Skip to main content

.NET Encryption and Decryption

Introduction

Encryption is a fundamental concept in application security that converts sensitive information into an unreadable format (ciphertext) that can only be decoded back to its original form (plaintext) using specific keys or passwords. In today's digital landscape, where data breaches are increasingly common, implementing proper encryption in your .NET applications is essential for protecting sensitive data.

This guide will walk you through the basics of encryption and decryption in .NET, covering both symmetric and asymmetric encryption techniques with practical code examples that you can apply to your projects.

Understanding Encryption Fundamentals

Before diving into code, let's understand some key concepts:

  1. Symmetric Encryption: Uses the same key for both encryption and decryption
  2. Asymmetric Encryption: Uses a pair of keys (public and private) where data encrypted with the public key can only be decrypted with the private key
  3. Hashing: One-way transformation of data that cannot be reversed (not technically encryption)
  4. Salt: Random data added to the input before hashing to prevent dictionary attacks

Symmetric Encryption in .NET

Symmetric encryption is faster than asymmetric encryption and is ideal for encrypting large amounts of data. .NET provides several algorithms for symmetric encryption through the System.Security.Cryptography namespace.

Using AES (Advanced Encryption Standard)

AES is one of the most secure and widely used symmetric encryption algorithms. Here's how to implement it in .NET:

csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class AesEncryptionExample
{
    // Encrypt a string using AES
    public static (string cipherText, byte[] key, byte[] iv) EncryptString(string plainText)
    {
        // Check arguments
        if (plainText == null || plainText.Length <= 0)
            throw new ArgumentNullException(nameof(plainText));

        byte[] encrypted;
        byte[] key;
        byte[] iv;

        // Create an Aes object with the specified key and IV
        using (Aes aesAlg = Aes.Create())
        {
            // Save the key and IV for decryption
            key = aesAlg.Key;
            iv = aesAlg.IV;

            // Create an encryptor to perform the stream transform
            ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);

            // Create the streams used for encryption
            using (MemoryStream msEncrypt = new MemoryStream())
            {
                using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                {
                    using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
                    {
                        // Write all data to the stream
                        swEncrypt.Write(plainText);
                    }
                    encrypted = msEncrypt.ToArray();
                }
            }
        }

        // Return the encrypted bytes as a Base64 string along with the key and IV
        return (Convert.ToBase64String(encrypted), key, iv);
    }

    // Decrypt a string using AES
    public static string DecryptString(string cipherText, byte[] key, byte[] iv)
    {
        // Check arguments
        if (cipherText == null || cipherText.Length <= 0)
            throw new ArgumentNullException(nameof(cipherText));
        if (key == null || key.Length <= 0)
            throw new ArgumentNullException(nameof(key));
        if (iv == null || iv.Length <= 0)
            throw new ArgumentNullException(nameof(iv));

        // Declare the string used to hold the decrypted text
        string plaintext;

        // Convert the cipherText from Base64 to bytes
        byte[] cipherBytes = Convert.FromBase64String(cipherText);

        // Create an Aes object with the specified key and IV
        using (Aes aesAlg = Aes.Create())
        {
            aesAlg.Key = key;
            aesAlg.IV = iv;

            // Create a decryptor to perform the stream transform
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

            // Create the streams used for decryption
            using (MemoryStream msDecrypt = new MemoryStream(cipherBytes))
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                {
                    using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                    {
                        // Read the decrypted bytes from the decrypting stream
                        plaintext = srDecrypt.ReadToEnd();
                    }
                }
            }
        }

        return plaintext;
    }
}

Example Usage:

csharp
// Example of using the AES encryption class
string originalText = "Sensitive data that needs encryption";
Console.WriteLine($"Original Text: {originalText}");

// Encrypt the text
var (encryptedText, key, iv) = AesEncryptionExample.EncryptString(originalText);
Console.WriteLine($"Encrypted Text: {encryptedText}");

// Decrypt the text
string decryptedText = AesEncryptionExample.DecryptString(encryptedText, key, iv);
Console.WriteLine($"Decrypted Text: {decryptedText}");

Output:

Original Text: Sensitive data that needs encryption
Encrypted Text: A6nB3Cp7D8eF0gH2iJ4kL5mN6oP7qR8sT9uV0wX1yZ2...
Decrypted Text: Sensitive data that needs encryption

Asymmetric Encryption in .NET

Asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. It's generally slower than symmetric encryption but offers additional security benefits and is often used for securely exchanging symmetric keys.

Using RSA

Here's how to implement RSA encryption in .NET:

csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class RsaEncryptionExample
{
    // Generate a new RSA key pair
    public static RSA GenerateKeyPair()
    {
        return RSA.Create(2048); // 2048-bit key
    }

    // Export public key to XML format
    public static string ExportPublicKey(RSA rsa)
    {
        return rsa.ToXmlString(false);
    }

    // Export private key to XML format
    public static string ExportPrivateKey(RSA rsa)
    {
        return rsa.ToXmlString(true);
    }

    // Import key from XML format
    public static RSA ImportKey(string keyXml)
    {
        RSA rsa = RSA.Create();
        rsa.FromXmlString(keyXml);
        return rsa;
    }

    // Encrypt data using RSA
    public static byte[] Encrypt(string plainText, string publicKeyXml)
    {
        // Convert the text into bytes
        byte[] dataToEncrypt = Encoding.UTF8.GetBytes(plainText);

        // Create a new RSA using the provided public key
        using (RSA rsa = ImportKey(publicKeyXml))
        {
            // Encrypt the data
            return rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA256);
        }
    }

    // Decrypt data using RSA
    public static string Decrypt(byte[] cipherText, string privateKeyXml)
    {
        // Create a new RSA using the provided private key
        using (RSA rsa = ImportKey(privateKeyXml))
        {
            // Decrypt the data
            byte[] decryptedData = rsa.Decrypt(cipherText, RSAEncryptionPadding.OaepSHA256);
            
            // Convert bytes back to string
            return Encoding.UTF8.GetString(decryptedData);
        }
    }
}

Example Usage:

csharp
// Generate new key pair
using (RSA rsa = RsaEncryptionExample.GenerateKeyPair())
{
    // Export the keys
    string publicKey = RsaEncryptionExample.ExportPublicKey(rsa);
    string privateKey = RsaEncryptionExample.ExportPrivateKey(rsa);

    // The original message
    string originalMessage = "This is a secret message";
    Console.WriteLine($"Original Message: {originalMessage}");

    // Encrypt using the public key
    byte[] encryptedData = RsaEncryptionExample.Encrypt(originalMessage, publicKey);
    Console.WriteLine($"Encrypted (Base64): {Convert.ToBase64String(encryptedData)}");

    // Decrypt using the private key
    string decryptedMessage = RsaEncryptionExample.Decrypt(encryptedData, privateKey);
    Console.WriteLine($"Decrypted Message: {decryptedMessage}");
}

Output:

Original Message: This is a secret message
Encrypted (Base64): Ab3dE4fG5hI6jK7lM8nO9pQ0rS1tU2vW3xY4...
Decrypted Message: This is a secret message

Password Hashing in .NET

While not technically encryption (since it's one-way), password hashing is a critical security concept every developer should understand. Modern .NET applications should use the Microsoft.AspNetCore.Cryptography.KeyDerivation namespace for password hashing.

csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public class PasswordHashingExample
{
    public static (string hashedPassword, byte[] salt) HashPassword(string password)
    {
        // Generate a random salt
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }

        // Derive a 256-bit subkey (use HMACSHA256 with 100,000 iterations)
        string hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
            password: password,
            salt: salt,
            prf: KeyDerivationPrf.HMACSHA256,
            iterationCount: 100000,
            numBytesRequested: 32));

        return (hashed, salt);
    }

    public static bool VerifyPassword(string enteredPassword, string storedHash, byte[] storedSalt)
    {
        // Hash the input password with the stored salt
        string hashedInput = Convert.ToBase64String(KeyDerivation.Pbkdf2(
            password: enteredPassword,
            salt: storedSalt,
            prf: KeyDerivationPrf.HMACSHA256,
            iterationCount: 100000,
            numBytesRequested: 32));

        // Compare the computed hash with the stored hash
        return hashedInput == storedHash;
    }
}

Example Usage:

csharp
// Original password
string originalPassword = "MySecurePassword123";

// Hash the password (this would typically be stored in a database)
var (hashedPassword, salt) = PasswordHashingExample.HashPassword(originalPassword);
Console.WriteLine($"Hashed Password: {hashedPassword}");
Console.WriteLine($"Salt (Base64): {Convert.ToBase64String(salt)}");

// Later, when a user tries to log in:
string attemptPassword1 = "MySecurePassword123"; // Correct password
string attemptPassword2 = "WrongPassword"; // Wrong password

bool isValid1 = PasswordHashingExample.VerifyPassword(attemptPassword1, hashedPassword, salt);
bool isValid2 = PasswordHashingExample.VerifyPassword(attemptPassword2, hashedPassword, salt);

Console.WriteLine($"Attempt 1 valid: {isValid1}"); // Should be true
Console.WriteLine($"Attempt 2 valid: {isValid2}"); // Should be false

Output:

Hashed Password: gNAyKdDnjsB5U3bFIPx6z9CFcIhP0siBzlJ3a2JZ3cM=
Salt (Base64): nHxPv8yQcH6bRzJ9VMLkOw==
Attempt 1 valid: True
Attempt 2 valid: False

Real-World Application: Secure Configuration

A practical application of encryption is securing application configuration settings. Here's an example of how to protect sensitive configuration values in your .NET application:

csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

public class SecureConfiguration
{
    private readonly string _configPath;
    private readonly string _keyPath;
    private readonly byte[] _entropy;

    public SecureConfiguration(string configPath, string keyPath)
    {
        _configPath = configPath;
        _keyPath = keyPath;
        // Create entropy value for additional security
        _entropy = Encoding.UTF8.GetBytes("ApplicationSpecificEntropy");
        
        // Create key directory if it doesn't exist
        Directory.CreateDirectory(Path.GetDirectoryName(keyPath));
    }

    // Save a sensitive configuration setting
    public void SaveSetting(string settingName, string settingValue)
    {
        // Protect the data
        byte[] protectedData = ProtectData(Encoding.UTF8.GetBytes(settingValue));
        
        // Create XML document
        XmlDocument doc = LoadOrCreateConfigFile();
        
        // Check if setting already exists
        XmlNode settingNode = doc.SelectSingleNode($"//setting[@name='{settingName}']");
        
        if (settingNode == null)
        {
            // Create new setting
            XmlElement element = doc.CreateElement("setting");
            element.SetAttribute("name", settingName);
            element.SetAttribute("value", Convert.ToBase64String(protectedData));
            doc.DocumentElement.AppendChild(element);
        }
        else
        {
            // Update existing setting
            settingNode.Attributes["value"].Value = Convert.ToBase64String(protectedData);
        }
        
        // Save changes
        doc.Save(_configPath);
    }

    // Get a sensitive configuration setting
    public string GetSetting(string settingName)
    {
        if (!File.Exists(_configPath))
        {
            throw new FileNotFoundException("Configuration file not found.", _configPath);
        }
        
        // Load XML document
        XmlDocument doc = new XmlDocument();
        doc.Load(_configPath);
        
        // Find setting
        XmlNode settingNode = doc.SelectSingleNode($"//setting[@name='{settingName}']");
        
        if (settingNode == null)
        {
            throw new ArgumentException($"Setting '{settingName}' not found.");
        }
        
        // Get protected data
        byte[] protectedData = Convert.FromBase64String(settingNode.Attributes["value"].Value);
        
        // Unprotect the data
        byte[] unprotectedData = UnprotectData(protectedData);
        
        // Return as string
        return Encoding.UTF8.GetString(unprotectedData);
    }

    private byte[] ProtectData(byte[] data)
    {
        return ProtectedData.Protect(data, _entropy, DataProtectionScope.CurrentUser);
    }

    private byte[] UnprotectData(byte[] data)
    {
        return ProtectedData.Unprotect(data, _entropy, DataProtectionScope.CurrentUser);
    }

    private XmlDocument LoadOrCreateConfigFile()
    {
        XmlDocument doc = new XmlDocument();
        
        if (File.Exists(_configPath))
        {
            doc.Load(_configPath);
        }
        else
        {
            // Create new config file
            XmlDeclaration declaration = doc.CreateXmlDeclaration("1.0", "utf-8", null);
            doc.AppendChild(declaration);
            
            XmlElement root = doc.CreateElement("configuration");
            doc.AppendChild(root);
        }
        
        return doc;
    }
}

Example Usage:

csharp
// Create a secure configuration instance
var config = new SecureConfiguration("config.xml", "keys.dat");

// Save sensitive settings
config.SaveSetting("DatabaseConnectionString", "Server=myserver;Database=mydb;User Id=myuser;Password=mypassword;");
config.SaveSetting("ApiKey", "sk_test_abcdefghijklmnopqrstuvwxyz123456");

// Later, retrieve the settings when needed
string connectionString = config.GetSetting("DatabaseConnectionString");
string apiKey = config.GetSetting("ApiKey");

Console.WriteLine("Retrieved connection string: " + connectionString);
Console.WriteLine("Retrieved API key: " + apiKey);

Best Practices for Encryption in .NET

  1. Never Store Encryption Keys in Source Code: Use secure storage like Azure Key Vault or environment variables.

  2. Use Strong Algorithms: Prefer AES-256 for symmetric encryption and RSA-2048 or higher for asymmetric encryption.

  3. Secure Key Management: Consider how you will manage and rotate encryption keys.

  4. Avoid Custom Encryption: Don't invent your own encryption algorithms. Use established libraries.

  5. Encrypt Data in Transit and at Rest: Ensure data is protected both when stored and when being transmitted.

  6. Use HTTPS: Always use HTTPS for web applications to encrypt data in transit.

  7. Implement Proper Error Handling: Don't reveal sensitive information in error messages.

  8. Consider Data Protection API: For simpler scenarios, consider using the Data Protection API built into ASP.NET Core.

csharp
// Example of using Data Protection API in ASP.NET Core
public class DataProtectionExample
{
    private readonly IDataProtector _protector;

    public DataProtectionExample(IDataProtectionProvider dataProtectionProvider)
    {
        _protector = dataProtectionProvider.CreateProtector("MyApp.DataProtection");
    }

    public string ProtectData(string input)
    {
        return _protector.Protect(input);
    }

    public string UnprotectData(string protectedInput)
    {
        return _protector.Unprotect(protectedInput);
    }
}

Summary

Encryption and decryption are essential security tools in a developer's toolkit. In this guide, we've covered:

  • Symmetric encryption using AES for secure data storage
  • Asymmetric encryption using RSA for secure key exchange
  • Password hashing for secure credential storage
  • A practical example of securing application configuration
  • Best practices for implementing encryption in .NET applications

By implementing these techniques correctly, you can significantly improve the security of your .NET applications and protect sensitive user data from potential breaches.

Additional Resources

  1. Microsoft Documentation on System.Security.Cryptography
  2. ASP.NET Core Data Protection
  3. OWASP Cryptographic Storage Cheat Sheet
  4. Azure Key Vault Documentation

Exercises

  1. Create a console application that encrypts and decrypts a text file using AES encryption.
  2. Implement a secure password manager that stores encrypted passwords.
  3. Extend the SecureConfiguration example to include key rotation functionality.
  4. Create a web API that securely exchanges data with a client using asymmetric encryption.
  5. Research and implement envelope encryption (using a combination of symmetric and asymmetric techniques).

If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)