Cryptography is a fundamental aspect of modern software development, ensuring data confidentiality, integrity, and authentication. This article explores key cryptographic concepts, secure coding practices, and common vulnerabilities that developers must address to build secure applications.
1. Symmetric Encryption in C#
Understanding Symmetric Encryption
Symmetric encryption uses the same key for both encryption and decryption. It is efficient for encrypting large amounts of data but requires secure key management to prevent unauthorized access.
Implementing Symmetric Encryption in C#
C# provides the System.Security.Cryptography namespace, which includes the Aes class for secure encryption. Below is an example of AES encryption:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
class Program
{
static void Main()
{
string plaintext = "Sensitive Data";
byte[] key = GenerateRandomKey();
byte[] iv = GenerateRandomIV();
byte[] encrypted = Encrypt(plaintext, key, iv);
string decrypted = Decrypt(encrypted, key, iv);
Console.WriteLine($"Encrypted: {Convert.ToBase64String(encrypted)}");
Console.WriteLine($"Decrypted: {decrypted}");
}
static byte[] Encrypt(string plainText, byte[] key, byte[] iv)
{
using (Aes aes = Aes.Create())
{
aes.Key = key;
aes.IV = iv;
using (ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV))
using (MemoryStream ms = new MemoryStream())
using (CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
{
byte[] plainBytes = Encoding.UTF8.GetBytes(plainText);
cs.Write(plainBytes, 0, plainBytes.Length);
cs.FlushFinalBlock();
return ms.ToArray();
}
}
}
static string Decrypt(byte[] cipherText, byte[] key, byte[] iv)
{
using (Aes aes = Aes.Create())
{
aes.Key = key;
aes.IV = iv;
using (ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV))
using (MemoryStream ms = new MemoryStream(cipherText))
using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
using (StreamReader sr = new StreamReader(cs))
{
return sr.ReadToEnd();
}
}
}
static byte[] GenerateRandomKey() => Aes.Create().Key;
static byte[] GenerateRandomIV() => Aes.Create().IV;
}
Best Practices for Symmetric Encryption
- Use AES with a key size of at least 256 bits.
- Store keys securely (e.g., Azure Key Vault, AWS KMS).
- Use a unique IV for each encryption operation.
2. Password Hashing: Is Just Hashing Enough?
Storing passwords using simple hashing (e.g., SHA-256) is not sufficient, as attackers can use rainbow tables and brute-force attacks. Instead, developers should use adaptive hash functions like bcrypt, PBKDF2, or Argon2, which introduce computational cost to slow down attacks.
Using Adaptive Hash Functions in C#
The following example demonstrates password hashing with PBKDF2:
using System;
using System.Security.Cryptography;
class Program
{
static void Main()
{
string password = "SecurePassword123";
byte[] salt = GenerateSalt();
byte[] hash = HashPassword(password, salt);
Console.WriteLine($"Salt: {Convert.ToBase64String(salt)}");
Console.WriteLine($"Hash: {Convert.ToBase64String(hash)}");
}
static byte[] GenerateSalt()
{
byte[] salt = new byte[16];
using (var rng = RandomNumberGenerator.Create())
rng.GetBytes(salt);
return salt;
}
static byte[] HashPassword(string password, byte[] salt)
{
using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
return pbkdf2.GetBytes(32);
}
}
Best Practices for Password Hashing
- Always use a unique, randomly generated salt per user.
- Choose a computationally expensive algorithm (e.g., bcrypt, PBKDF2, Argon2).
- Set a high iteration count (e.g., 100,000+ for PBKDF2).
3. Insecure Direct Object Reference (IDOR) and Horizontal Authorization
Understanding IDOR
IDOR occurs when attackers manipulate object references in requests (e.g., user IDs in URLs) to access unauthorized resources.
Example of an IDOR vulnerability
// Vulnerable endpoint
public IActionResult GetUserProfile(int userId)
{
var user = db.Users.Find(userId);
return user != null ? Ok(user) : NotFound();
}
An attacker could modify the userId parameter to access another user’s profile.
Preventing IDOR: Implementing Horizontal Authorization
To prevent IDOR, enforce authorization checks:
public IActionResult GetUserProfile(int userId)
{
var currentUser = GetCurrentUser(); // Retrieve authenticated user
if (currentUser.Id != userId)
return Forbid(); // Prevent unauthorized access
var user = db.Users.Find(userId);
return user != null ? Ok(user) : NotFound();
}
Best Practices for Preventing IDOR
- Never rely solely on user input for object references.
- Always check authorization before returning sensitive data.
- Use access control lists (ACLs) or role-based access control (RBAC).
4. Unsafe Reflection and ReDoS (Regular Expression Denial of Service)
Unsafe Reflection
Reflection can be dangerous if user input determines which classes or methods are instantiated/executed.
Example of an unsafe reflection vulnerability
public object CreateInstance(string className)
{
Type type = Type.GetType(className);
return Activator.CreateInstance(type);
}
If an attacker provides System.IO.File as className, they could manipulate files on the system.
Secure Alternative
public object CreateInstanceSecure(string className)
{
var allowedTypes = new Dictionary<string, Type>
{
{ "SafeClass", typeof(SafeClass) }
};
return allowedTypes.TryGetValue(className, out Type type) ? Activator.CreateInstance(type) : null;
}
Regular Expression Denial of Service (ReDoS)
Poorly crafted regex patterns can lead to excessive backtracking, causing performance issues.
Vulnerable regex pattern
Regex regex = new Regex(@"(a+)+"); // Catastrophic backtracking
regex.IsMatch("aaaaaaaaaaaaaaaaaaaaa!");
Secure Regex Practice
- Use timeouts when evaluating regex:
Regex regex = new Regex(@"^(a|b)+$", RegexOptions.Compiled, TimeSpan.FromMilliseconds(500));
- Avoid nested quantifiers like
(a+)+.
5. Cross-Site Request Forgery (CSRF) Protection
Understanding CSRF
CSRF attacks trick authenticated users into making unintended requests.
Preventing CSRF with Tokens in C#
ASP.NET Core includes built-in CSRF protection using anti-forgery tokens:
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult TransferFunds(decimal amount)
{
// Process the transaction securely
}
Best Practices for CSRF Prevention
- Use anti-forgery tokens (
@Html.AntiForgeryToken()in Razor). - Enforce same-site cookies (
SameSite=Strict). - Use CORS policies to restrict cross-origin requests.
Developers must implement secure cryptographic practices to protect sensitive data and prevent common security vulnerabilities. By using strong encryption, proper password hashing, authorization controls, and CSRF protections, you can build secure applications that resist attacks.