Tag Archives: c# on ubuntu

Hashing passwords in .NET Core with tips

Previously I had written a few things for the .NET Framework on how to implement basic security concepts in applications that run in the .NET environment. In this post I want to walk you through implementing the same security concepts in applications that are based on .NET Core. As always there will be 2 topics that I will be covering in this post; I covered them before, but since that was for .NET itself, I don’t think it works with .NET Core. Besides, .NET Core is different in this matter compared to the .NET Framework, one of the major reasons being that there is no “SHA256Managed” (or any other _Managed type) in the framework. This post covers the basic concepts and should help you understand and get started with these security methodologies.

Figure 1: Data security in your applications is the first step for gaining confidence in clients.

First of all, I will cover hashing and give you a few of my tips and considerations for hashing passwords using .NET Core in your applications. Before I start, I remember when I was working with the Mono Project, and the platform was very easy to write for. I was using Xamarin Studio as the IDE and Mono was the runtime at that time. In my previous guide the focus was on Mono programming on Ubuntu, whereas in this post I will be covering the same concepts with .NET Core. .NET Core is really beautiful; although it is not complete, it is very powerful. I am using the following tools at the moment, so in case you want to set up your own programming environment to match mine, you can use them.

  1. IDE: Visual Studio Code.
  2. C# extension: For C# support and debugging
  3. Terminal: Ubuntu provides a native terminal that I am using to execute the command to run the project after I have done working with my source code.

Figure 2: Visual Studio being used for C# programming using .NET Core.

You can download and install these packages on your own system. If you are using Windows, I am unaware as to what Visual Studio Code has to offer, because since the start of Visual Studio Code I have just used it on Ubuntu and on Windows systems my preference is always Visual Studio itself. Also, I am going to use the same project that I had created and I am going to start from there, A Quick Startup Using .NET Core On Linux.

So, let’s get started… 🙂

Hashing passwords

Even before starting to write it, I am considering the thunderstorm of comments that would hit me if I make a small and simple mistake in the points here, such as:

  1. Bad practices of hashing.
  2. Not using the salts.
  3. Bad functions to be used.
  4. Etc.

However, I will break the process down since it is just a small program that does the job and there is very little exaggeration here. Instead of talking about that, I will walk you through many concepts of hashing, how hackers may try to get the passwords, and where hashing helps you out.

Until now I have written like 3 to 4 articles about hashing, and I can’t find any difference in any of these codes that I have been writing. The common difference is that there are no extra managed code stuff around. .NET Core removed everything redundant in the code samples. So we are left with the simple ones now that we would be using.

What I did was that I just created a simple minimal block of the SHA256 algorithm that would hash the string text that I am going to pass. I used the following code,

using System;
using System.Security.Cryptography;
using System.Text;

// SHA256 is disposable by inheritance.
using (var sha256 = SHA256.Create()) {
    // Send a sample text to hash.
    var hashedBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes("hello world"));

    // Get the hashed string as lowercase hexadecimal.
    var hash = BitConverter.ToString(hashedBytes).Replace("-", "").ToLower();

    // Print the string.
    Console.WriteLine(hash);
}

This code is a bit different from the one being used in .NET framework. In the case of .NET framework the code starts as:

using (var sha256 = new SHA256Managed()) {
     // Crypto code here...
}

That is the only difference here; the rest of the code is almost alike. The conversion of the bytes into string text is up to you. You can either convert the bytes to hexadecimal strings yourself or use the BitConverter helper to convert them to the text that is being represented.

The result of this code is,

Figure 3: Result of the above shown code in C# being executed in Ubuntu terminal on .NET Core runtime. 

There is one other constraint here, “Encoding.UTF8”: if you use another character encoding, then chances are your hashed string will be different. You can try out other flavors of character encodings, such as:

  1. ASCII
  2. UTF-8
  3. Unicode (.NET framework takes Unicode encoding as UTF-16 LE)
  4. Rest of the encodings of Unicode etc.

The reason is that each encoding produces a different byte sequence for the same text, and the hashing function works on the bytes of the data that are passed.

Tips and considerations

There are generally two namespaces on the rise: one of them is .NET’s very old and familiar namespace, System.Security.Cryptography, whereas the other is Microsoft.AspNet.Cryptography, which is a part of ASP.NET Core and is yet to be released. Anyway, here are a few tips that you should consider before handling passwords.

Passwords are fragile — handle with care

I can’t think of any online service, offline privacy application, API hosts where passwords are not handled with care. If there is, I would still act as I never knew of it. Passwords must always be hashed before saving in the database. Hashing is done because hashing algorithms are created with one thing in mind, that they are hard (if not impossible) to convert back to plain-text passwords. This makes it harder for the hackers to get the passwords back in the real form. To explain this fact, I converted the code into a functional one and printed the hash with a little change in the text.

private static string getHash(string text) {
    // SHA256 is disposable by inheritance.
    using (var sha256 = SHA256.Create()) {
        // Hash the UTF-8 bytes of the text that was passed in.
        var hashedBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(text));

        // Return the hash as a lowercase hexadecimal string.
        return BitConverter.ToString(hashedBytes).Replace("-", "").ToLower();
    }
}

I will execute this function and get the hashed strings back for texts that differ very little from each other.

string[] passwords = { "PASSWORD", "P@SSW0RD", "password", "p@ssw0rd" };
 
foreach (var password in passwords) {
    Console.WriteLine($"'{password}': '{getHash(password)}'");
}

Although they look alike, have a look at the avalanche effect caused by such small changes. Have a look even at the difference between upper case and lower case.

Figure 4: Password hashes being shown in the terminal. 

This helps in many ways, because it is harder to guess what the possible plain-text alternate would be for this hashed string. Remember the constraints again,

  1. The character encoding is UTF-8; other encodings would produce different bytes.
  2. The hash algorithm being used is SHA256; others would produce different results.

If you don’t hash the passwords, hackers may try to use the most common attacks on your database system to gain access privileges. A few common types of attacks are:

  1. Brute force attack
  2. Dictionary attack
  3. Rainbow table attack

A rainbow table attack works in a different manner: it tries to convert the hash back to plain text based on a database in which password/hash combinations are present. Brute force and dictionary attacks use guessing and commonly used passwords, respectively, to gain access. You need to prevent these attacks from happening.

Besides, there are cases where your password hashing is useless, such as when you use the MD5 hashing algorithm. MD5 can be easily cracked, and tables for entire password lookups are already available; hackers can use those tables to crack passwords that are hashed using MD5. Even SHA256 and SHA512 don’t work, as you are going to see in the following section. In such cases you have to add an extra layer of security.

Bonus: how to break it?

Before I continue further, I wanted to share the point of these passwords and their hashes being weaker. There are many hacking tools available, such as reverse look ups. Let us take our first password and see if that can be cracked. I used CrackStation service to crack the password and convert it back to its original text form,

Figure 5: SHA256 based password converted back to its original form. 

See how inefficient even these tricks happen to be. In a later section I will show you how to salt the passwords and what the effect is. Although we had hashed it using SHA256, the reverse lookup table already has that password of ours. Hackers would just try to use that hash and get the real string value in the plain-text to be used for authentication purposes.

Slower algorithms

On networks, hackers are generally going to attack your websites with a script, so you should have a hashing algorithm that is significantly (but not very) slow. About half a second or a third of a second should be enough. The purpose is:

  1. It should add a delay to the attacker if they are trying to run a combination of passwords to gain access.
  2. It should not affect the UX.

There are many algorithms that keep the iterations to a number of 10,000 or so. The namespace that I had talked of, Microsoft.AspNet.Cryptography has the objects that allow you to specify the iteration, salt addition etc.

Remember: For online applications, do not increase the iteration count. You would indirectly cause a bad UX for the users who are waiting for a response.

Add salt to the recipe

I wonder who started the terminology of salt in cryptography. He must have a good taste in computers, I’d say. I did cover most of the parts of adding the salts in the article that I have added in the references section, please refer to that article. However, I would like to share the code that I have used to generate a random salt for the password. Adding the salt would help you randomize the password itself. Suppose, a user had a password of, “helloserver”, another one had the same password too. By default the hash would be alike but if you add a random salt to it, it would randomize the password.

In .NET Core, you can use the “RandomNumberGenerator” to create the salt that can be used for the password.

private static string getSalt() {
    byte[] bytes = new byte[128 / 8];
    using (var keyGenerator = RandomNumberGenerator.Create()) {
        keyGenerator.GetBytes(bytes);
 
        return BitConverter.ToString(bytes).Replace("-", "").ToLower();
    }
}

This would create a few random bytes and then would return them to be used for the passwords.

string[] passwords = { "PASSWORD", "P@SSW0RD", "password", "p@ssw0rd" };
 
foreach (var password in passwords) {
    string salt = getSalt();
    Console.WriteLine($@"{{
       'password': '{password}', 
       'salt': '{salt}',
       'hash': '{getHash(password + salt)}'
       }}"
    );
}

This shows how the passwords with “random salt” differ.

Figure 6: Passwords with their salts being hashed. 

Have a look at the hashes now. The hashes differ from what they were before. Also, notice that the function returns a different salt every time which makes it possible to generate different hashes for even the similar passwords. One of the benefits of this is, that your passwords would be secure from a rainbow table attack.

Test: We saw that unsalted passwords are easy to reverse look up. In this case, we salted the password, and we are going to test the last of our passwords to see if there is a match.

Figure 7: Password not found.

Great, isn’t it? The password was not matched against any case in the password dictionary. This gives us an extra layer of security because a hacker won’t be able to convert the passwords back to their original form by using a reverse lookup table.

Using salt: the good way

There is no good way of using the salt; there is no standard to be followed while adding the salt to the password. It is just an extra “random” string to be added to your password strings before they are hashed. There are many common ways: some add the salt to the end, some prepend it, some do both.

Do as you please. 🙂 There are however a few tips that you should keep in mind while salting the passwords.

  1. Do not reuse the salts.
  2. Do not try to extract the salts from the passwords or usernames.
  3. Use suitable salt size; 128-bit?
  4. Use random salt.
    • You should consider using a good library for generating the salts.
  5. Store the salts and passwords together. Random salts won’t be created again (in a near future).

References:

  1. Avalanche effect
  2. Hashing Passwords using ASP.NET’s Crypto Class
  3. Guide for building C# apps on Ubuntu: Cryptographic helpers
  4. What are the differences between dictionary attack and brute force attack?

Final words

In this post, I demonstrated the hashing techniques in .NET Core; the procedure is very much alike. There are a few differences in that the objects are not the same. The object instantiation is not the same either, and in my own opinion, this is also going to change soon.

I gave you a good overview of password hashing, how to crack them (actually, how an attacker may crack them) and how you can add an extra layer of security. Besides, you should consider adding more security protocols to your own application to secure it from other hacking techniques too.


Guide for building C# apps on Ubuntu: NuGet packages

Introduction and Background

If you have been programming C# applications, then chances are you are pretty much aware of what NuGet packages are. However, if you don’t know what that is, it is an online storage for dynamic-link libraries (.dll) for .NET programs. Most programmers (including me) have contributed toward the total packages currently available on NuGet. NuGet allows developers to reference the libraries from third-party programmers, easily, all by typing a command!

In the previous posts, I had already talked about the basics of Ubuntu programming using Mono, in this short piece I am going to talk about NuGet packages in Mono. NuGet packages are of great use in Visual Studio, you can download the most wanted packages from NuGet to increase the productivity of your application. I have personally used Newtonsoft.Json package many times to introduce data sources in my applications based on JSON files and C# code, a usual example of this can be LoginKeys framework that I wrote for authentication systems. There are many other useful packages that you would like to use while programming, in this post I am going to talk about, methods to include the package in your application development project.

Managing the NuGet packages

In this section, I will demonstrate two things:

  1. How to manage the repositories, from where to fetch from.
  2. How to install the packages and use them.

So that you can have a good understanding of NuGet packages, package management and how to use them in your projects.

Configuring the IDE

The first step is to configure the IDE. By default, the IDE is configured to fetch packages from NuGet’s current API version, which is https://www.nuget.org/api/v2/. In the future that may change, which is why you may need to configure the IDE. The settings are available under the IDE settings.

Figure 1: NuGet package gallery management.

You can edit this to configure the IDE to capture the packages from the actual location. You can also open these settings from the NuGet package management window itself, by selecting “Configure sources”.

Figure 2: Options available for currently provided NuGet galleries and option to configure the sources.

This would allow you to alter the sources and other settings, you can also change the names for the galleries. However, that is pretty much simple, and I am sure you can manage to do that all by yourself. Now, let us consider installing and using the packages in our applications.

Installing the packages

The fun part starts! The packages can be easily installed using the GUI window provided by MonoDevelop itself. We can search for packages, or install the most popular ones that are shown in the list view. It is very simple to install a package.

I have demonstrated the procedure in the following image:

Figure 3: NuGet package management window.

Now, what I have done is that I have introduced steps required to install the package. You can follow the same steps to install any package.

  1. Find the package in the list. I have selected, Json.NET package.
  2. If you find yourself confused while selecting a package, you can check for the explanation of the package in the right side, name, version, description and author details are shared here. You can make sure you are selecting the “correct” version of library.
  3. Click on “Add Package” to add it.
  4. This option is not required, and is used to turn on and off beta versions, pre-releases.

Now, once you have clicked on the “Add Package” button, MonoDevelop would take a minute or two and then add the library package to your application. In my system, it took ~5 seconds, so don’t worry it would download and install the packages, in a while. Once that is installed, your references would look like this:

Figure 4: Newtonsoft.Json package installed to the project.

Json.NET library is the Newtonsoft.Json library, so it gets added to the project under “From Packages” category. This has been added to the project, and you can then get to use it in your project. Before, I do that, let me show you how to search for the project packages in NuGet.

Where on file system are they stored?

This is another interesting thing, in Mono environment, the project packages that are downloaded from the galleries, are stored in the same package directory. For more on package directories, please read my previous post: Guide for building C# apps on Ubuntu: Project files and output. In the directory, a new folder, “packages” would be created and then your newly referenced package will be stored there for later references.

Figure 5: “packages” folder in the project directory.

You will find the code and other files all in this folder. This is done so that you can use the package later: the packages in NuGet are online, and you cannot afford to pay the price of network latency each time you want to build the project, so downloading the assemblies is the easiest method.

Searching for a library

Search bar is also provided in NuGet management window, that you can use to search for the libraries. The list shows only the popular ones, but if you want to search for third-party average project libraries, that are not in the use of people more often, you can use the search box to search for those libraries and window would bring up the matches that it finds on the gallery. You can then select from those results and get what you want to install in your application project. For example, to install LoginKeys package, you can write the keyword in the search box and NuGet package manager would bring the results, so that you can select from the search results.

Figure 6: LoginKeys package being shown in the search results.

You can see that the GUI window has shown the results, and also, it has provided me with the details so that I can know that I am installing the correct version of library, from the author I trust (do I trust myself? Nah!), then I can follow the same steps and install this package to my project too.

Updating and restoring packages

In Mono, updating and restoring the NuGet packages is also very simple, and takes just a click! Yes, have a look below:

Figure 7: Options to update or restore the NuGet packages.

These are the options provided, to update or restore the packages, just click on the option and Mono would do it for you! There are many other options also available along with these.

Referencing the package namespace

Once you have added the package to your project, you need to reference it in your source files too. Although the assembly is available, to be able to call its functions in your source file you also need to add the using statement. We have the Newtonsoft.Json package; to be able to consume the library, we need to reference it and then build the application.

Have a look at the following code:

Figure 8: Compiler error shown.

The problem, you are right, is raised because we have not yet referenced the namespace that contains the JsonConvert object. So, we write the code like this:

using System;
using Newtonsoft.Json; // Adding the reference

namespace NugetPackages
{
    class MainClass
    {
        public static void Main (string[] args)
        {
            /*
             * We do not need to create a new class, instead
             * we can create anonymous types. 
             */
            object anon = new { Name = "Afzaal Ahmad Zeeshan", Age = 20 };

            // Now the function would serialize the anon object
            var serialized = JsonConvert.SerializeObject (anon);

            // We then print the JSON format on screen.
            Console.WriteLine (serialized);
        }
    }
}

This code would compile and execute safely. The output of this code is like this (I think, you already know),

Figure 9: Result of the above code.

Pretty simple. I don’t need to explain it at all, because Newtonsoft.Json is already a very famous and widely used package.

Points of Interest

This is another post in the “Programming C# on Ubuntu” category of articles. In this post, you were taught to use NuGet packages in your Mono projects on Ubuntu. The post was intended for absolute noobs and beginners in Mono programming on Ubuntu, and hopefully, you have been taught to program applications on Ubuntu.

This was somehow a short descriptive post for NuGet packages only. In later post, you will be taught to develop libraries and re-use them in other projects. Stay tuned for the upcoming post. 🙂

Guide for building C# apps on Ubuntu: Cryptographic helpers

Introduction and Background

In the previous posts, I had shown how you can use the MonoDevelop IDE of the Mono Project to get started programming C# applications in a Linux environment; for the operating system I used the Linux distro Ubuntu. However, since all of the topics are covered already and I am just skimming through the snippets and small portions of the data that I can share, this is another post in the series before I continue to write a guide for this in a compiled form. In this post, I am going to talk about the cryptographic support provided in Mono itself, for Ubuntu. You can always write your own compiled modules that run the cryptographic services, and you can also write your own modules that represent the procedures and steps shown in the certified algorithms for cryptography. But in this post I will talk about the built-in classes and objects provided to you for these services.

I have also talked about security tweaks a lot before, and I would like you to read my previous posts about security in .NET framework too, A few tips for security in .NET framework. Since this is much more about Ubuntu and C# programming using Mono Project. I recommend that you read the previous posts in this series of articles.

  1. Guide for building C# apps on Ubuntu: MonoProject Introduction
  2. Guide for building C# apps on Ubuntu: Language quickies
  3. Guide for building C# apps on Ubuntu: Project files and output

So basically this is another post in the series of Ubuntu programming using C# language, Mono Project has been a great tool for C# geeks. In this post I am going to talk about the hashing algorithms, and what else Mono Project has for us!

Security APIs in Mono

No wonder Mono is influenced by .NET’s philosophy and the C# language, but it still lacks many things when it comes to the core APIs, such as the security API. It does not have the full package of APIs in it. For example, on the .NET Framework the support has been increased to SHA256, SHA512 and more, whereas on Mono there are not many flavors currently added, and you either have to stick to one of the provided ones, or manage the base algorithms and write your own implementation of the algorithms. Which, definitely, would be a hard job! Until Mono introduces some new algorithms, let’s stick to the provided ones and learn about them, how to use them and what they can serve us with.

In Mono APIs, you get two namespaces for security algorithms. The algorithms can be for simple encryption and decryption or it may be for the password hashing purposes. Now, these two are different in many ways, however they are categorized under “Cryptography” in computer science.

  1. Encrypting/decrypting: is a process in which you encode the data in such a way, that a special secret key is required to bring the data back in its original form. It is used while securing the data from potential spywares, because each time you have to access the data, you need to pass a special secret key with it.
  2. Hashing: is a process, typically used for passwords, but is not only restricted to passwords. Hashing is a technique, in which data is encrypted, in such a way that it is impossible to be converted back to its original form.

Mono namespaces provide you with objects that allow you to work around with these functions and add a layer of security to your applications. Now, let us first of all, talk about password hashing and then we will get into the encryption and decryption techniques provided in Mono runtimes for developers.

During the article, I will only focus on the objects provided in System.Security.Cryptography, however you can still use Mono.Security.Cryptography, but the recommended one is the native .NET framework’s cryptography namespace.

Hashing the passwords

Hashing passwords has been widely used in every network-based or online application. Hashing is a process that is not restricted to passwords; as I have already said, hashing has been widely used to determine file consistency. Most software packages are published with MD5 or SHA hash values, which are used to determine whether the file is in its real form or has been tampered with on its way to your machine. This ensures that the software package that you are installing is actually the “safe” package and has not been mixed with any malware or spyware content. The code from open source communities, such as Ubuntu, Linux and other open-source projects, is widely exposed to such attacks, and if you install such packages they may expose your private data and even ask you for some revenue, as happens in cases of ransomware. Linux.Encoder.1 was one such virus, which encrypted the user data and then asked users to pay to get their data back. However, hashing is a very simple task in .NET framework at least.

Usually, there are many algorithms provided in every framework that can be used in your applications, most commonly used are:

  1. MD5
  2. SHA-128
  3. SHA-256
  4. SHA-512
  5. So on…

Now, before I move any further, I should warn that you should never ever use MD5 for hashing the passwords. MD5 algorithm is very weak and a simple rainbow table attack would expose the passwords. In many cases, you should use SHA-128, or SHA-512. But the recommended one is SHA-256, because of the digest that it creates and the security that it has. I would personally recommend that you use SHA-256, if you want to store a small size of digest (hashed password string; in hex), otherwise, my personal advice is to store SHA-512.

The benefit of having SHA-512 over SHA-256, is that you can minimize the chances of collisions  while generating the hashes for the passwords. A collision would typically occur when the hash results are similar for different values. The thing is that the hash function would return a hashed string to a limited size, but it can get an input of any size. Bigger files of larger byte arrays may result in a collision. So, to overcome the collision you may want to generate a hash of bigger size.

Now, talking of hashing the passwords, let me share how to hash the passwords in C#. The procedure is actually similar, if you have a code for .NET on Windows, same would be used on Mono on Ubuntu. Have a look below:

// Function to hash the passwords
public static string HashPassword(string message) {
   // Create a new instance of the SHA-256, 
   // you should use SHA256Managed instead of SHA256 object.
   using (var algo = new SHA256Managed ()) {
       var bytes = System.Text.Encoding.UTF8.GetBytes (message);
       var hashedBytes = algo.ComputeHash (bytes);

       // The hash has been computed, to convert those bytes to string
       // I will use the following code, you may use your own
       // code to convert the byte array to string
       System.Text.StringBuilder builder = new System.Text.StringBuilder ();
       foreach (byte bite in hashedBytes) {
          builder.Append (bite.ToString("x2"));
       }

       // Return it to the caller, to write it.
       return builder.ToString ();
   }
}

So, basically, what I have done is that I have just used that algorithm and I have got what I was expecting from it. Now, the way we call it defines how we use it. In this sample, I will be calling it to write the hash of it, to the screen and nothing else.

Console.WriteLine ("Enter the string to work on:");

// Get the message
string message = Console.ReadLine ();

// Hash the password.
string hashedStr = Crypto.HashPassword (message);
Console.WriteLine ("Hashed string is: " + hashedStr);

Basically, we have already created the function that does the thing for us. So we are only calling it in this code. So, if I run the above code it would be something like this…

Figure 1: Working of the hashing algorithm on the word, “Afzaal”.

You would store this hashed string in your database when you want to save it. Never save the passwords or sensitive information that you do not want to get back in the actual form, in plain-text form.

Adding some salt to the hash

Now since we are talking about hashing the passwords, it is necessary to add a specific string text to the actual string, which acts as salt to the data. The procedure is very much simple and straightforward, you simply add extra string to the actual string and then find the hash for it. Where you add the salt is your choice, you can append it, prepend it, or insert it at the medians or what-so-ever, that is your choice.

HashPassword (password + salt);             // OK
HashPassword (salt + password);             // OK
HashPassword (salt + password + salt);      // OK

But the only thing that you should consider is that you should use the same method to get the hash again, because if you calculate the hash differently, the hash value will be different.

Figure 2: Demonstration of the hashing a string message using salt.

When to use hashing?

You can use the following list items to determine when to use hashing functions on your data.

  1. When you want to keep your data hidden from prying eyes.
  2. When your data is valuable only for comparison and not required in its raw form. Passwords are a good example of this type of data.
  3. When you want to check whether the file system has been tampered with.

References:

If you want to learn more about hashing functions, you should go and read the following links:

  1. Security in .NET Framework
  2. System.Security.Cryptography namespace on MSDN
  3. SHA-2 on Wikipedia

Encryption and decryption of data

Now that we have talked about hashing passwords and data, we can continue with the encryption and decryption of data in Mono using C#. Encryption and decryption techniques are used to hide data from unwanted users. The data can still be shared with the users who are meant to view it, while any user who is not required to use or view the information is kept out of the list of viewers.

Image courtesy: This image demonstrates how encryption and decryption is done.

Now we will talk about the coding practices in encryption and decryption. The plain-image, pseudocode and algorithm are all very easy, and the coding in the .NET environment is very easy as well. In the coming sections, you will be shown how to use .NET objects to enforce security restrictions in your applications.

As far as the algorithms are concerned, just like in the case of hashing, there are a lot of encryption and decryption algorithms: AES, Rijndael, DES etc. All of them are used, but there are some problems with the later ones, and that is why the AES algorithm is recommended. However, in my case, I will use the Rijndael algorithm; you can change it to AES (and you should change it to AES, I am only using it for demonstration purposes!).

What we do, is that we actually divide the process in a number of steps:

  1. Create the object for algorithm; Rijndael in this case.
  2. Create the memory stream to hold the data.
  3. Create a cryptostream for that memory stream.
  4. Create a stream writer/reader based on encryption or decryption process undergoing.
  5. Return the encrypted or decrypted text.

Each encryption algorithm requires you to pass a special “Key” that is used for encryption and decryption. The key is the backbone. Without that key, data cannot be converted back to its original form. That is why keys are kept secret, in safe places, so that potential hackers cannot get to the data. So for demonstration, let’s use the IDE to write some code.

1. Encryption function

First of all, let us write a function that encrypts the data as we mentioned in the steps above. A hash function would return an array of bytes, so we would define our custom function to do the same, so that later when working with the values, we can change the data in any form, or save it just the way that it is.

public static byte[] Encrypt(string data) {
    byte[] bytes = null;

    // Instantiate the algorithm
    using (var rjndl = new RijndaelManaged ()) {
        // Set up the properties
        rjndl.Key = key;
        rjndl.IV = iv;

        // Create the memory stream
        using (MemoryStream stream = new MemoryStream ()) {
            // Create the crypto stream
            using (CryptoStream cStream = new CryptoStream (stream, rjndl.CreateEncryptor (), CryptoStreamMode.Write)) {
                // Create the stream writer to write the data.
                using (StreamWriter writer = new StreamWriter (cStream)) {
                    writer.Write (data);
                }
            }

            // Convert the stream of encrypted text, to array.
            bytes = stream.ToArray ();
        }
    }

    // Return the bytes.
    return bytes;
}

This function is enough; it encrypts the data and gives us the bytes of the data in encrypted form. We can then convert those bytes to a string, or save them in BLOB format, or whatever else is required. I will demonstrate the usage in a later section; for now I just want to jump to the decryption part.

2. Decryption function

As the name suggests, it is the inverse of the encryption function. The steps required are similar, except that we create a decryptor object for the cryptostream and then read the stream through it, using the same key that was used to encrypt the data into this byte form. If you use a different key, results are “unknown”.

The following code does the thing for us:

public static string Decrypt (byte[] data) {
    string message = null;

    // Instantiate the algorithm
    using (var rjndl = new RijndaelManaged ()) {
        // Set up the properties
        rjndl.Key = key;
        rjndl.IV = iv;

        // Create the memory stream with the bytes of data
        using (MemoryStream stream = new MemoryStream (data)) {

            // Create the stream with the decryptors
            using (CryptoStream cStream = new CryptoStream (stream, rjndl.CreateDecryptor (), CryptoStreamMode.Read)) {

                // Create a stream reader for the crypto stream
                using (StreamReader reader = new StreamReader (cStream)) {
                    // Read the data to the end.
                    message = reader.ReadToEnd ();
                }
            }
        }
    }

    // Return the message.
    return message;
}

We now have the counterpart of our encryption/decryption algorithm or service (call it what you like!). Now that we have both of our functions ready, we can now test the function and see if it works in our cases for encryption and decryption.

I am going to enter my name, and then I will get the encrypted text plus the decryption function would be executed to get the data back.

Following is the main function,

Console.WriteLine ("Enter the string to work on:");

// Get the message
string message = Console.ReadLine ();
Crypto.Setup (); // Look at the code block below!

// Run the logic
var encrypted = Crypto.Encrypt (message);
var decrypted = Crypto.Decrypt (encrypted);

string encryptedStr = null;
StringBuilder strBuilder = new StringBuilder ();
foreach (var b in encrypted) {
   strBuilder.Append (b.ToString("x2"));
}

encryptedStr = strBuilder.ToString ();

Console.WriteLine ("Original text was '" + message + "', it was encrypted to: \n" + encryptedStr);
Console.WriteLine ("Decrypted text is: " + decrypted);

The output of this program was,

Figure 4: Encryption and decryption function on “Afzaal Ahmad Zeeshan” string.

Pretty simple, right? 🙂 So, finally we have encrypted and decrypted the text in Ubuntu using Mono Project…

Tips:

  1. Consider changing the Rijndael to AES.
  2. Keep a strong key, use the provided functions to generate a “strong” random key.
  3. Decrypt when needed.

Using Rijndael or AES?

Rijndael and AES can be confusing. Don’t worry, I was also confused as to which is better and which is not. The thing is, the Rijndael algorithm was developed along with numerous other algorithms, each trying to come out on top as the “best algorithm for encryption and decryption”. Rijndael won, and was selected as the AES algorithm.

Does that make sense? It should… If that doesn’t, read this blog post.
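
The first two tips, applied to the functions above, as an added example that is not code from the original post: it swaps RijndaelManaged for Aes.Create (), lets the framework generate the key, and uses a fresh random IV for every message, stored in front of the ciphertext. The class name, the NewKey helper and the IV-then-ciphertext layout are assumptions made for the example; CBC mode gives confidentiality only, so the blob is not protected against modification.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class AesExample
{
    // AES in CBC mode (the default). A fresh random IV is generated for every
    // message and stored in front of the ciphertext; the IV is not secret.
    public static byte[] Encrypt(string data, byte[] key)
    {
        using (Aes aes = Aes.Create())
        using (var stream = new MemoryStream())
        {
            aes.Key = key;
            aes.GenerateIV();
            stream.Write(aes.IV, 0, aes.IV.Length);
            using (var cStream = new CryptoStream(stream, aes.CreateEncryptor(), CryptoStreamMode.Write))
            using (var writer = new StreamWriter(cStream))
                writer.Write(data);
            return stream.ToArray(); // still valid after the streams are closed
        }
    }

    // Reads the IV back from the front of the blob, then decrypts the rest.
    public static string Decrypt(byte[] blob, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            if (blob == null || blob.Length <= iv.Length)
                throw new ArgumentException("Blob is too short to hold an IV and ciphertext.");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.Key = key;
            aes.IV = iv;
            using (var stream = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (var cStream = new CryptoStream(stream, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var reader = new StreamReader(cStream))
                return reader.ReadToEnd();
        }
    }

    // Lets the framework generate a random key of the default size (256 bits).
    public static byte[] NewKey()
    {
        using (Aes aes = Aes.Create()) { aes.GenerateKey(); return aes.Key; }
    }

    public static void Main()
    {
        byte[] key = NewKey();
        byte[] first = Encrypt("Afzaal Ahmad Zeeshan", key);  // input from the page's test run
        byte[] second = Encrypt("Afzaal Ahmad Zeeshan", key);
        Console.WriteLine("Same ciphertext twice: " + (Convert.ToBase64String(first) == Convert.ToBase64String(second)));
        Console.WriteLine("Decrypted: " + Decrypt(first, key));
        // A wrong key normally fails the padding check; rarely it yields garbage text.
        try { Console.WriteLine("Wrong key gave: " + Decrypt(first, NewKey())); }
        catch (CryptographicException e) { Console.WriteLine("Wrong key failed: " + e.Message); }
    }
}
```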

Points of Interest

This is another post in the series of “Programming C# on Ubuntu” articles. In this, I have talked about cryptographic programming in Mono Project on Ubuntu. The services are similar to what we have in .NET framework on Windows operating system. However, there are some other namespaces provided by Mono itself, but still, .NET namespaces rule them out. The services that you can find in .NET are amazing, and C# language itself is just perfect language to be used for any project! I am writing this guide, to share the beauty of C# on cross-platform environments too, for those who are unaware of this currently.

In this post, you were given a few tips and you were shown how to perform cryptographic functions on your data, including hashing the passwords, encrypting and decrypting the data on your machine. Cryptography can greatly influence your application’s performance, and your users would like the privacy and other services that you have for them, such as encryption and decryption of the data, using which they can save their data from unwanted users, and yes, hackers!

In a later post, I will talk about NuGet package management, and then I will head over to writing a guide, in the form of a book itself. See you in the later posts. 🙂

Guide for building C# apps on Ubuntu: Project files and output

Introduction and Background

In the previous posts of this series I talked about the IDE itself and about the tools provided in MonoDevelop and the Mono Project that help C# developers do their jobs quickly. You may want to read those posts first and then continue with this one, or the other way around, as I have tried to keep the posts independent enough.

  1. Guide for building C# apps on Ubuntu: MonoProject Introduction
  2. Guide for building C# apps on Ubuntu: Language quickies

Later, you can continue to read this post. This post has a primary focus on the project files, compiled assemblies and the executable files generated after the build process. So, although this would be a very short guide, I would try to explain every aspect of it. You can however, do let me know if you find something missing here.

I assume that you already have an idea of C# project files, typically they are:

  1. One solution file (.sln)
  2. A folder for the project itself.
  3. Properties files
  4. Binary and object files folder.

You will find this template for a project of C# everywhere, from Console to any graphical application that you may be using. The template is chosen to make sure you can always skim through the file system and find the required item there. So now let’s talk about these items in detail…

Project files and output locations

If you have ever programmed in C# on Windows, using Visual Studio you may know the common folders and locations for the project and the generated binaries. For each of the project that you create, Visual Studio creates a quite similar project directory and puts the source code, project settings files, and others in that directory.

MonoDevelop does the same for you! MonoDevelop would ask for a location to create the directory for the project and would then use that location to create new files, and to place the compiled executables. We are going to talk about a few of these locations and the files generated there.

1. Project directory itself…

First of all, let us talk about the project directory that gets created. This location is chosen by you; you are free to choose where the directory is created. You enter the location and MonoProject then uses the same location to perform its actions, like creating and adding new files, resources and source files; the same location is also used to generate and place the binaries and object code files. So, this directory is used throughout the project life; choose it wisely.

So, for example, when we created the project (in the previous sections), we entered the following location to be selected as the project directory.

Figure 1: Creating the project and entering the location for the project directory. 

Have a look at the “Location” field in the above window. We can change it from here, we can also browse for a new location and well, you get the idea that we can create the directory anywhere that we find it helpful and easy to be found!

Remember: Projects is a manually created location in Ubuntu; by default, a user’s home folder does not contain a folder named Projects.

Once we create the project, the files are generated at that location and the project window opens. However, we are only interested in viewing the directory itself and not the project code. The files that are generated here are very similar to Visual Studio’s files, and they include the solution file. Solution files typically hold the information for the project, its files, and other settings and configurations that you make in the project, like architecture support. Only these files are provided along with the templates because IDEs use a special project file to determine the configuration and the files for the project.

By default, the directory has 1 sub-directory and 2 files:

Figure 1: Root level of the project, one folder and solution and preferences files in the directory.

As already discussed, the directory is used to hold the files and references for the projects and also holds the generated binaries and executable files. However, before diving any deeper. Let us talk about the files that we can see right here. These files contain the settings for the project and for the user sessions.

Solution file

First of all, let us talk about the solution file itself. The solution file is basically the settings and overall configurations that you make to the project itself. The project is what you create when you start Mono and go ahead creating something. Things that you create in a project are files, resources and source code files etc.

We can open the file up in the text editor, the code in this file is simply commands and settings that would train the environment to set up the configuration for build and a few others, like the name of the project (obviously!)

This file contains the information about:

  1. Project itself.
    • Name
    • Package identifier. Sometimes a GUID.
  2. Build configurations.
    • They are written in the global scope for the environment.
    • Active build configurations for debug and release mode.
    • Extra configurations.
    • CPU architectures used.
  3. Project details file name and other minimal files used for project management.

So, this file is created and is maintained throughout the project. You can also start the project by double-clicking the file for the C# project in the same directory (make sure you do not open it in a text editor). For more on solution files please refer to MSDN, as they describe the file in a much better way: Solution (.Sln) File.

User preferences

Ever wondered how does your IDE know where to start and which line you were previously working on? This file holds the information for that, this file holds the information for currently active file, currently active line and even the column where your cursor was!

So, basically this file holds the information for your currently active session and when you reload the IDE and the same project, your IDE would know where to get you started from. This saves a lot of time of developers as the source code file and the line is already active, they can just continue to work from where they left it.

This file also keeps a hold of your breakpoints. So, everything and every change that you make in the files (not the project!) is saved here. This file is checked against when a new instance is starting so that your sessions are started without any trouble.

This ends here. I think the purpose of these files is pretty much clear. The next step is to go inside the folder and look there… Next I will simply just talk about the files, and the output folders where you would find your assemblies being generated.

2. Inside the project directory

Inside the project directory, the required files for the project building procedure are available. The source files, project building libraries, executables and other binaries are all managed and collected to be placed here. Each new file that you create is created here, and the project knows which files you currently hold and which files that you have removed. So overall the directory is just to hold the files for the project. This directory is used as the location for the files and resources when the build process starts.

Figure 2: Inside the project directory.

These are all the files required to run our sample project! The project files, solution files and user preferences are all found here and… well, there is also a simple Program.cs file. All of these files are used to generate the assemblies (which are later placed in the bin folder, displayed above). Technically, if any one of the files required at compile-time is missing, your project cannot compile. You will get errors and you would either have to create a new project, or edit the profile itself to make sure that the errors are minimized. So it is recommended that you do not tamper with these files and let the IDE do what it is intended to do.

Properties

This is another folder in the project itself and well technically it contains the properties for your project. The properties are of the assembly, the information about the assembly, versioning etc are found here. Currently, this folder contains just one file, “AssemblyInfo.cs”.

Figure 3: Properties folder.

This file is used when referencing the assemblies in the projects. You can get more information from MSDN or any other resource that talks about Assembly Information in C# applications.

bin and obj folders

These folders are used when IDE has finished building a project. They are used to maintain the executables for the project. However, they are not required to be there. Your IDE would itself create these folders when you run the build process, if you have deleted them before.

Just for the sake of demonstration, please see the following image, the executable can be found in the following folder:

Figure 4: Debug executable found in the bin folder.

This “.exe” file can be used to execute the code that we just wrote in the application. But remember, if you previously deleted the folders, you still need to build the project again to find the executables here. Otherwise, the folder would be empty.

Points of interest

This is another post in the series of Programming C# on Ubuntu. In this post, I have talked about the overview of the project file and directory structure. Where are your executables placed, what files are provided in the templates and which are optional locations.

This was just an introductory post and that is why it is so concise. In an upcoming post, I will talk about cryptographic services provided by MonoDevelop for C# programming on Ubuntu. So, stay tuned for the next publication.