Encryption API for C#2 recommendations?

views:

answers:

Encryption API for C#2 recommendations?

We need a paid for supported Encryption / Decryption API for a project - AES >256?

I dont want the developers coding their own encryption / decryption even using the built in stuff. To many chances to go wrong.

Links to sites much valued.

UPDATE Due to the fact as many have said - Its hard to understand if you are not familar with encryption, and get a small thing wrong and its busted...

I have seen answers and will be getting our own encryption/decryption from the builtin - but all the team will need to peer review.

For information BlowFish.Net is good, and performs faster than the builtin crypto routines, which when you start to look at encrypting/decrpyting data into a database can have some massive perf issues ...

http://www.codinghorror.com/blog/archives/001268.html

+4 A:

"even using the built in stuff"

The reason that it's built in is so that people have tested, reliable algorithms available to use that implement standards, not black box third party APIs that might not. What are the "chances to go wrong"?

Maybe you need to switch to Java, you can always opt to use third party JSSE providers there if you're paranoid about the built-in provider.

JeeBee 2009-08-14 11:43:22

I suppose the 'chances to go wrong' can lie in the wrongful use of the encryption algorithms; which is quite possible if the guy is not competent in that field. But agreed; built in is certainly the approach.

Noon Silk 2009-08-14 12:23:57

I thought whether it would be because of things like "using a salt", and how to do that. But in that case, the question is more like "Where can I get a User Account API for XYZ". I think that developers should be driven to improve themselves, and if that means learning the basics of security (although any decent university course will have done that) then so be it.

JeeBee 2009-08-14 12:33:53

Its clearly tagged a C# question. hence the -1, there are other peer reviewed implementations too.

2009-08-17 10:27:20

+3 A:

Bouncy Castle is a well respected and well developed .NET encryption library that is usually recommend for these sorts of questions. But what's wrong with using the System.Security.Cryptography Namespace? - it is extremely secure, very fast and doesn't require any external libraries. Here's an example of how to implement it.

Oh, and "using the built in stuff" will mean it is less likely to go wrong. Your developers won't be coding their own classes, just using the interfaces available which are easy to use and have been very rigorously tested.. Also, the "built in stuff" will be well supported by Microsoft, so if you want to upgrade to C# 4.0 (or C# 5.0 in the future?) you probably won't need to change your code at all.

Callum Rogers 2009-08-14 11:44:56

+1 for this thanks. and reasoned answer - please note the update

2009-08-17 10:27:56

Use the builtin 'stuff'. But make sure you use it in the correct mode.

Noon Silk 2009-08-14 11:45:40

+1 Thanks silky - this is the major area of concearn - crypto is hard - and if your not used to this, a small area can bite you

2009-08-17 10:28:46

+1 A:

If you were to use a 3rd party library you would most likely still run into the same issues, which basically boil down to not understanding the pitfalls of encryption.

Without a decent understanding you'll most probably make mistakes with key management, or using bad initialisation vectors or keys. These are issues you'll need to understand to tackle regardless of whether you use the inbuilt libraries (which are fine), or a 3rd party library.

If its something you feel worried about enough, the best recommendation is probably to bring in someone, or better yet - train up people to understand encryption.

PaulG 2009-08-14 11:52:20

+1 thanks Paul - we will get the team together to build one and move from their.

2009-08-17 10:29:23

ansaurus

tags:

views:

answers:

Encryption API for C#2 recommendations?

related questions