Cryptography in .NET

This article gives a brief overview of Cryptography and the Cryptography support provided by the .NET Framework. I begin by introducing Cryptography and then proceed to examine the various types of it. In particular, I review and analyze the various cryptography algorithms and objects supported by .NET. I conclude after proposing and briefly discussing the algorithmic technique that would work best for you.


I remember that as kids, we would often play a game called 'jumble the word', wherein we would replace each letter of a word with another. This way, A would be replaced with C, B with D, and so on. Only someone who understood this algorithm (in this case, shift by 2) could decipher these messages and tell the word. Well, in fact, this is 'Cryptography'. Surprisingly, we often use cryptography without consciously knowing it. For example, you may have tried to pass on a secret message to your friend using signals that only the two of you understood, or scribbled some text whose meaning was known only to you. We have all done that. We begin.

Cryptography is the science of scrambling meaningful characters into non-meaningful characters so that people who do not have access to the data cannot read it. The science of cryptography has been around for many years, even long before computers. Cryptography, over the ages, has been an art practiced by many who have devised different techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. With the advent of computers, however, the science was able to produce almost unbreakable codes.

Well, Cryptography has been considered one of the most complex aspects a developer has to deal with. Using cryptographic algorithms and techniques is not considered child's play, as it requires a high level of mathematical knowledge. Fortunately, with Microsoft .NET, newly created classes wrap up these sophisticated algorithms into fairly easy-to-use properties and methods. This article gives you an overview of the cryptography support that is provided by the .NET Framework.

However, let's first look at a few terms to make you familiar with cryptography:

  • Data that can be read and understood without any special measures is called 'plaintext' or 'cleartext'.
  • The method of disguising plaintext in such a way as to hide its meaning is called 'Encryption'.
  • Encrypting plaintext results in unreadable chunks of data called 'Ciphertext'. You use encryption to make sure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data.
  • The process of reverting ciphertext to its original plaintext is called 'Decryption'.
  • And finally, a 'key' is a string of bits used for encrypting and decrypting information to be transmitted. It is a randomly generated set of numbers/characters that is used to encrypt/decrypt information.

Types of Cryptography

After getting familiar with the terminology, let's delve into the types of Cryptography. There are two types of cryptography: private-key encryption and public-key encryption.

Private key Encryption

Private Key encryption, also referred to as conventional, symmetric or single-key encryption, was the only available option prior to the advent of Public Key encryption in 1976. This form of encryption was used by emperors like Julius Caesar and other military organizations to convey secret messages. It requires all communicating parties to share a common key. With private-key encryption, you encrypt a secret message using a key that only you know. To decrypt the message, you need to use the same key. Private-key cryptography is effective only if the key can be kept secret. Despite the potential weakness of private-key encryption, it is very easy to implement and computationally doesn't consume excessive resources.

Let's see an example - Imagine Julius is trying to send a secret message to his army chief, using a private key. In order for his chief to decrypt the secret message, he must know the private key. So Julius needs to send the key to him. But if the key somehow becomes known to his opponents, the message is no longer secure. Moreover, if the Chief tells his subordinate about the private key, the subordinate can then also decrypt the message.

Public-key encryption

Public key encryption algorithms are based on the premise that each sender and recipient has a private key, known only to him/her and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key. Each is related to the other mathematically, such that messages encrypted with the public key can only be decrypted with the corresponding private key.

Let's see an example - Before Julius sends a message to his chief, the chief needs to generate the key pair containing the private key and the public key. The chief then freely distributes the public key to his subordinates but keeps the private key to himself. When Julius wants to send a message to his chief, he uses the chief's public key to encrypt the message and then sends it to him. Upon receiving the encrypted message, the Chief proceeds to decrypt it with his private key. In this case, he's the only one who can decrypt the message, since the key pair works in such a way that only messages encrypted with the public key can be decrypted with the private key. Also, there's no need to exchange secret keys, thus eliminating the risk of compromising the secrecy of the key.
The reverse can happen as well. Suppose the Chief sends a message encrypted with his private key to Julius. To decrypt the message, Julius needs the Chief's public key. But what's the point of that? The public key isn't a secret; everyone knows it. However, using this method guarantees that the message hasn't been tampered with and is indeed from his chief and not his opponents. If the message had been modified, Julius wouldn't be able to decrypt it.

I wish he was here to read all this!!!

.NET and Cryptography

.NET provides a set of cryptographic objects, supporting well-known algorithms and common uses including hashing, encryption, and generating digital signatures. These objects are designed in a manner that facilitates the incorporation of these basic capabilities into more complex operations, such as signing and encrypting a document. Cryptographic objects are used by .NET to support internal services, but are also available to developers who need cryptographic support. The .NET Framework provides implementations of many such standard cryptographic algorithms and objects. Similar to the ready availability of simple authentication features within the .NET Framework, cryptographic primitives are also easily accessible to developers via stream-based managed code libraries for encryption, digital signatures, hashing, and random number generation. The System.Security.Cryptography namespace in the .NET Framework provides these cryptographic services. The Algorithm support includes:

RSA and DSA public key (asymmetric) encryption -

Asymmetric algorithms operate on fixed buffers. They use a public-key algorithm for encryption/decryption. An example for asymmetric algorithms is the RSA algorithm which is so named after its three inventors Rivest, Shamir, and Adleman. It is a popular public-key algorithm - the de facto standard - for digital signatures and can be used for encryption as well. The DSA_CSP is an implementation of the digital signature algorithm (DSA). This is a public-key algorithm. It can be used to create and verify a digital signature.

DES, TripleDES, and RC2 private key (symmetric) encryption -

Symmetric algorithms are used to modify variable length buffers and perform one operation for periodical data input. They use a single secret key to encrypt and decrypt data. The Data Encryption Standard (DES) is a world-wide standard for data encryption, which was published in the early 1970s. It is the most popular encryption algorithm. It is implemented by the DES_CSP class. This class represents a stream where you pour in data that is encrypted/decrypted using a single key. The Triple DES encryption algorithm operates on a block of data three times using one key. RC2 stands for Rivest Cipher or "Ron's Code", which is the name of its inventor. RC2 is a symmetric encryption algorithm and works with a variable key-size. It is a block cipher, like many other .NET cryptography algorithms, that operates on groups of bits in contrast to stream cipher algorithms.

MD5 and SHA1 hashing -

MD5 (Message Digest 5) is a one-way hash algorithm. Given variable length data as input, it always produces a 128-bit hash value. The Secure Hash Algorithm (SHA) is also a one-way hash algorithm. It produces a 160-bit hash value, which is longer than the hash value produced by MD5.

(You must have observed the word CSP. Well, CSP stands for Cryptographic Service Provider. It is the entity that performs the cryptographic computations. The CSP classes are derived from the corresponding base classes and implement a solution for a specific algorithm. For example, the DESCryptoServiceProvider class is derived from the DES class and implements the Data Encryption Standard. You can use the provided classes or implement your own solution.)

So many algorithms!! I am confused.

Here is a general guideline to help you decide when to use which method:

Symmetric, or secret key, algorithms are extremely fast and are well suited for encrypting large streams of data. These algorithms both encrypt and decrypt data. While these are fairly secure, they do have the potential to be broken given enough time, as someone could do a search on every known key value combination. Since each of these algorithms uses a fixed key length or ASCII characters, it is feasible that a computer program could try every possible combination of keys and eventually stumble onto the right one. A common use of these types of algorithms is for storing and retrieving connection strings to databases.

Asymmetric, or public key, algorithms are not as fast as symmetric, but are much harder codes to break. These algorithms rely on two keys, one is Private and the other is Public. The public key is used to encrypt a message. The Private key is the only one that can decrypt the message. The public and private keys are mathematically linked and thus both are needed for this cryptographic exchange to occur successfully. Asymmetric algorithms are not well suited to large amounts of data due to performance. One common use of asymmetric algorithms is to encrypt and transfer to another party a symmetric key and initialization vector. The symmetric algorithm is then used for all messages being sent back and forth.
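
The key exchange described above, as an added C# example that is not part of the original article: the recipient's RSA public key wraps a freshly generated AES key and IV (AES is Rijndael with a 128-bit block), and the message itself is encrypted symmetrically. The class name, the 2048-bit key size and the sample message are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class HybridExample
{
    // Runs a buffer through an encryptor or decryptor and returns the result.
    static byte[] Transform(ICryptoTransform transform, byte[] input)
    {
        using (transform)
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, transform, CryptoStreamMode.Write))
            {
                cs.Write(input, 0, input.Length);
                cs.FlushFinalBlock(); // emit the final padded block
            }
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        using (RSACryptoServiceProvider recipientRsa = new RSACryptoServiceProvider(2048))
        using (RSACryptoServiceProvider senderRsa = new RSACryptoServiceProvider())
        using (Aes senderAes = Aes.Create())       // fresh random Key and IV
        using (Aes recipientAes = Aes.Create())
        {
            // The sender only ever holds the recipient's public key.
            senderRsa.ImportParameters(recipientRsa.ExportParameters(false));

            // Sender: bulk data under the symmetric key, key and IV under RSA (OAEP padding).
            byte[] message = Encoding.UTF8.GetBytes("Constructed sample message for the chief");
            byte[] cipherText = Transform(senderAes.CreateEncryptor(), message);
            byte[] wrappedKey = senderRsa.Encrypt(senderAes.Key, true);
            byte[] wrappedIv = senderRsa.Encrypt(senderAes.IV, true);

            // Recipient: unwrap key and IV with the private key, then decrypt the data.
            recipientAes.Key = recipientRsa.Decrypt(wrappedKey, true);
            recipientAes.IV = recipientRsa.Decrypt(wrappedIv, true);
            byte[] plain = Transform(recipientAes.CreateDecryptor(), cipherText);

            Console.WriteLine("Wrapped key: {0} bytes, ciphertext: {1} bytes",
                wrappedKey.Length, cipherText.Length);
            Console.WriteLine("Recovered: " + Encoding.UTF8.GetString(plain));
        }
    }
}
```

CBC-mode encryption by itself does not detect modified ciphertext, so a real exchange would also carry a MAC or digital signature over the data.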

Hash values are used when you do not wish to ever recover the original value and you especially wish for no one else to discover the original value as well. Hashes will take any arbitrary string length and hash it to a fixed set of bytes. This operation is one-way, and thus is typically used for small amounts of data, like a password. If a user inputs a user password into a secure entry screen, the program can hash this value and store the hashed value into a database. Even if the database were compromised, no one would be able to read the password since it was hashed. When the user then logs into the system to gain entry, the password typed in is hashed using the same algorithm, and if the two hashed values match, then the system knows the input value was the same as the saved value from before.

Everyone Loves an Example

Everyone needs and loves a good example. After having read about the various algorithms available, let's see an example of encrypting and decrypting files using the System.Security.Cryptography namespace. I have used the RijndaelManaged encryption method. The RijndaelManaged class accesses the managed version of the Rijndael algorithm. This class cannot be inherited. The Rijndael class represents the base class from which all implementations of the Rijndael symmetric encryption algorithm must inherit.

The hierarchy is as follows :


To compile the following, cut and paste the code into a file, and run it in your VS.NET:

// Encrypting and decrypting files using the Rijndael Managed encryption method.
using System;
using System.IO;
using System.Security.Cryptography;

class CryptoEx
{
    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("FileName Not Entered. Specify a filename to encrypt.");
            return;
        }
        string file = args[0];
        string tempfile = Path.GetTempFileName();

        // Creating an instance. Its random key and IV exist only in this object,
        // so the same instance is used below for decryption.
        SymmetricAlgorithm symm = new RijndaelManaged();

        // Open the file to read and the temporary file that receives the ciphertext,
        // then call the CreateEncryptor method, which creates a symmetric encryptor object.
        using (FileStream fsIn = File.Open(file, FileMode.Open, FileAccess.Read))
        using (FileStream fsOut = File.Open(tempfile, FileMode.Open, FileAccess.Write))
        using (ICryptoTransform transform = symm.CreateEncryptor())
        using (CryptoStream cstream = new CryptoStream(fsOut, transform, CryptoStreamMode.Write))
        {
            BinaryReader br = new BinaryReader(fsIn);
            byte[] data = br.ReadBytes((int)fsIn.Length);
            cstream.Write(data, 0, data.Length);
            cstream.FlushFinalBlock(); // write the final padded block
        }
        Console.WriteLine("Created Encrypted File {0}", tempfile);

        // Reopen the encrypted file and decrypt it while reading.
        using (FileStream fsIn = File.Open(tempfile, FileMode.Open, FileAccess.Read))
        using (ICryptoTransform transform = symm.CreateDecryptor())
        using (CryptoStream cstream = new CryptoStream(fsIn, transform, CryptoStreamMode.Read))
        using (StreamReader sr = new StreamReader(cstream))
        {
            Console.WriteLine("Decrypted the File: " + sr.ReadToEnd());
        }
    }
}

Summary :

We saw that the .NET Framework supports encryption by means of cryptographic streaming objects based on the primitives. It also supports digital signatures, message authentication codes (MACs)/keyed hash, pseudo-random number generators (PRNGs), and authentication mechanisms. New or pre-standard primitives such as SHA-256 or XMLDSIG are already supported. The ready availability of such libraries is hopefully going to drive more widespread reliance on Cryptography to fortify the security of everyday applications. Based on our own experiences, we can confidently state that well-implemented cryptography dramatically increases the security of many aspects of a given application.