tags:

views:

614

answers:

4
+1  Q: 

Recommended .NET encryption library

After reading (yet another) post by Jeff more or less concluding that us mortal developers shouldn't be getting too involved with encryption, I'm left wondering what library I should be using. The only two libraries I've found that seem legitimate are entlib's and bouncycastle, but they don't seem much more of an abstraction than the .NET crypto APIs to me.

I guess what I'm wondering is if there is a "jQuery of crypto libraries" that is simple, widely-trusted, open and well documented.

+3  A: 

Bouncy Castle seems to be pretty widely respected

Jon Galloway  2009-07-24 21:54:49
+6  A: 

The Bouncy Castle library is indeed a well respected, and mature encryption library, but what's wrong with using many of the fantastic encryption functions that are built right into the .NET framework?

System.Security.Cryptography Namespace

In my experience, these implementations are rock-solid, provide numerous options (for example: you've usually got a Crypto API, CNG and Managed implementations of each algorithm to choose from) , and you're not going to "get it wrong", since you're only using the implementation. If you're slightly worried that you might use them incorrectly, you can always follow MSDN's own example code.

CraigTP  2009-07-24 22:07:33
I think the article (and their predecessors) I linked to gives compelling enough reasons as to why the majority of us developers should probably not get too carried away using that namespace. So I guess that's all to say I'm just going off what sounds like good advice.http://www.codinghorror.com/blog/archives/001275.html
jayrdub  2009-07-24 22:16:49
You link to an example rijndael implementation, but that puts a decision on me to decide between all the different algorithms. I would prefer an abstraction that gave me methods like EncryptStringForBrowser() (an example given by Jeff) so that an expert can decide to use rijndael or aes under the hood.
jayrdub  2009-07-24 22:26:17
@jayrdub - I see what you're saying about abstraction, but I don't think a complete full layer of extra code (as per a 3rd party lib like BC) is necessary. You don't want to implement it yourself for good reason, and you don't want to "misuse" the implementation and weaken security. All good things, but I think this can easily be achieved with the framework's built-in classes and the example code on MSDN. The example there gives a "encryptStringToBytes" style function that makes it a "no-brainer" to use for strings without weakening security.
CraigTP  2009-07-25 07:51:18
(continued).. As for the onus being on yourself to decide which algorithm to choose, well, Rijndael is the Advanced Encryption Standard and is pretty solid, and choosing between the CryptoAPI/CNG/Managed implementations should be largely a matter of speed, performance, availability of the CNG libs etc. rather than security since they are all the same algorithm. I do agree with you regarding a certain level of abstraction to prevent us mere mortals from screwing it up, but at the same time, *too much* abstraction (using something without knowing *at all* what it's doing) can be a bad thing!
CraigTP  2009-07-25 07:56:51
+2  A: 

You have completely misunderstood the maxim "do not implement encryption routines yourself". What this means is: do not roll your own RSA/DSA/whatever encryption algorithm. It doesn't mean that you shouldn't use one written by someone who knows what they are doing. In fact, if anything, adding more layers between you and the trusted algorithm is going to hurt you, and not the reverse.

Jon Grant  2009-07-25 22:48:29
I agree with that.
Sam Saffron  2009-07-25 22:53:54
It also means "don't make up your own algorithm". The approach of "I can't see how I'd break it so I can't see how anybody else would" does not give you security.
Steve Gilham  2009-07-25 22:55:31
I don't disagree, I'm just trying to get a grasp on whether or not there is some awesome library out there that I've missed out on because of the way Jeff discusses trying to avoid using .NET's API in favor of "a proven, domain-expert-tested set of code that thousands if not millions of developers already rely on". I'm getting the feeling there isn't (besides maybe the two I mentioned).
jayrdub  2009-07-27 05:20:14
A: 

EntLib Cryptography block works well for most of encryption/hashing needs.

dipbhi  2009-07-26 00:39:47

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?