I am storing files in S3 and want to encrypt the data to the maximum. I am using ThreeSharp S3 library and it uses DESCryptoServiceProvider to encrypt the data. How strong is DESCryptoServiceProvider compared to other encryption available in .Net?

I have also seen services like Mozy.com that use 448-bit Blowfish encryption. I have done some research and found some free libraries that offer Blowfish. But nothing that tells why Blowfish is better than what .Net provides.

I need to know what is the strongest encryption possible in .Net 3.5. I would also like any suggestions on other libraries that might not be in .Net that would offer higher encryptions.

+13  A: 

DES is obsolete. Its 56-bit key can basically be brute-forced with a laptop's computing power in a matter of hours. The best symmetric key encryption that .Net ships with out of the box is AES 256 (http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider.aspx). A comparison of Blowfish and AES (a.k.a. Rijndael) is beyond the scope of this discussion, but AES is the adopted NIST standard and the way to go for the foreseeable future. See http://en.wikipedia.org/wiki/Advanced_Encryption_Standard for more details.

Remus Rusanu
Remus, thanks for your answer. I am trying to set an AES-256 key such as this: "95A8EE8E89979B9EFDCBC6EB9797528D432DC26061553818EA635EC5D5A7727E". .Net is saying the key length is invalid. I am finding some posts saying that .Net only uses a 128-bit key length for all key sizes. That doesn't seem right. Do you know what is going on here?
Dave
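An added example, not part of the original thread: the comment does not show how the key string was passed to .NET, so this assumes it was converted to bytes as text rather than decoded from hex, which turns 64 characters into 64 bytes instead of the 32 that AES-256 needs. `AesKeyDemo`, `FromHex` and `Encrypt` are hypothetical names, and the plaintext is constructed sample data.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class AesKeyDemo
{
    // Decode hex text into raw key bytes: two hex characters per byte.
    static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new ArgumentException("odd-length hex string");
        byte[] raw = new byte[hex.Length / 2];
        for (int i = 0; i < raw.Length; i++)
            raw[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return raw;
    }

    // AES-CBC with a fresh random IV written in front of the ciphertext.
    // CBC gives confidentiality only; add an HMAC over IV + ciphertext for integrity.
    static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = new AesCryptoServiceProvider())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;   // throws CryptographicException unless 16, 24 or 32 bytes
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (MemoryStream ms = new MemoryStream())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                ms.Write(aes.IV, 0, aes.IV.Length);
                ms.Write(ct, 0, ct.Length);
                return ms.ToArray();
            }
        }
    }

    static void Main()
    {
        string hex = "95A8EE8E89979B9EFDCBC6EB9797528D432DC26061553818EA635EC5D5A7727E"; // key string from the comment
        byte[] data = Encoding.UTF8.GetBytes("constructed sample data");
        byte[] asText = Encoding.ASCII.GetBytes(hex);   // assumed mistake: one byte per character
        byte[] decoded = FromHex(hex);                  // one byte per two hex characters
        Console.WriteLine("as text: {0} bits, decoded: {1} bits", asText.Length * 8, decoded.Length * 8);
        try { Encrypt(asText, data); }
        catch (CryptographicException e) { Console.WriteLine("text bytes rejected: " + e.Message); }
        Console.WriteLine("decoded key accepted, blob is {0} bytes", Encrypt(decoded, data).Length);
    }
}
```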
+2  A: 

DES is nominally 64 bit but actually 56 bit encryption, due to the use of parity bits in the key. However, it is an old federal standard that despite its age has never been broken except by brute force. Generally, you would stick with the standardised encryption algorithms for interoperability, and also because having had more scrutiny than the others if they were going to be broken they probably would already have been. So for strong encryption provided by .NET, you'd be best off going for either 3DES (168 bit effectively) or AES (up to 256 bit) - the latter is implemented under its original name of Rijndael, as .NET first published this library before the AES selection process had formally ended.

In encryption, you need strong enough encryption, not the strongest available. Either of these will do the trick unless you are trying to protect information from people with the same level of resources as the NSA...

David M
+1  A: 

DES is insecure. Use AES. AES is approved by the NSA for all of its top-secret operations.

yodaj007
Bah! You government tool! I have it on good authority from a friend of a friend whose cousin is the neighbor of a guy whose father's son is an NSA operative that AES has secret NSA back-doors, which is why they've "approved" it. ;-)
James Schek
+1  A: 

I'm talking a long time ago now (VB6 days), but I used to use some modules that worked with PGP from within VB. This worked excellently, and given PGP's reputation I would, if I had the choice (i.e. the modules/new .Net libraries still exist), choose it over any of the built-in CLR encryption for security reasons.

Although if there are no recent .Net libraries for PGP, then the 256-bit AES is probably your best bet.

EDIT: Something probably worth noting with AES is that the NSA required that all newer encryption algorithms created contain a back door access system for them to use on encrypted data should they require access (terrorists' encrypted data etc.). Phil Zimmermann (the original author of PGP) point blank refused to do this. While I have no idea which encryption algorithms contain the back door (AES was introduced to .Net well after this argument took place, so there is a high probability it does have a back door), it's safe to say PGP doesn't!

http://www.philzimmermann.com/EN/faq/faq.html

Quote from some security website

"Phil Zimmermann, the anti-government creator of PGP says that copies of its encryption software which were sold before Fall 2001, when he left NAI, are solid, but future versions may be tainted"

So may not be spot on for the latest versions, but I'm happy to use a pre-2001 version (7.0.3 is the last version that Zimmermann would vouch for) :-)

EDIT2: http://www.codeproject.com/KB/security/gnupgdotnet.aspx this looks like it may help.

HTH

OneSHOT

OneSHOT
+1  A: 

Use System.Security.Cryptography.RijndaelManaged 256-bit key. Nothing's going to break that and if there was a cryptographic revolution that could all of a sudden break that, there are probably more important targets than the data you're protecting; banks, international corporations, governments.

A: 

Blowfish is an older cipher than Rijndael. Blowfish is old enough to have been studied in depth, and there have been no effective attacks on it, so it's probably secure enough.

However, the guys who designed Blowfish don't recommend using it anymore. Since I'm no cryptography guru, I'd defer to their judgment on this one. Instead, they recommend Blowfish's successor Twofish, which was one of the AES finalists.

BlackAura