The Developer’s Guide to Cryptography: Why ASP.NET Core 2 Gets It Right

Last time, we discussed what AES encryption looks like in Node.js. Now, to get a flavor of what other languages and frameworks do for AES encryption, we’ll take a look at ASP.NET Core 2.

I am excited about what ASP.NET Core and .NET Core in general do for C# and other Microsoft technologies. ASP.NET Core runs on Windows, macOS, and Linux, bringing C# to a wider audience than ever before.

Another reason to like ASP.NET Core is how it handles encryption within the framework. Frankly, this will end up being a short post, and that is a good thing.

Encryption With ASP.NET Core Data Protection API

When I was doing my research on this topic, I was expecting a series of calls to several classes and methods in order to generate keys and then encrypt the data. I was pleased to find that this is not the way it works.

Instead, there exists a Data Protection API designed to make encryption simple for developers. It starts with the IDataProtector interface. This interface defines methods called Protect and Unprotect. Another interface, IDataProtectionProvider, defines a CreateProtector method that returns an instance of IDataProtector.

One of the great additions of ASP.NET Core is built-in dependency injection (DI). A developer can use this DI to inject an instance of IDataProtectionProvider and then use it to create an instance of IDataProtector. It looks like this:

[Image: AES_net_idataprotector]

To encrypt data, call the Protect method and pass in the data you need to encrypt. Unprotect will decrypt the data for use.

[Image: AES_net_protectdata]

And that is it. Call Protect to encrypt, and Unprotect to decrypt.

What ASP.NET Core does right

Throughout this discussion, I didn’t mention any algorithms or extra steps to make sure your implementation is as secure as it should be. There is a good reason for this. ASP.NET Core follows a core principle of good security (and other) API engineering: Make it easy for developers to do the right thing, and hard to do the wrong thing.


How does ASP.NET Core’s Data Protection API do this? First, its API is simple and easy to use. All that is needed is to inject an IDataProtector instance and call a method.

Second, the default algorithm is AES256. It also uses HMACSHA256 to ensure authenticity (HMACs are a topic for another post). Strong encryption by default eliminates any decisions and room for error.

Third, developers don’t manage keys. The API does that for them. Keys are generated when the API is called. They are stored safely. The keys are rotated automatically every 90 days. Key management is a place where developers can go wrong, so it’s nice to see an API that helps manage that by default.

Lessons from the Core

We’ve learned how to encrypt data with ASP.NET Core. You can learn more about the Data Protection API on Microsoft’s documentation site. It is definitely worth a read.

Developers and security practitioners alike can take a lesson from this API. Developers that are creating APIs for other developers to consume can take the lesson in encapsulation. There are no leaky abstractions with the Data Protection API. The methods simply do what they tell you they do and handle all of the details themselves.

Security practitioners should take to heart the lesson of making security easy. Many developers genuinely want to do the right thing and simply don’t have the knowledge and training to do it. It is our job as security guides to make security easy for developers.

If you make it easy, they will come.
