Security Terms For Wireless and Fixed Networks and the .NET 2.0 Framework Cryptography APIs
                    Part I : Terms, Technologies and Use
                   Part II:  Brief Overview of the System.Security.Cryptography Namespace

Part I Terms, Technologies and Use
Securing software, communications and wireless deployments are some of the areas where one is exposed to various types of encryption/decryption technologies. Point to note, the government classifies advanced types of encryption as munitions and prohibits export to certain countries making it a federal offense. In order to understand the various Framework 2.0 APIs and how to use them it is important to understand the strengths of them and where and when to apply them. But first we start with the definition of some ciphers followed up by various encryption technologies.

Block Cipher
A symmetric key cipher operates on fixed-length groups of bits in blocks. For example a file may be processed into a sequence of blocks of 128 bits of length. So the encryption is performed on an entire sixteen byte quantity all at once. Due to the bit packing/shifting operations block ciphers are slower than stream ciphers.

Stream Cipher
A symmetric key cipher encrypts operates on single digits one at a time, or a byte at time. Stream ciphers are faster than block ciphers.

DES Encryption (1976)
Adopted by the NIST (National Institute of Technologies and Standards) in 1976. DES stands for data encryption standard. It encrypts/decrypts in 64 bit blocks. Each 8 bit word uses one bit as a parity bit so the total length or “strength” is only 56 bits. DES is a special type of block cipher called a product cipher. It applies an algorithm 16 times on an input string to produce cipher text of the same length.  A key can typically be broken or “cracked” within 24 hours.

Triple DES Encryption (1977)
Shortly after the DES emerged, TDES was adopted. Triple DES applies 3 different keys making a total of three DES passes. Due to this triple encoding/decoding process the processing time is higher with TDES but also more secure. Again one bit is used as a parity bit so the effective total length or “strength” is 168 bits. Typically but not always the middle step applies decryption instead of encryption.  TDES is also known as TDEA (Triple Data Encryption Algorithm). Triple DES is not exportable. It is being superseded by the next best thing AES.

AES or RjinDael (1997)
Six times faster than TDES, AES stands for advanced encryption standard. AES is a block cipher and is also known as the RijnDael  algorithm.  It was created by two Belgians aptly named and Vincent Rijmen and Joan Daemen.  AES uses four step process and key lengths may be in the length of 128, 192 or 256.  Triple DES is not exportable. AES is considered “uncrackable” . It is considered stronger than DES, TDES, RC4 or TKIP.

RC2 (1987)
Developed by the folks at RSA Security, RC2 is a 64 bit block cipher with a variable key size. It is exportable with the 40 bit key implementation.

RC4 (1987)
RC4 (RSA) is used in several security protocols such as BitTorrent, CipherSabre, MPPE(Microsoft Point to Point), WEP, Secure Shell (Optional), SSL (Optional), TKIP, TLS, WEP, and WPA. RSA a firm launched by the following three: Ron Rivent, Adi Shamir, and Leonard Adleman. RC4 is a stream cipher. Key lengths are 64, 128 or 256 bits. RC4 works by XORing the key on the data stream. Note: WEP is a weak implementation of RC4, whereas TKIP is a stronger version is still used in wireless lan security instead of WEP.  Generally though RC4 is not considered a “safe” technology anymore.

RC5 (1994)
RC5 (RSA) is a block cipher which has a variable key size ranging from 0 to 2040 bits. RC% works using modular addition and applying XOR operations. It is a “strong” encryption technology and takes hundreds to several thousand days to “crack” with automated programs.  Citrix uses RC5 in some of its products.

MD5 (1991)
A cryptographic hash function, another RSA invention which uses a 128 bit hash value. The general recommendation is to use SHA instead.

SHA (1993)
Secure Hash Algorithm are a related set of cryptographic hash functions which range in a variety of bit lengths. Typically the greater the bit length the stronger the algorithm.

DSA (1993)
Digital Signature Algorithm is a standard developed for the signing of digital signatures. It consists of a key generation, signing and verification.

HMAC  (1996)
Key-Hashed Message Authentication Code. Which uses a cryptographic hand function along with a secret key.  Any iterative hash functions can be used so we end up with various forms of HMAC such as
HMACMD5, HMACRIPEMD160, HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512. The strength of the cryptography depends of the length of the key and the robustness of the hash function.

PGP (1991)
Pretty Good Privacy is an algorithm and software developed by Phil Zimmerman which uses both a public key and symmetric key to encrypt and decode data for secure transmissions. PGP can be used to secure confidential email data between people on the internet. It is very strong and secure. Zimmerman was subject to a grand jury investigation and government investigation  some folks did a public post of his algorithm on Usenet. Since it was published on the internet and open to the world, they could not prosecute Zimmerman. Similarly the Federal Goverment could not sue MIT who had published the PGP algorithm in books.

A software package providing cryptographic functions, to be used with Microsoft’s CryptoAPI. CSP implements encoding and decoding functions which used for strong authentication of the user or applications such as secure email.

Initialization Vectors
IVs have lot to do with the “strength” of cryptography. For example a weakness of WEP is that the IVs can sometimes start at a fixed value. i.e. such as zero or one so it is easy for a hacker to deduce the a pattern of encryption.  IVs are used in both cipher and stream ciphers. You need to understand IVs in order to use some of the APIs. In WEP the IV is a 3 byte length value. IVs are either as long as the block of data you are encrypting or as long as the key you are using to encrypt data. For example encrypting a file of variable length the block size could be 64 with an IV or 64 bytes and a key of 64 bytes.  IVs may be passed along to the peer process by adding them onto the cipher text, or they may be generated or negotiated at a startup point in the data communications process. IVs are used in the internal key generation process for stream ciphers. For Block cipher IVs are passed to the peer by either concatenating them onto the cipher text or XORing them into the cipher text.

You need to create a strong key in order to provide adequate security. A pseudo random number generator will not provide adequate strength. You can use the RNGCryptoServiceProvider API to generate strong keys.  Note: where IVs are required you can use the same API to generate an IV as well if so desired.

SideBar – Cryptographic Technologies in Network and Wireless Mediums

One of the first technologies used with 802.11 for security purposes. WEP can typically be “cracked” within anywhere from three to twenty some hours. The greater the number of transmissions the quicker the network can be compromised.  WEP uses the RC4 algorithm. Due to the fact that there is no key management WEP can be quickly exploited.

WPA and WPA2
Answers to the WEP problems, WPA uses RC4 but has better key management either by generating a unique key per user or by using “pass phrase” keys pre-assigned to each user. WPA2 takes WPA uses a MIC (message integrity code) to prevent replay attacks which are were one of WEPs weaknesses.  WPA2 further enhances WPA by replacing MIC with CCMP and RC4 with AES.  CCMP is an 802.11i standard (counter mode with cipher block chaining message authentication code).

Cisco Leap
Lightweight Extensible Authentication Protocol was developed by Cisco to use WEP authentication via dynamic  WEP key and mutual authentication between devices and a Radius Server. Radius servers are implemented in software or as network appliances. They authenticate and authorize devices/users access onto a network.

TKIP uses a per packet key mixing scheme along MIC and RC4 to greatly enhance the problems in WEP. TKIP is used along as part of WSA.

Secure Socket Layer and Transport Layer Security are both methods of securing communications on the internet such as email  TLS is a later implementation of SSL. SSL uses public key encryption,  and symmetric ciphers to secure the communications. (see PGP later on)

Microsoft’s Point to Point Tunneling Protocol is a networking technology which supports multi-protocol virtual private networks (VPN) allowing secure network access to private networks.

Part II – The System.Security.Cryptography Namespace 

Rather then painfully detail each class. We will briefly describe each one and the appropriate security technology it utilizes and what the class accomplishes. There are roughly 17 groups. The HMAC group contains six separate classes to perform unique message based authentication.

Represents the base class for the Data Encryption Standard algorithm from which all implementations must derive.

Defines a wrapper object to access the cryptographic service provider version of the DES algorithm.

Example using DES

       FileStream filein = new FileStream(“input.dat”, FileMode.Open, FileAccess.Read);
       FileStream fileout = new FileStream(“output.dat”, FileMode.Create, FileAccess.Write);

       RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider ();
       byte[] Key = new byte[64];
       rng.GetBytes(Key) ;
       byte[] IV = new byte[64];
       rng.GetBytes(IV) ;

       DES des = new DesCryptoServiceProvider();
       CryptoStream cs = new CryptoStream(fileout, des.CreateEncryptor( Key, IV), CryptoStreamMode.Write);

       byte[] chunk = new byte[64];
       int LengthToEncrypt = filein.Length;
       int LengthRead = 0;
       int BytesRead;
       // note you may wish to write out the IV and KEY here or write it out to the file the receiving side will
       // need to know them to decode the file. The IV and Key may be passed via another mechanism, which
       // would be safer! Note each side may share the key and IV published on a secure calendar code book
       // basis. Or you may even transmit the decoding  program on another medium or scheduled basis.

       while (LengthRead < LengthToEncrypt)
              BytesRead = filein.Read(chunk, 0, 64);
              cs.Write(chunk, 0, BytesRead);
              LengthRead += BytesRead;


DSA class and DSACryptoServiceProvider class
Base Class and corresponding wrapper object to access the cryptographic service provider implementation of the DSA algorithm.

SHA1 class and SHA1CryptoServiceProvider class
SHA1 Class computes the class for SHA1 input data
SHA1CryptoServiceProvider used to access the cryptographic service provider implementation of the SHA1 algorithm.

TripleDES and TripleDESCryptoServiceProvider class
MD5 class and MD5CryptoServiceProvider class
RSA class and RSACryptoServiceProvider class
RC2 class and RC2CryptoServiceProvider class (weak)
RijndaelManaged class and RijndaelManagedTransform class (AES)
The above classes allow you to define and implement their corresponding CSPs.

AssymetricAlgorithm class
Base class used to implement for example the RSA CSPs.

HashAlgorithm class
The base class from which all implementations of cryptographic hash algorithms must derive from.

ProtectedData class and ProtectedMemory class
Wrapper classes for unmanaged memory (protect and unprotect)

CspParameters class
Contains Parameters used when working with CSPs.

CryptoAPITransform class
Used to apply cryotpgraphic transforms on data be it DES, RSA etc…

RandomNumberGenerator class
Abstract class to create RNG implementations for keys and IVs.

CryptoStream class
Defines a class used to link data streams to cryptographic transforms.

CryptoConfig class
To access the cryptographic configuration information (static values).

Hash-based Message Authentication Code (HMAC)
HMACMD5 class
HMACSHA1 class
HMACSHA256 class
HMACSHA384 class
HMACSHA512 class

The 256, 384 and 512 classes specify the length of bit sizes when applying the HMAC. The HMASHA1 operates at 160 bits.

There may be several reasons to use “weaker” cryptographic algorithms. You may need to receive and decrypt data from legacy programs, or perhaps just simply apply them on data which need not be secure for that long a time period. For example cookie data in a browser. Think about the geographic region of the deployment site. If you are exporting your software to certain countries make sure that the encryption technology is legally exportable to that region.

Processing speed is another reason to use slightly “weaker” cryptography. Stream ciphers are quicker then block ciphers. If speed is not an issue you can make data even more secure by applying several cryptographs for example RC2 and then DES. The receiver would apply DES and then RC2.  The strongest cryptographs are the latest such as AES (Rijndael), HMACSHA and RC5. Newer ones will continually be brought to market.

This brief could be embellished with more examples but serves as a basic introduction on cryptographic technologies to approach the APIs in the .NET 2.0 Framework.


        Security Terms For Wireless and Fixed Networks and the .NET 2.0 Framework Cryptography APIs             Device Programming


Feedback/Contact .                          

Copyright 2006 3zwireless Ltd, This page last updated on 07/2006