Microsoft's .NET framework has robust support for encryption in the System.Security.Cryptography namespace. Everything you need to perform encryption is available in that class, but it's difficult to understand unless you have a firm grasp of cryptographic theory. Over the last four months, I've struggled with the concepts and theory behind encrypting and decrypting data. I've wrapped all my derived knowledge into a class I call Encryption. This class is heavily documented, string oriented, and most of all, simple! It's ideal for learning more about encryption.

There are three essential cryptographic concepts represented in the Encryption namespace. It's important that every developer understands these concepts before proceeding any further:

Hashes aren't encryption, per se, but they are fundamental to all other encryption operations. A hash is a data fingerprint - a tiny set of bytes that represents the uniqueness of a much larger block of bytes. Like fingerprints, no two should ever be alike, and a matching fingerprint is conclusive proof of identity. A full discussion of hashes is outside the scope of this article, but I highly recommend Steve Friedl's Illustrated Guide to Cryptographic Hashes for more background.

In symmetric encryption, a single key is used for encrypting and decrypting the data. This type of encryption is quite fast, but has a severe problem: in order to share a secret with someone, they have to know your key. This implies a very high level of trust between people sharing secrets; if an unscrupulous person has your key-- or if your key is intercepted by a spy-- they can decrypt all the messages you send using that key!

Asymmetric encryption solves the trust problem inherent in symmetric encryption by using two different keys: a public key for encrypting messages, and a private key for decrypting messages. This makes it possible to communicate in secrecy with people you don't fully trust. If an unscrupulous person has your public key, who cares? The public key is only good for encryption; it's useless for decryption. They can't decrypt any of your messages! However, asymmetric encryption is very slow. It's not recommended for use on more than roughly 1 kilobyte of data.

These three concepts are heavily intertwined and always seen together in modern cryptography. They have different strengths and weaknesses; combining them offers a much higher level of security than can be achieved using a single method alone. For example, when digitally transmitting a check to your bank, all three of these methods are used:

Image reprinted from Entrust's Introduction to Cryptography and Digital Signatures PDF.

In order to open the check, these steps are simply performed in the reverse order by the recipient. Note that if any of these steps were missing, the transaction would have significant weaknesses that could be exploited!

See more here:
.NET Encryption Simplified - CodeProject

One of the biggest challenges when dealing with the security and encryption for a system, is the determination of the correct ciphering paradigm. In .NET, there is a copious amount of libraries available for use in the System.Cryptography namespace. A significant amount of these libraries have been deprecated, usually, due to vulnerabilities being subsequently exposed, so it is very easy to use something that may be as watertight as a sieve.

This is further compounded by the fact that the cryptography APIs are very detailed and low level they are not easy to use for a novice the consequences of setting a single parameter incorrectly results in a security implementation that may as well not exist. Consequently, it is imperative that this subject never be approached in a typical agile/sprint manner security should definitely be approached using a waterfall model. Have no hesitation to advise any manager or architect that your solution will be ready, when it is ready. The agile methodology is typically about adding units of functionality in a YAGNI way, accruing technical debt that can be paid back later, and refactoring applied, this just simply not a correct or acceptable approach when dealing with the security of a system. Do ensure you take the time to do a lot of research, understanding the pitfalls of various implementations is vital to a robust security implementation.

The abundance of so many different types of cryptography, implemented using Symmetric (same key is used to encrypt and decrypt) and Asymmetric (public key and private key used to encrypt and decrypt) algorithms has necessitated that Governments try and standardise implementations across departments, sites and even countries. The AES was released in 2001 as a replacement for the Data Encryption Standard (DES) which had been found to be susceptible to backdoors. This new standard has been widely adopted in commercial environments, as it had a requirement to be able to protect information for a minimum of 20 years or 30 years.

A number of papers were submitted in the application process for the AES by various academic institutions, with the winning cipher named Rijndael (pronounced rain-dahl) a play on the names of the authors of the paper, Joan Daemen and Vincent Rijmen (paper available here). I am sure you will agree that comprehension and implementation of the paper is better suited to domain experts. The algorithm was written by two gifted PhD calibre researchers, so your time as a developer is better suited to try and resolve the domain problems that your business is trying to solve (unless you are a cryptographer of course). You can be sure that researchers at Microsoft have done all the time consuming work of implementing and testing the algorithm, rather than to trying to implement the Rijndael Block Cipher yourself.

To this end, Microsoft have implemented the Rijndael Block Cipher in two in .NET classes which, incidentally, both inherit from the SymmetricAlgorithm abstract base class

Unlike some of the asymmetric implementations by Microsoft, the AES implementation allows you to work at a very high level of abstraction, reducing the amount of parameters you have to configure, hence the scope for error. I have created a class that allows you to encrypt and decrypt strings (your password), and then use this to encrypt a files from anywhere on your machine.

Thus far, the only way this algorithm can be broken is by using a technique known as brute force. This is done by a supercomputer(s) trying every known word in a language, and various password to try and generate the correct password. Typically, these types of programs run over weeks or even months, but can be increased to millennia if the end user chooses a strong password to begin with, which is why having a well defined password policy is vital.

public MainWindow()

{

InitializeComponent();

Continued here:
Encrypting files in C#.NET using the Advanced Encryption ...

Yesterday evening, Apple CEO Tim Cook was honored for corporate leadership during EPICs Champions of Freedom event in Washington. Cook spoke remotely to the assembled audience on guarding customer privacy, ensuring security and protecting their right to encryption.

Like many of you, we at Apple reject the idea that our customers should have to make tradeoffs between privacy and security, Cook opened. We can, and we must provide both in equal measure. We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.

This marked the first time that EPIC, a nonprofit research center in Washington focused on emerging privacy and civil liberties issues, has giventhe honor to a person from the business world. The hosts of the event included cryptographer Bruce Schneier, EPIC president Marc Rotenberg, Lobbyist Hilary Rosen and Stanford Lecturer in Law Chip Pitts.

Cook was characteristically passionate about all three topics. A theme that has persisted following hisappearance on Charlie Rose late last year to define how Apple handled encryption, his public letter on Apples new security page in the wake of the celebrity nude hacking incidentsand his speech earlier this year at President Obamas Summit on Cybersecurity at Stanford an event which was notably not attendedby other Silicon Valley CEOs like Facebooks Mark Zuckerberg, Yahoos Marissa Mayer and Googles Larry Page and Eric Schmidt.

Cook lost no time in directing comments at companies (obviously, though not explicitly) like Facebook and Google, which rely on advertising to users based on the data they collect from them for a portion, if not a majority, of their income.

Im speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information, said Cook. Theyre gobbling up everything they can learn about you and trying to monetize it. We think thats wrong. And its not the kind of company that Apple wants to be.

Cook went on to state, as he has before when talking about products like Apple Pay, that Apple doesnt want your data.

We dont think you should ever have to trade it for a service you think is free but actually comes at a very high cost. This is especially true now that were storing data about our health, our finances and our homes on our devices, Cook went on, getting even more explicit when talking about user privacy.

We believe the customer should be in control of their own information. You might like these so-called free services, but we dont think theyre worth having your email, your search history and now even your family photos data mined and sold off for god knows what advertising purpose. And we think some day, customers will see this for what it is.

That, in case you missed it, is an epic subtweet of Googles Photos product, which was just rolled out at I/O.The fact that Photos is free of charge, and Apples products are not likely spurred the talk about very high costs.

Read more:
Apples Tim Cook Delivers Blistering Speech On Encryption ...