Cryptography 101 with .NET Core

Boni Robert hi hello Robert how are you
good how are you I'm doing so good let's
see if oh I don't know yep just working
out this keyboard thing sorry about um
so cryptography 101 with dotnet core
what do you got yes a lot of school
stuff school stuff great um do you want
to go ahead and share your screen oh
well why don't you introduce yourself
first sorry what do you work on so I
work full-time on an e-commerce website
and author and do a lot of conference
speaking and happy about it so if we
like Robert there's plenty of content
out there to go find there should be
cryptography cool cool okay um so would
you like to go ahead and share your
screen and we can dive in yes we know
when you can see it okay I'll let you
know when we can see that let's see
we're having some interesting Skype
delays I see that let's see the camera
he's melting yeah
I think he was attempting to share his
desktop and Skype might have crashed a
bit just a little bit we're getting some
very interesting melting graphics though
everyone's saying to switch to teams
okay we'll go ahead and restart Skype
really quick and I'll just entertain and
delay which is my main job happy years
here in the studio with me we'll
probably switch that's his hand will
probably switch off throughout our
interviews and whatnot Oh looks like we
have Robert back but naturally as soon
as I switch to the screen share uh it
crashes again okay
just switching back to me on camera so
we're gonna figure out this in a second
oh I think I see Robert again okay
Robert can you share your screen I think
I saw it for a sec okay that's me on
Roberts screen and now I can press the
live share and it's repeating it because
all it sees is name sharing Skype and
maybe minimize Skype and then we'll be
able to see hey there we go
okay now we can see your screen Robert
awesome okay whew that was fun I did
that we took them through the matrix
there for a second okay all right 101
with.net core the principles will talk
about cryptography you can use any
platforms they're very familiar
algorithms and things that you can take
advantage of but we're gonna focus on
the implementations and done that core
so a little bit about myself is said
Microsoft MVP part of the ASP insiders
plural site author progress developer
expert in Fiddler that's my Twitter
handle so let's get started so some
background cryptography is the science
of keeping messages secure
why do you want cryptography there's
really four different things most people
think about it for confidentiality so
you're trying to protect data from being
read so you just have something you
don't want people to see that's what
most people think of when they think of
cryptography
there's also integrity and so integrity
is where I want to verify the data top
of your screen we just like seeing all
of your slides better yes okay so we've
got authentication where you want to
identify and validate who a user is and
we're also going to have non-repudiation
so a sender can't deny later that he
sent a given message this is all in the
system dot security dot cryptography
namespace that's where all these classes
will come from and most important thing
if you get nothing else out of this talk
don't try to write your own cryptography
I mean this stuff is well vetted a lot
of people have seen it a lot of people
use it it's built into the framework for
us already take advantage of what's
built in don't try to write your own so
first thing we'll look at is hashing so
the idea with a hash function is you
have a one-way function so it's easy to
compute in one direction but
significantly harder to reverse so hash
functions going to convert a variable
length input into a fixed length it
creates what you could call a data
fingerprint or a digest and it's okay to
see it so if I have data that I don't
care that somebody and I don't need to
hide it from them it's okay for them to
see but I don't want it to be tampered
with
that's the integrity that we talked
about earlier that's where a hash
function is useful so as you see on the
left-hand side I've got some basic
content and I can run a hash on it and
it's going to create this data
fingerprint or digest on the right hand
side that
the hash if I make even a single
character change to the data that's on
the left-hand side I'll get a vastly
different hash so the ideas I can use it
run a hash against the data see that the
hashes match so I can see that things
haven't been tampered with so let's take
a look at a demo for hash functions
don't know what's happening there okay
so the pattern will be very familiar
here for all the cryptography that we
use in dotnet so I'll spend a little bit
of time on this one
but I start with some initial plaintext
so I've just got a string here that
stores in this case this is a simple
demonstration of hashing I'm gonna use
the sha-512 class to do the hashes
that's part of the shot to family the
sha-1 md5 s all of those are not
considered safe anymore so you should
use a sha to functions I'm going to use
sha-512 and what I'm gonna do on this
line you'll see is very familiar with
all the other cryptography will do I
have my string and I need to convert it
into a byte array so I can use the
cryptographic functions they just all
operate on byte arrays so the first
thing I'm gonna do is I'm going to call
the get bytes so I past get bytes the
plaintext string there's lots of
different ways I could choose to encode
this utf-8 is a pretty common encoding
scheme to take strings so I'm going to
convert that do the utf-8 encoding and
then I'm gonna simply call the compute
hash function and as you can see from
the comments I'm gonna get back a byte
array here that's got 512 bits that's
just because I use sha-512 now I want to
display that on the screen so I'm
actually gonna use the bit converter
class there's lots of different ways to
do this I'll show you later how we can
use base64 encoding there's times where
I want to be able to use the hash on a
query string and such so I want to use
characters that aren't going to conflict
with other things on my url so in this
case
I just call the big converter I say I
wanted to go to string and as you can
see up above here it's going to give me
back something that looks like this
so I'm just gonna strip out all the
dashes I just end up with a basic
display so let's look at what that looks
like so you can see here here's my
initial string and then what it hashes
to here so in the example if I go back
you can see even if I were to go change
this if I uncommented that and had a
much larger string the actual hash will
be a fixed size it's just based on what
the hash is so that's basic hashing if
we have some time later we'll talk about
where you might want to use some of
these techniques like I said it's common
if you go to download from a given site
they often list their hash so they'll
say here's a sha-256 etc that way you
know after you download it you could run
the same algorithm it's going to do a
hash even though it's a huge file it'll
be a really small hash and you'll be
able to compare and say that's what the
site said they had that's what I had
after I downloaded it so I know that
nobody's tampered with that so that's a
good use of hashing now we'll get into
what most people expect for cryptography
and that's encryption and decryption
there's gonna be two different kinds so
we'll talk about symmetric algorithms
first and they're symmetric because the
encryption and the decryption are going
to use the same secret key so we're
going to have a secret to share between
the two partners that want to exchange
data and we need to keep that key secret
so if we follow along in the diagram on
the left-hand side I've got the
plaintext that's what I want to encrypt
I'm gonna run my encryption algorithm
with a secret key the result is the
ciphertext that's just the encrypted
stuff I want to send the person
receiving the data will do the
decryption and they're going to use the
exact same secret key that's why it's
called symmetric and if they do that
they're going to get back to the
original plaintext
so the primary attack against this as
far as if people are gonna try to break
this they either are gonna try to
determine what the secret key is and if
they couldn't intercept that or
otherwise determine what it is they're
gonna try brute force key search they're
just going to try all the different
possible keys so the main problem with
this it's really fast it's used a lot
but the key distribution is difficult so
we'll talk later about situations where
I need to share with somebody on the
internet that I haven't otherwise come
in contact with it's hard to give them
the secret key because how would you
give it to them ahead of time in a
secure manner so they'll be places for
symmetric like we said there's a couple
main classes built-in to.net and we're
gonna focus on the primary one that most
people use today is AES encryption so US
government a lot of others this is just
the common symmetric algorithm that
everybody's using in dotnet the
symmetric algorithms are called block
ciphers so they're gonna take my string
and break it up into individual blocks
and encrypt each block one at a time
that's why it's called a block cipher
there's a couple different modes that
you can use ECB or CBC I won't get into
all the details of these but basically
if we use CBC which we recommend that
you use when you encrypt the first block
of the data it wants to add more
randomization into the symmetric
algorithm so it wants to take some
random data from the first block you
encrypt it's going to use the result of
that as input into the next block that
it encrypts so essentially there's a
some extra random that's done each time
it's encrypting blocks of your original
data so the question for that then
becomes how do they get random data for
the very first block that you're going
to use that uses what's called an
initialization vector so the idea with
that again it's just some random data
that's going to be used to seed the
first block for your encryption it
doesn't need to be a secret so you'll
see when we look at the diagram that I'm
going to
transmitted that along with and I'm
never gonna reuse it I'm just it's
always gonna be unique for each set of
data that's all that's important so
let's take a look at a demo of symmetric
algorithms so I've got a web page we'll
look at the page first so I come out
here and type in some random plain text
I can hit n crypt we'll see that it
created the cipher text but it also gave
me the initialization vector so that's
what was used to seed the first block of
this encryption so I need to send both
of these two things I'm going to send
the cipher text and this initialization
vector again now that the cipher text is
encrypted it's safe for me to just send
both of these pieces again the IV it's
fine if that's visible to people if I
hit decrypt we'll see that I get back
the original plaintext like you'd expect
so let's look at how this is implemented
so when I do a post I happen to be using
razor pages and so again you can use
this console wherever you want I'm going
to give sample code at the end that has
a lot of examples of practical ways to
use cryptography in an asp.net website
so that's why I chose to host it in here
but the first thing I'm going to do is
I'm going to actually create an AES
cipher so we'll go up and look at what
that looks like it's pretty
straightforward I just use that class
and say create and I listed on the
right-hand side what some of those
defaults will be I'm gonna set the
padding mode so for the padding mode
it's fine to use the default I like to
use this padding mode because what it
does is you take your original string
you're going to break it into blocks
that very last block isn't gonna
magically be the right size you know 128
bits so the algorithm needs to pad out
the rest of that block by using this
isoh padding mode it's going to put
random data and the rest of that block
which again it just helps with
cryptography to be able to use more ran
data when you're doing things so I like
to use that for the padding mode I left
this in here if you want to test later
if you do a padding mode of zero and you
use the wrong mode every time you
encrypt the same piece of data it will
always end up with the same encrypted
cipher text by using these other
defaults even if I encrypt the word yes
20 times every time it's going to turn
out having something different because
of the mode that we're using with CBC
uses that initialization vector to get
the original random text to use I'm
doing this only for a demo I'm setting
the key so obviously it's not a good
decision to store my key directly in the
code when I could have a lot of time
today to talk about ways to store keys
securely but for the demo code to be
able to give it to you I wanted you to
be able to see you can just generate
some random bits and that's what I did
to create that key so now what I have
I've got the actual AES cipher as we saw
before when I did the cipher it created
some initialization data it created that
first block of random data to use for
encryption I wanted to be able to show
that on the page and so I did a
conversion to base64 it so that when I
displayed it back in the webpage you
would actually see it in a visible form
because it started as a byte array to do
the actual encryption I create an
encrypted then do the utf-8 encoding
that I did before that takes my
plaintext string and converts it into a
byte array and then I call this
transform final block which does the
actual encryption and then I chose in
this case again to use base64 encoding
so that I could display it on the screen
as a string decryption is similar I
create the same cipher I do kind of the
reverse and then here I'm doing the
create decryptor so again the main point
is just you look very quickly this is a
well-established algorithm that lots of
people use that's highly secure and it
really doesn't take much net code at all
to be able to take advantage of it
correctly to do mine
Crypton so that is symmetric talk about
asymmetric so the idea with asymmetric
is you're going to the two partners are
going to create their own public/private
key pair and they're not the same that's
why they call it asymmetric so in this
case if I want to send to someone else
I'm going to get their public key I'll
take the plaintext I'm going to use the
encryption using their public key once I
do that I've got cypher text and the
advantage of asymmetric is because I use
their public key the only thing that can
decrypt this now is their private key so
obviously the receiver is going to hold
on to their private key make sure nobody
learns that but they're free to give out
their public key wherever they want
you'll see it on people's blogs you'll
see it in email signatures anybody then
can take that public key to encryption
knowing that only the person who has the
private key can do the decryption and
get back to where they started problem
with asymmetric so it's great because
it's easy to distribute keys especially
with people that you haven't even worked
with before so for instance you came to
my blog you'd be able to get my public
key we wouldn't need to talk in advance
for you to be able to send me things
that are encrypted the bad news is it's
about a thousand times slower than
symmetric algorithms so you'll often see
in practice like HTTPS and TLS they
actually use a symmetric to encrypt a
session symmetric key so in other words
they generate a random symmetric key
they will exchange that symmetric key
using a symmetric encryption so that
they can safely do that and then they
continue again some of the very popular
classes will talk and focus it on the
RSA class so we'll do a quick demo on
that so very similar to what we saw
before I'm going to create I'll show you
the page quick I can type in some text
do an encryption and then I'll do the
decrypt get back to where I started so
very similar I'm going to create a
cipher like I did before
in this case I just used RSA I have
created a set of public private keys
that I have stored in this variable so
now what I can do is take the plaintext
I'll do my utf-8 again to do the
encoding to get it into a byte array
I'll call the encryption method which
uses RSA and the public key from that
keychain and then I will base64 it so I
can show it on the screen
Mme and a similar thing for decryption
so again you'll see it's very simple to
do this I've got examples in the code
for how you can create RSA keys so later
on you can see how to create keys for
both asymmetric and symmetric by using
some of these other classes and pages
but basically that's how easy it is to
do encryption when you're using dotnet
core so talk quickly about digital
signatures and this provides both
integrity and non-repudiation the idea
is I'm going to hash the contents of a
message and then I'm gonna sign that
hash with my private key by default it
doesn't provide confidentiality but I'm
going to show you in the diagram how you
can do that as well
so if we follow along here I've got some
plain text I'm going to encrypt it using
a symmetric just like I did before
I'll use the receivers public key to do
encryption
I'll get ciphertext I'll use hashing to
compute a hash once I have the hash I'll
sign it with my private key and that
will become my signature so now when I
send the cipher text the person will be
able to use the receivers private key to
decrypt it they'll be able to use my
public key to prove that I'm the person
who signed it so again they have
non-repudiation we've got integrity and
we have confidentiality all in one big
approach here as far as using this in
dotnet core a couple cool things that
are coming with dotnet core 3.0 we now
will have authenticated encryption for
the first time so we talked about AES
encryption before and we've talked about
hashing this combines the two of them so
that I can come do the encryption send
it to you and not only will you know
that you can decrypt it but you'll also
be able to use the hash to verify that
it hasn't been tampered with so there's
two new classes that come in net core 3
oh like you said this is the first time
we've had access to authenticated
encryption so that's cool
they've also got an expanded list of
cryptographic key formats that we can
import an export compared to what we had
in the past
so in summary don't write your own
encryption use trusted algorithms and
implementations use hashing when you
want to validate integrity of data or to
prove that you both know the same secret
and then generally with encryption you
want to use symmetric algorithms because
they perform so much better unless you
have special needs for a symmetric set
things such as digital signatures you
need to do key exchanges etc and again
know your threats choose the proper
countermeasure so you need to know what
you're trying to do whether it's
confidentiality or non-repudiation
will help guide what the right type of
algorithm and approach will be when
you're doing down at core some quick
resources I have a Pluralsight course
that's an introduction to cryptography
and net so it goes through the same
contents and a lot more detail with a
lot of practical examples using done
that framework in that case here's four
very good books that talk about
cryptography so if you're interested in
how AES actually functions or how RSA
works and all the math and and the
technical background you can look at
those if you want to get background just
on the history of different uses of
cryptography what people did how it got
broken both of these books are excellent
books for that and that's my Twitter
that's an email address we can reach me
that's where I have the slides and the
code available and we can either do some
questions or I can show a couple
examples if we have a little time
okay thank you so much so a bit of can
you hear me all right actually
oh sorry can you hear me all right
Robert okay we'll see if this works um
we need to switch off our mics because
there is an echo that we haven't solved
yet because half of the team needs to
sleep at some point that's the fun of
doing 24 hour livestream so I will
forward you the questions Robert and
then I will let's see thank you and hey
there we go okay and then I will be able
to unmute you and then I'll mute myself
so we avoid the echo okay so here we go
so in general people really appreciate
the advice about not writing your own
hash functions do you have any more to
say on that topic no I think like I said
it's nice that we have open-source
trusted well deployed well tested
hashing and cryptography you know the
encryption asymmetric all of that stuff
built into the framework I just a lot of
people have said that they can write
their own cryptography and they think
that by writing their own algorithm and
keeping it secret that they'll be able
to do a better job and be able to
encrypt stuff and virtually every time
that's been tried that's a lot of times
when people go on an audit and and look
at specific issues with breaches and
such they find that people do things
like that
take advantage of the stuff that's built
into the framework just don't try to
write your own if you really want to be
a cryptographer go to a place where you
have other cryptographers work together
on things like dotnet core and have
other people that can help review it
because it's it's complicated stuff to
create hopefully we've seen that it's
easy to use yes that would be the power
of teamwork I like it a lot it's always
good to have other people checking your
work okay so normally when one is using
an encryption or decryption it's ID
not to store the encrypted cipher text
on the database but just the encrypted
hash no good example would be if you
don't so for example on passwords you
traditionally would store hashes you
don't need to reverse that data to get
their original password you'll take the
new password they type you'll hash it
you'll compare it to a hash that works
in that situation when you're storing
data that you need to be able to get
back and retrieve and actually see the
value of you're going to have to
actually use encryption in which case
you'll want to use decryption as well
I've got some examples in the sample
code you can look at a good example of a
public website that needs to take data
you could put a public private key put
the public key only on your web server
so if anybody got it who cares encrypt
stuff on the front end using the public
key stored encrypted in the backend and
then the only system that needs to
decrypt it and use it has the private
key but it's fine
I mean if you need to get the data back
you need to be able to decrypt it so you
have to use encryption it's fine to
store that in the database passwords are
an example of I don't really need to
back it up and see it I just need to
make sure it's the same and that's why
they use hashes for that great ok sorry
I have to like now tight for buttons
while we transfer so when it was just a
general question what is the best place
to store the encryption key very end of
that sorry I know ok I'm trying to ask
again but I have to switch all of the
buttons ok what sorry what is the best
place to store the encryption key that's
a long very long answer depending on
what you have access to what kind of
system you have I tend to like the
example I just went through if I've got
a public-facing web server I generally
treat that web server like it's
compromisable you know at any time I
could have a zero-day exploit things
like that so I really don't want to have
a key stored on that machine that's
where I think storing the public key
makes a lot of sense
so if I use asymmetric put a public key
on there I can even put that in my code
if I want it doesn't matter because if
anybody sees that it doesn't help them
only on my internal behind the firewall
system what I actually have the private
key that could do that decryption
there's as your key vault there's other
techniques depending on what your
deployment environment is how paranoid
you are what your threat models are how
people attack you etc but in general I
like doing the public key if it's a
website all right well thank you so much
for joining us Robert that was very
interesting next up we have John what is
John going to be talking about Xavier
John is gonna be talking about xamarin
and modern Android applications so we're
gonna hang up here on Robert and we're
gonna call him right up so it's stick to
and Kendra now gonna switch because like
we gotta take breaks from Dino dive and
we'll go from there
all right thanks so much thanks so much
Robert all right