 Boney Robert Hi, hello Robert. How are you? Good? How are you? I'm doing so good. Let's see. Oh, I Don't know. Yep. Just working out this keyboard thing. Sorry about that So cryptography 101 with dotnet core. What do you got? Yes? Lots cool stuff. We're gonna talk about hashing symmetric encryption asymmetric encryption digital signatures all sorts cool stuff Great, um, do you want to go ahead and share your script? Oh, well, why don't you introduce yourself first? Sorry, what do you work on? So I work full-time on an e-commerce website and I'm also a Pluralsight author and do a lot of conference speaking and I'd be about it. ASP.net developer. So if we like Robert, there's plenty of content out there to go find There should be cryptography. Cool. Cool. Okay Um, so would you like to go ahead and share your screen and we can dive in? Yes, we know when you can see it. Okay. I'll let you know when we can see that. Let's see We're having some interesting Skype delays. I see that. Let's see Camera He's melting. Yeah, I think he was attempting to share his desktop and Skype might have crashed a bit Just a little bit. We're getting some very interesting melting graphics, though Everyone's saying to switch to teams Okay, we'll go ahead and restart Skype really quick and I'll just entertain and delay which is my main job Happy years here in the studio with me. We'll probably switch off. That's his hand We'll probably switch off throughout our interviews and whatnot. Oh, looks like we have Robert back But naturally as soon as I switch to the screen share It crashes again Okay, just switching back to me on camera, so we're gonna figure out this in a second. Oh, I think I see Robert again Okay, Robert. Can you share your screen? I think I saw it for a sec. Okay, that's me on Robert's screen and now I can Press the live share and it's repeating it because all it sees is him sharing Skype So maybe minimize Skype and then we'll be able to see hey, there we go. Okay. Now we can see your screen Robert Okay. Oh, that was fun That we took them through the the matrix there for a second Okay, let's dive in all right so like so we're gonna talk about cryptography 101 with that net core The principles will talk about cryptography. You can use any platforms They're very familiar algorithms and things that you can take advantage of but we're gonna focus on the implementations in dot-net core So a little bit about myself as said Microsoft MVP part of the ASB insiders Pluralsite author progress developer expert and fiddler. That's my Twitter handle So let's get started so some background cryptography is the science of keeping messages secure Why do you want cryptography? There's really four different things most people think about it for confidentiality So you're trying to protect data from being read. So you just have something you don't want people to see That's what most people think of when they think of cryptography there's also integrity and So integrity is where I want to verify that data has not been modified. So a lot of times you go to download sites You'll see here's the download They'll have integrity with a hash to show you that you can trust that the data is not verified. So we'll talk about that Robert real quick. Could you minimize the Skype at the top of your screen? We just like seeing all of your slides That better Yes Okay, so we've got authentication where you want to identify and validate who a user is and We're also going to have non-repediation. So a sender can't deny later that he sent a given message This is all in the system dot security dot cryptography namespace. That's where all these classes will come from and Most important thing if you get nothing else out of this talk, don't try to write your own cryptography I mean this stuff is well vetted A lot of people have seen it a lot of people use it It's built into the framework for us already take advantage of what's built in don't try to write your own So first thing we'll look at is hashing So the idea of the hash function is you have a one-way function So it's easy to compute in one direction, but significantly harder to reverse So a hash function is going to convert a variable length input into a fixed length It creates what you could call a data fingerprint or a digest and It's okay to see it So if I have data that I don't care that somebody and I don't need to hide it from them It's okay for them to see but I don't want it to be tampered with that's the integrity that we talked about earlier That's where a hash functions useful So as you see on the left-hand side, I've got some basic content And I can run a hash on it and it's going to create this data fingerprint or digest on the right-hand side That's the hash if I make even a single character change to the data that's on the left-hand side I'll get a vastly different hash so the idea is I can use it run a hash against the data See that the hash is match so I can see that things haven't been tampered with So let's take a look at a demo for hash functions. I don't know what's happening there Okay, so the pattern will be very familiar here for all the cryptography that we use in net So I'll spend a little bit of time on this one, but I start with Some initial plain text. So I've just got a string here that stores in this case. This is a simple demonstration of hashing I'm going to use the Shah 512 Class to do the hashes That's part of the Shah 2 family the Shah 1 MD5's all of those are not considered safe anymore. So you should use a Shah 2 functions. I'm going to use Shah 512 And what I'm going to do on this line You'll see is very familiar with all the other cryptography will do I have my string and I need to convert it into a byte array so I can use the cryptographic functions They just all operate on byte arrays So the first thing I'm going to do is I'm going to call the get bytes So I pass get bytes the plain text string. There's lots of different ways I could choose to encode this UTF-8 is a pretty common encoding scheme to take strings So I'm going to convert that do the UTF-8 encoding and then I'm going to simply call the compute hash function And as you can see from the comments, I'm going to get back a byte array here. That's got 512 bits That's just because I use Shah 512 Now I want to display that on the screen. So I'm actually going to use the bit converter class There's lots of different ways to do this. I'll show you later how we can use base 64 encoding There's times where I want to be able to use the hash on a query string and such So I want to use characters that aren't going to conflict with other things on my URL So in this case, I just call the bit converter. I Say I want it to go to string and as you can see up above here It's going to give me back something that looks like this So I'm just going to strip out all the dashes. I just end up with a Basic display. So let's look at what that looks like So you can see here. Here's my initial string and Then what it hashes to here? So in the example if I go back you can see even if I were to go change this if I Uncommented that and had a much larger string the actual hash will be a fixed size It's just based on what the hash is So that's basic hashing if we have some time later We'll talk about where you might want to use some of these techniques Like I said, it's common if you go to download from a given site. They often list their hash So they'll say here's a Shaw 256 etc that way, you know after you downloaded you could run the same algorithm It's going to do a hash even though it's a huge file It'll be a really small Hash and you'll be able to compare and say that's what the site said they had that's what I had after I downloaded it So I know that nobody's tampered with that. So that's a good use of hashing Now we'll get into what most people expect for cryptography and that's encryption and decryption There's gonna be two different kinds so we'll talk about symmetric algorithms first and They're symmetric because the encryption and the decryption are going to use the same secret key So we're going to have a secret to share between the two partners that want to exchange data and we need to keep that Key secret So if we follow along in the diagram on the left hand side, I've got the plain text That's what I want to encrypt I'm going to run my encryption algorithm with a secret key The result is the cipher text. That's just the encrypted stuff. I want to send The person receiving the data will do the decryption and they're going to use the exact same secret key That's why it's called symmetric and if they do that they're going to get back to the original plain text So the primary attack against this as far as if people are going to try to break this They either are going to try to determine what the secret key is and if they couldn't intercept that or otherwise determine what it is They're going to try brute force key search. They're just going to try all the different possible keys So the main problem with us. It's really fast It's used a lot, but the key distribution is difficult So we'll talk later about Situations where I need to share with somebody on the internet that I haven't otherwise come in contact with It's hard to give them the secret key because how would you give it to them? ahead of time in a secure manner So they'll be places for symmetric like we said There's a couple main classes built into net and we're going to focus on the primary one that most people use today is a yes encryption so US government a lot of others. This is just the common Symmetric algorithm that everybody's using In net the symmetric algorithms are called block ciphers So they're going to take my string and break it up into individual blocks and encrypt each block one at a time That's why it's called a block cipher There's a couple different modes that you can use ECB or CBC. I won't get into all the details of these but basically If we use CBC, which we recommend that you use When you encrypt the first block of the data it wants to add more Randomization into the symmetric algorithm so it wants to take some random data from the first block you encrypt It's going to use the result of that as input into the next block that it encrypts So essentially there's a some extra randomness done each time it's encrypting blocks of your original data So the question for that then becomes how do they get random data for the very first block that you're going to use? That uses what's called an initialization vector So the idea with that again is just some random data that's going to be used to seed the first block for your encryption It doesn't need to be a secret So you'll see when we look at the diagram that I'm going to transmit that along with And I'm never going to reuse it. I'm just it's always going to be unique for each set of data That's all that's important So let's take a look at a demo of symmetric algorithms So I've got a web page. We'll look at the page first So I come out here and type in some random plain text I can hit encrypt We'll see that it created the cipher text, but it also gave me the initialization vector So that's what was used to seed the first block of this encryption So I need to send both of these two things. I'm going to send the cipher text and this initialization vector Again now that the cipher text is encrypted. It's safe for me to just send both of these pieces again the IV It's fine if that's visible to people If I hit decrypt we'll see that I get back the original plain text like you'd expect so let's look at how this is implemented So when I do a post I happen to be using razor pages and so again, you can use this console wherever you want I'm going to give sample code at the end that has a lot of examples of practical ways to use cryptography in an ASP.net website So that's why I chose to host it in here But the first thing I'm going to do is I'm going to actually create an AES cipher, so we'll go up and look at what that looks like It's pretty straightforward I just use that class and say create and I listed on the right hand side what some of those defaults will be I'm going to set the padding mode. So for the padding mode. It's fine to use the Default I like to use this padding mode because what it does is you take your original string You're going to break it into blocks that very last block isn't going to magically be the right size You know 128 bits so the algorithm needs to pad out the rest of that block by using this ISO padding mode It's going to put random data and the rest of that block Which again it just helps with cryptography to be able to use more random data when you're doing things So I like to use that for the padding mode I left this in here if you want to test later if you do a padding mode of zero and you use the wrong mode Every time you encrypt the same piece of data It will always end up with the same encrypted cipher text by using these other defaults even if I encrypt the word yes 20 times every time it's going to turn out having something different because of the mode that we're using with CBC Uses that initialization vector to get the original random text to use I'm doing this only for a demo. I'm setting the key Obviously, it's not a good decision to store my key directly in the code We're not going to have a lot of time today to talk about ways to store keys securely but For the demo code to be able to give it to you I wanted you to be able to see you can just generate some random bits and that's what I did to create that key So now what I have I've got the actual AES cipher As we saw before when I did the cipher it created some Initialization data it created that first block of random data to use for encryption I wanted to be able to show that on the page And so I did a conversion to base 64 it so that when I displayed it back in the web page You would actually see it in a visible form because it started as a byte array To do the actual encryption I create an encryptor I again do the UTF-8 encoding that I did before that takes my plain text string and converts it into a byte array and Then I call this transform final block Which does the actual encryption and Then I chose in this case again to use base 64 encoding so that I could display it on the screen as a string Decryption is similar. I create the same cipher I do kind of the reverse and then here I'm doing the create decryptor So again, the main point is just you look very quickly This is a well-established algorithm that lots of people use that's highly secure And it really doesn't take much net code at all to be able to take advantage of it correctly to do my encryption So that is symmetric Talk about asymmetric So the idea with asymmetric is you're going to the two partners are going to create their own public private key pair And they're not the same. That's why they call it asymmetric So in this case if I want to send to someone else, I'm going to get their public key I'll take the plain text. I'm going to use the encryption using their public key Once I do that I've got cipher text and the advantage of asymmetric is because I use their public key The only thing that can decrypt this now is their private key So obviously the receiver is going to hold on to their private key make sure nobody learns that But they're free to give out their public key wherever they want. You'll see it on people's blogs You'll see the email signatures Anybody then can take that public key do encryption Knowing that only the person who has the private key can do the decryption and get back to where they started Problem with asymmetric so it's great because it's easy to distribute keys Especially with people that you haven't even worked with before So for instance, you came to my blog you'd be able to get my public key We wouldn't need to talk in advance for you to be able to send me things that are encrypted The bad news is it's about a thousand times slower than symmetric algorithms So you'll often see in practice like HTTPS and TLS. They actually use asymmetric To encrypt a session symmetric key. So in other words, they Generate a random symmetric key. They will exchange that symmetric key using asymmetric encryption So that they can safely do that and then they continue Again, some of the very popular classes we'll talk and focus on the RSA class So we'll do a quick demo on that So very similar to what we saw before I'm going to create. I'll show you the page quick. I Can type in some text do an encryption and then I'll do the decrypt get back to where I started So very similar. I'm going to create a cipher like I did before in this case. I just use RSA. I have created a set of Public-private keys that I have stored in this variable so now what I can do is Take the plain text. I'll do my UTF-8 again to do the encoding to get it into a byte array I'll call the encryption method which uses RSA and The public key from that key chain and then I will base 64 it so I can show it on the screen And a similar thing for decryption. So again, you'll see It's very simple to do this. I've got examples in the code for how you can create RSA keys So later on you can see how to create keys for both asymmetric and symmetric by using some of these other classes and Pages, but basically that's how easy it is to do encryption when you're using .net core So talk quickly about digital signatures and this provides both integrity and non-repudiation The idea is I'm going to hash the contents of a message and then I'm going to sign that hash with my private key By default it doesn't provide Confidentiality, but I'm going to show you in the diagram how you can do that as well So if we follow along here, I've got some plain text I'm going to encrypt it using asymmetric just like I did before. I'll use the receiver's public key to do encryption I'll get cipher text. I'll use hashing to compute a hash Once I have the hash, I'll sign it with my private key and That will become my signature. So now when I send the cipher text The person will be able to use the receiver's private key to decrypt it They'll be able to use my public key to prove that I'm the person who signed it So again, they have non-repudiation. We've got integrity and we have confidentiality all in one big Approach here as far as using this in .net core Couple cool things that are coming with .net core 3.0 We now will have authenticated encryption for the first time So we talked about AES encryption before and we've talked about hashing this combines the two of them so that I can Do the encryption send it to you and not only will you know that you can decrypt it But you'll also be able to use the hash to verify that it hasn't been tampered with So there's two new classes that come in .net core 3.0. Like I said, this is the first time we've had access to authenticated encryption So that's cool They've also got an expanded list of cryptographic key formats that we can import and export compared to what we had in the past So in summary Don't write your own encryption Use trusted algorithms and implementations Use hashing when you want to validate integrity of data or to prove that you both know the same secret and Then generally with encryption you want to use symmetric algorithms because they perform so much better Unless you have special needs for asymmetric set things such as digital signatures. You need to do key exchanges, etc And again, know your threats choose the proper countermeasures So you need to know what you're trying to do whether it's confidentiality or non-repediation Will help guide what the right type of algorithm and approach will be When you're doing down at core Some quick resources. I have a Pluralsight course That's an introduction to cryptography and net so it goes through the same contents and a lot more detail with a lot of practical examples using .net framework in that case Here's four very good books that talk about cryptography So if you're interested in how AES actually functions or how rsa works and all the math and and the technical background You can look at those If you want a good background just on the history of different uses of cryptography What people did how it got broken Both of these books are excellent books for that And that's my twitter. That's an email address where you can reach me. That's where I have the slides and the code available And we can either do some questions or I can show a couple examples if we have a little time Okay, thank you so much. So um a bit of can you hear me all right? Actually, oh Sorry, can you hear me all right robert? Okay, we'll see if this works um We need to switch off our mics because there is an echo that we haven't solved yet because Half of the team needs to sleep at some point. Um, that's the fun of doing 24 hour live streams Um, so I will forward you the questions robert and then I will Uh, let's see There we go. Okay, and then I will be able to unmute you and then I'll mute myself So we avoid the echo. Okay So here we go. So in general people really appreciate the advice about not writing your own hash functions Do you have any more to say on that topic? No, I I think like I said, it's nice that we have open source trusted well deployed well tested Hashing and cryptography, you know the encryption asymmetric all of that stuff built into the framework. I just A lot of people have said that they can write their own cryptography And they think that by writing their own algorithm and keeping it secret that they'll be able to do a better job and be Able to encrypt stuff and virtually every time that's been tried That's a lot of times when people go on an audit and and look at specific issues with breaches and such they find that People do things like that Take advantage of the stuff that's built into the framework Just don't try to write your own if you really want to be a cryptographer Go to a place where you have other cryptographers Work together on things like dot net core and have other people that can help review it because it's it's complicated stuff to Create hopefully we've seen that it's easy to use Yes, that would be the power of teamwork I like it a lot. It's always good to have other people checking your work. Okay, so um Normally when one is using encryption or decryption It's ideal not to store the encrypted ciphertext on the database, but just the encrypted hash. No Good example would be if you don't so for example on passwords you traditionally would store hashes You don't need to reverse that data to get their original password You'll take the new password. They type you'll hash it You'll compare it to a hash that works in that situation When you're storing data that you need to be able to get back and retrieve and actually see the value of You're going to have to actually use encryption in which case you'll want to use decryption as well I've got some examples in the sample code you can look at A good example of a public website that needs to take data You could put a public private key Put the public key only on your web server. So if anybody got it who cares Encrypt stuff on the front end using the public key Stored encrypted in the back end and then the only system that needs to decrypt it and use it has the private key But it's fine. I mean you if you need to get the data back You need to be able to decrypt it. So you have to use encryption. It's fine to store that in the database Passwords are an example of I don't really need to back it up and see it I just need to make sure it's the same and that's why they use hashes for that Great. Okay. Sorry. I have to like now type four buttons while we transfer um, so Uh, what was just a general question. What is the best place to store the encryption key? I only caught the very end of that. Sorry I know. Okay. I'm trying to ask again, but I have to switch all of the buttons. Okay. What sorry What is the best place to store the encryption key? That's a long very long answer depending on What you have access to what kind of system you have I tend to like the example I just went through if I've got a public facing web server I generally treat that web server like it's compromisable You know at any time I could have a zero day exploit things like that So I really don't want to have a key stored on that Um machine that's where I think storing the public key makes a lot of sense So if I use asymmetric put a public key on there I can even put that in my code if I want it doesn't matter because if anybody sees that it doesn't help them Only on my internal behind the firewall system What I actually have the private key that could do that decryption There's azure key vault. There's other techniques depending on what your deployment environment is How paranoid you are what your threat models are how people attack you et cetera, but In general, I like doing the public key if it's a website All right. Well, thank you so much for joining us robert. That was very interesting. Um, next up we have john What is john going to be talking about Javier? John is going to be talking about zamaran and modern android applications So we're going to hang up here on robert and we're going to call them right up So stick to and can't we're not going to switch because like we got to take breaks from time to time And we'll go from there. All right. Thanks so much. Thanks so much robert All right