Click here to Skip to main content
11,412,302 members (62,222 online)
Click here to Skip to main content

Data Encryption/Decryption using RijndaelManaged and PasswordDeriveBytes Classes

, 18 Jun 2006 CPOL
Rate this:
Please Sign up or sign in to vote.
A C# class for Ecrypting/Decrypting using .NET classes like RijndaelManaged and PasswordDeriveBytes

Introduction

This article gives an insight into Symmetric Encryption and how it can be implemented in .NET. In the sample explained below, we are using the Rijindal symmetric encryption algorithm, which is available in System.Security.Cryptography namespace. It also illustrates the making of secret key using the PasswordDeriveBytes class. I have also provided a simple class which hosts the function for encryption and decryption.

Why We Use Cryptography??

As everyone knows, cryptography is used to preserve some data so that it is not modified or readable to others. There are two types of cryptographic algorithms available: symmetric and asymmetric encryption.

Symmetric (or Private-key) Encryption

Symmetric (or private-key) encryption uses a single key for both encryption and decryption. A compromised key can lead to complete failure of the security of a system. With symmetric algorithms, the security of the key is inversely proportional to the number of people who have the key.

Asymmetric (or Public-key) Encryption

With asymmetric (or public-key) encryption, there are two mathematically related but independent keys, a public key and a private key. Information encrypted with the private key can only be decrypted with the corresponding public key, and information encrypted with the public key can only be decrypted with the corresponding private key.

How Symmetric Algorithms Work ??

Symmetric algorithms of the type discussed in this article are block ciphers. They break cleartext up into blocks of a fixed size (in the case of the Rijndael algorithm, 16, 24, or 32 bytes) and perform iterative rearrangement and substitution on successive blocks. Rijndael is used for the CryptoUtility because it offers the greatest key length of the algorithms available natively from .NET—256 bits.

Options for Symmetric Algorithms

Symmetric algorithms offer a number of options to control their operation. In most cases, you don't have to set these specifically as the chosen defaults are the most secure. However, it helps to understand what they're doing. The options for symmetric algorithms include the following:

Mode sets the cipher mode. For Rijndael, this is either Cipher Block Chaining (CBC) or Electronic Code Book (CB):

  • CBC, the .NET default, is the most secure cipher mode. CBC performs an XOR operation on each block of cleartext with the previous cipher block before enciphering it. It also requires an Initialization Vector (IV), a random block of the same length as the algorithm's block size. The IV is used as a stand-in to perform Cipher Block Chaining on the first block of cleartext, since at that point there is no previous block. The IV ensures that repetition in the first block of cleartext does not result in similar repetition of the first block of ciphertext when the same key is used.
  • ECB, the less-secure option, has each block enciphered independently. Repetition in the clear text may produce patterns in the cipher text, thereby weakening security.

Creating Strong Keys

Predictable cryptographic keys, like predictable passwords, badly compromise the security of your application. Don't generate these keys by hand—humans are poor random number generators. Using the System.Random pseudo-random number generator is also not sufficient since its random sequences are deterministic and repeatable (hence the name "pseudo-random").

In the example, we will be creating a cryptographic key from a password which is a string. Starting with a plain-text, easily memorized passphrase, you can use the PasswordDeriveBytes class to generate a cryptographic key. This method is mainly useful when a user will input a passphrase, which will immediately perform encryption or decryption and then be discarded.

Another option is the use of RNGCryptoServiceProvider to generate strong keys. It generates cryptographically strong random numbers and is suitable for key and salt/IV generation. Though RNGCyptoServiceProvider is technically a pseudo-random generator, it is NIST-certified as cryptographically strong.

Creating Strong Salt

Salt provides additional entropy (degree of disorder) to the cryptographic algorithm.

NB: In real case, never hard-code a password within your source code. This is because Hard coded passwords can be retrieved from an assembly using the MSIL Disassembler (Ildasm.exe) tool, a hex editor, or by simply opening up the assembly in a text editor like notepad.exe.

The following code snippet illustrates the creation of encrypter/decrypter:

//Rinjindael object creation
RijndaelManaged RijndaelCipher = new RijndaelManaged();
byte[] PlainText = System.Text.Encoding.Unicode.GetBytes(InputText);

//Salt is created for additional degree of disorder in encrypted key
byte[] Salt = Encoding.ASCII.GetBytes(Password.Length.ToString());

//This class uses an extension of the PBKDF1 algorithm defined 
//in the PKCS#5 v2.0 standard to derive bytes suitable 
//for use as key material from a password. 
//The standard is documented in IETF RRC 2898.
PasswordDeriveBytes SecretKey = new PasswordDeriveBytes(Password, Salt);

//Creates a symmetric encryptor object. 
ICryptoTransform Encryptor = 
      RijndaelCipher.CreateEncryptor(SecretKey.GetBytes(32),...

Please download the source file to see the full implementation.

History

  • 19th June, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Nidheesh T Mani
Architect
India India
I'm working as a Technology Architect for a US based multinational company.I'm also a TOGAF certified enterprise architect working with microsoft technologies..

Comments and Discussions

 
GeneralMy vote of 5 PinmemberCuteD34th27-Jun-13 22:10 
GeneralVery good PinmemberMember 794342014-Aug-12 19:22 
GeneralMy vote of 5 PinmemberRazorSharp129612-Aug-12 16:52 
GeneralMy vote of 5 PinmemberWESTSEYI27-Jan-12 18:36 
GeneralMy vote of 3 Pinmemberbharath kumar.M15-Jul-10 6:36 
GeneralMy vote of 1 PinmemberParesh Gheewala14-Jan-09 23:12 
GeneralRe: My vote of 1 PinmemberPaul Coldrey18-Mar-09 13:56 
GeneralLength not valid for a Base-64 char matrix. Pinmemberrafayahoo.es25-Jul-07 5:35 
AnswerRe: Length not valid for a Base-64 char matrix. Pinmembersan_sani425-Jun-09 7:15 
QuestionMSIL Encryption PinmemberHimmett18-Jul-07 11:36 
GeneralThank you Pinmemberk_hammami200514-Mar-07 6:31 
GeneralSalt length for Rfc2898DeriveBytes class PinmemberMichael Freidgeim9-Jan-07 17:58 
QuestionSame string for Password and Salt PinmemberMichael Freidgeim9-Jan-07 14:15 
AnswerRe: Same string for Password and Salt PinmemberEnnis Ray Lynch, Jr.9-Jan-07 14:38 
QuestionLength of the data to decrypt is invalid. PinmemberBeetle5419-Sep-06 17:21 
GeneralDownload Broken PinmemberMx226-Jun-06 4:10 
QuestionSource Link? Pinmemberfwsouthern19-Jun-06 16:57 
AnswerRe: Source Link? PinmemberNidheesh T Mani4-Jul-06 2:17 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.150414.5 | Last Updated 19 Jun 2006
Article Copyright 2006 by Nidheesh T Mani
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid