With so much resting on digital security in our modern world, it’s a wonder that such a small percentage of Web sites use encryption. Perhaps the complexity and lack of application support make it difficult, but security is all about protecting data, and you cannot protect data without cryptography. Fortunately, ASP.NET provides an impressive set of cryptography-related classes to protect even the most sensitive data. Best of all, ASP.NET makes it easy to implement cryptography throughout your application.
But cryptography is about more than just ensuring the confidentiality of your data. In fact, cryptography plays many roles in data security, such as:
Ensuring data integrity
Guaranteeing privacy
Authenticating senders and recipients
Preventing repudiation
Data integrity involves proving that data has remained unmodified since a certain point in time. Privacy and confidentiality prevent others from accessing your data without your permission. Authentication is proving that the data came from the stated source and that it is accessible to only the stated recipient. Finally, repudiation is denying an action or ownership of data. Cryptography forces a user to acknowledge an action or concede ownership of data.
As you read this chapter, you will find concepts sometimes unique to the science of cryptography. Although a full discussion of the workings of cryptography is beyond the scope of this book, it is important to understand some of these concepts:
Plaintext The original unmodified, unprotected data., also known as cleartext.
Ciphertext The plaintext transformed in such a manner that it is not usable without a proper key.
Encryption The process of transforming plaintext into ciphertext.
Decryption The process of transforming ciphertext into plaintext.
Cipher The algorithm or process used to encrypt sensitive data.
Key The secret used to encrypt and decrypt sensitive data.
Keyspace The set of all possible keys available to a specific cipher.
Pseudorandom-number generators (PRNGs) Because computers cannot be truly random, we depend on pseudorandom-number generators to closely simulate true randomness. Random numbers play an important role in cryptography.
Although cryptography is an important element of data security, it is not impervious to attack. In fact, there are a number of ways to attack a cryptographic system, such as:
Brute force Guessing a key by trying all possible keys. The success of a brute-force attack depends on the speed of current computing technology and the time allocated for such an attack.
User weaknesses Humans are vulnerable to social engineering, physical threats, and blackmail, and they make poor security choices.
Cryptanalysis Many people study cryptographic algorithms to find flaws within such code.
Side-channel leakage Sometimes it is possible to discover a cryptographic key or find flaws in a cipher by measuring and analyzing timing, power consumption and dissipation, electromagnetic radiation, heat radiation, or other side channels.
Physical attack An attacker may gain physical access to your computer and discover your private key or install a key logger or other monitoring device to discover your password.
Poor implementation Many developers do not understand how to properly implement cryptography in their applications and so can inadvertently introduce weaknesses.