext as Base64 text.
private static string getEncryptedText( string strPlainText, string strKey, string strIV )
{
 byte[] arrBytes = Encoding.Default.GetBytes( strPlainText ) ;
 MemoryStream mem = new MemoryStream() ;
 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create( "RC2" ) ;
 symAlg.Key = Encoding.Default.GetBytes( strKey ) ;
 symAlg.IV = Encoding.Default.GetBytes( strIV ) ;   // must match the 8-byte RC2 block size
 ICryptoTransform icrypto = symAlg.CreateEncryptor() ;
 CryptoStream cryptStream = new CryptoStream( mem, icrypto, CryptoStreamMode.Write ) ;
 cryptStream.Write( arrBytes, 0, arrBytes.Length ) ;
 cryptStream.Close() ;   // writes the final padded block into mem
 byte[] arrCrypto = mem.ToArray() ;   // separate name: arrBytes is already declared above
 // Ciphertext is arbitrary binary, so carry it as Base64 rather than decoding it as text
 return Convert.ToBase64String( arrCrypto ) ;
}

// Reverses getEncryptedText: takes Base64 ciphertext and returns the original plain text.
private static string getDecryptedText( string strCryptoText, string strKey, string strIV )
{
 byte[] arrBytes = Convert.FromBase64String( strCryptoText ) ;
 MemoryStream mem = new MemoryStream() ;
 SymmetricAlgorithm symAlg = SymmetricAlgorithm.Create( "RC2" ) ;
 symAlg.Key = Encoding.Default.GetBytes( strKey ) ;
 symAlg.IV = Encoding.Default.GetBytes( strIV ) ;
 ICryptoTransform icrypto = symAlg.CreateDecryptor() ;
 CryptoStream strm = new CryptoStream( mem, icrypto, CryptoStreamMode.Write ) ;
 strm.Write( arrBytes, 0, arrBytes.Length ) ;
 strm.Close() ;   // removes the padding and finishes the plain text
 return Encoding.Default.GetString( mem.ToArray() ) ;
}

These two functions accept a key and IV (Initialization Vector) to encrypt and decrypt the text . . . so your burden now becomes how to secure the Key (as I understand it, IV is not necessary to keep secret).  For details on keeping your keys safe, check out this section from Keith Brown's online book.
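Because the IV does not have to be secret, it can be generated fresh for every message and stored in front of the ciphertext, leaving the key as the only secret. The following is an added example, not code from the original post: it uses AES instead of the post's RC2, and the names IvDemo, Encrypt and Decrypt and the random sample key are assumptions made for illustration.

```csharp
using System ;
using System.IO ;
using System.Security.Cryptography ;
using System.Text ;

static class IvDemo   // hypothetical names throughout; not from the original post
{
 // Returns Base64( IV || ciphertext ); a fresh random IV is generated per call.
 static string Encrypt( string plainText, byte[] key )
 {
  using ( Aes aes = Aes.Create() )   // defaults: CBC mode, PKCS7 padding
  using ( MemoryStream mem = new MemoryStream() )
  {
   aes.Key = key ;
   aes.GenerateIV() ;
   mem.Write( aes.IV, 0, aes.IV.Length ) ;   // the IV travels in the clear
   byte[] plain = Encoding.UTF8.GetBytes( plainText ) ;
   using ( CryptoStream cs = new CryptoStream( mem, aes.CreateEncryptor(), CryptoStreamMode.Write ) )
    cs.Write( plain, 0, plain.Length ) ;
   return Convert.ToBase64String( mem.ToArray() ) ;
  }
 }

 // Splits the IV back off the front of the message, then decrypts the rest.
 static string Decrypt( string cryptoText, byte[] key )
 {
  byte[] all = Convert.FromBase64String( cryptoText ) ;
  using ( Aes aes = Aes.Create() )
  using ( MemoryStream mem = new MemoryStream() )
  {
   byte[] iv = new byte[ aes.BlockSize / 8 ] ;
   if ( all.Length <= iv.Length ) throw new CryptographicException( "Input too short to hold IV and ciphertext." ) ;
   Array.Copy( all, iv, iv.Length ) ;
   aes.Key = key ;
   aes.IV = iv ;
   using ( CryptoStream cs = new CryptoStream( mem, aes.CreateDecryptor(), CryptoStreamMode.Write ) )
    cs.Write( all, iv.Length, all.Length - iv.Length ) ;
   return Encoding.UTF8.GetString( mem.ToArray() ) ;
  }
 }

 static void Main()
 {
  byte[] key = new byte[ 32 ] ;   // constructed sample key (256-bit), random per run
  using ( RandomNumberGenerator rng = RandomNumberGenerator.Create() ) rng.GetBytes( key ) ;
  string first = Encrypt( "Colorado Avalanche", key ) ;
  string second = Encrypt( "Colorado Avalanche", key ) ;
  Console.WriteLine( first == second ) ;   // compares two encryptions of the same text
  Console.WriteLine( Decrypt( first, key ) ) ;
 }
}
```

With a fixed IV such as the "12345678" used in the console sample, the same plain text under the same key always produces the same ciphertext; a per-message IV removes that pattern.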

If you're looking for a good general source on .Net security, check out O'Reilly's Programming .Net Security.  My code above draws on their summary treatment of CryptoStreams and the various .Net implementations of algorithms like RC2 and SHA1, etc.

Happy Secure .Netting!

posted on Wednesday, May 05, 2004 12:32 PM by grant.killian




