Security in the .NET Framework WHAT YOU WILL LEARN IN THIS CHAPTER Concepts and defi nitions ➤ Permissions ➤ Roles ➤ Principals ➤ Code access permissions ➤ Role - based permissions ➤ Identity permissions ➤ User Access Control (UAC) ➤ E n c r y p t i o n ➤ H a s h i n g ➤ Symmetric Key Encryption ➤ Asymmetric Key Encryption ➤ Digital Signatures ➤ X.509 Certifi cates ➤ S S L ➤ This chapter covers the basics of security and cryptography. It begins with a brief discussion of the .NET Framework ’ s security architecture, because this affects all the solutions you may choose to implement. The .NET Framework provides you with best practices, tools, and core functionality with regard to security. You have the System.Security.Permissions namespace, which enables you to control code access permissions along with role - based and identity permissions. Through your code, you can control access to objects programmatically, as well as receive information on the current permissions of objects. This security framework will assist you in determining whether you have permissions to run your code, instead of getting halfway through execution and having to deal with permission - based exceptions. 32 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1022 ❘ CHAPTER 32 sECuRity iN tHE .NEt FRamEwoRk Cryptography is the cornerstone of the .NET Web Services security model, so the second half of this chapter discusses the basis of cryptography and how to implement it. Specifi cally, it covers the following: Hash algorithms ➤ S H A ➤ MD5 ➤ Secret key encryption ➤ Public key cryptography standard ➤ Digital signatures ➤ Certifi cation ➤ Secure Sockets Layer communications ➤ Let ’ s begin by looking at some security concepts and defi nitions. As always, the code for this chapter is available for download from www.wrox.com , which you may want in order to follow along. SECURITY CONCEPTS AND DEFINITIONS Table 32 - 1 describes the different types of security presented in this chapter and how they relate to real - world scenarios. SECURITY TYPE RELATED CONCEPT IN SECURITY .PERMISSIONS NAMESPACE P U R P O S E NTFS N o n e Allows for detailed fi le system rights, e.g., locking down of specifi c fi les Cryptographic Strong name and assembly, generation, SignCode.exe utility Use of public key infrastructure and certifi cates Programmatic Groups and permission sets For use in pieces of code that are being called into. Provides extra security to prevent users of calling code from violating security measures implemented by the programs that are not provided for on a machine level. User Access Control Users run without administrative permission Provided by the operating system to help users protect their system from unexpected changes that might occur when logged in using the machine ’ s administrator account. TABLE 321: Types of Security There are many approaches to providing security on the machines where your shared code is hosted. If multiple shared code applications are on one machine, each piece of shared code can be called from many front - end applications. Each piece of shared code will have its own security requirements for accessing environment variables — such as the registry, the fi le system, and other items — on the machine that it is running on. From an NTFS perspective, the administrator of your server can only lock down those items on the machine that are not required to be accessed from any piece of shared code running on it. Therefore, some applications need additional security built-in to prevent any calling code from doing things it is not supposed to do. One of the more signifi cant changes to security in .NET 4 is the removal of Code Access Security policies. Similar to the old Permview.exe , CasPol.exe is now an obsolete utility, and as such coverage of this topic has been omitted. Additionally, the PermCalc.exe tool has also been made obsolete with .NET 4. Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com To limit your Internet applications’ access to the local file system, you create a permission set that limits that access and associates the Internet application group with this permission set. By default, the .NET environment provides one code group named All Code that is associated with the FullTrust permission set. A permission set is a combination of security configurations. This set defines what each authorized user has access to and what that user can do on that machine — for instance, whether the user can read environment variables or the file system, or execute other code. Security that is used within the programming environment also makes use of permission sets. Through code you can control access to files in a file system, environment variables, file dialogs, isolated storage, reflections, registry, sockets, and UI. Isolated storage and virtual file systems are new operating system–level storage locations that can be used by programs and are governed by the machine security policies. These file systems keep a machine safe from file system intrusion by designating a regulated area for file storage. The main access to these items is controlled through code access permissions. Although many methods that we use in Visual Basic provide an identifiable return value, the only time we get a return value from security methods is when the method fails. When a security method succeeds, it does not provide a return value. If it fails, then it returns an exception object reflecting the specific error that occurred. PERMISSIONS IN THE SYSTEM.SECURITY.PERMISSIONS NAMESPACE The System.Security.Permissions namespace is the namespace used in code to establish and use permissions associated with objects, including the file system, environment variables, and the registry. The namespace controls access to both operating system–level objects as well as code objects. In order to use this namespace in your project, you need to import it. Using this namespace gives you access to the CodeAccessPermission and PrincipalPermission classes for using role-based permissions and information supplied by identity permissions. CodeAccessPermission controls access to the operating system–level objects. Role-based permissions and identity permissions grant access to objects based on the identity of the user of the program that is running (the user context). Table 32-2 lists the members of the System.Security.Permissions namespace that apply to Windows application programming. While there is a description accompanying each member, those classes that end with Attribute, such as EnvironmentPermissionAttribute, are classes that enable you to modify the security level at which your code is allowed to interact with each respective object. These objects create a declarative model for setting security that can be leveraged across multiple different implementation models. The default environment will provide a given level of access. It is not possible to grant access beyond this level via code access security; however, when working with these classes you can specify exactly what should or should not be available in a given situation. Additionally, these classes have been marked to prevent inheritance. It really wouldn’t be a very secure system if you could inherit from one of these classes. Code could be written to override the associated security methods and grant unlimited permissions. Table 32-2 also deals with security in regard to software publishers. A software publisher is a specific entity that is using a digital signature to identify itself in a Web-based scenario. CLASS DESCRIPTION CodeAccessSecurityAttribute Base class for code access security attribute classes DataProtectionPermission Controls access to the data protection APIs , T DataProtectionPermissionAttribute Allows declarative control of DataProtectionPermssion via code EnvironmentPermission Controls the capability to see and modify system and user environment variables TABLE 322: Members of System.Security.Permissions continues Permissions in the System.Security.Permissions Namespace ❘ 1023 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1024 ❘ CHAPTER 32 sECuRity iN tHE .NEt FRamEwoRk CLASS DESCRIPTION EnvironmentPermissionAttribute Allows security actions for environment variables to be added via code FileDialogPermission Controls the capability to open files via a file dialog FileDialogPermissionAttribute Allows security actions to be added for file dialogs via code FileIOPermission Controls the capability to read and write files in the file system FileIOPermissionAttribute Allows security actions to be added for file access attempts via code GacIdentityPermission Defines the identity permissions for files that come from the global assembly cache (GAC) GacIdentityPermissionAttribute Allows security actions to be added for files that originate from the GAC HostProtectionAttribute Allows for the use of security actions to determine host protection requirements IsolatedStorageFilePermission Controls access to a private virtual file system within the isolated storage area of an application IsolatedStorageFilePermissionAttribute Allows security actions to be added for private virtual file systems via code IsolatedStoragePermission Controls access to the isolated storage area of an application IsolatedStoragePermissionAttribute Allows security actions to be added for the isolated storage area of an application KeyContainerPermission Controls access to key containers KeyContainerPermissionAccessEntry Defines the access rights for particular key containers KeyContainerPermissionAccess EntryCollection Represents a collection of KeyContainerPermission-AccessEntry objects KeyContainerPermissionAccess EntryEnumerator Represents the enumerators for the objects contained in the KeyContainerPermissionAccessEntryCollection object KeyContainerPermissionAttribute Allows security actions to be added for key containers MediaPermission The permission set associated with the capability to access audio, video, and images. WPF leverages this capability. MediaPermissionAttribute Allows code to set permissions related to the MediaPermission set PermissionSetAttribute Allows security actions to be added for a permission set PrincipalPermission Controls the capability to verify the active principal PrincipalPermissionAttribute Allows verification of a specific user. Security principals are a user and role combination used to establish security identity. PublisherIdentityPermission Allows access based on the identity of a software publisher PublisherIdentityPermissionAttribute Allows security to be defined for a software publisher TABLE 322 (continued) Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com CLASS DESCRIPTION ReflectionPermission Controls access to nonpublic members of a given type ReflectionPermissionAttribute Allows security to be defined for public and nonpublic members of a given type RegistryPermission Controls access to registry keys and values RegistryPermissionAttribute Allows security to be defined for the registry ResourcePermissionBase Controls the capability to work with the code access security permissions ResourcePermissionBaseEntry Allows you to define the smallest part of a code access security permission set SecurityAttribute Controls which security attributes are representing code; used to control security when creating an assembly SecurityPermission This collection is used in code to specify a set of permissions for which access will be defined. SecurityPermissionAttribute Allows security actions for the security permission flags StorePermission Controls access to stores that contain X.509 certificates StorePermissionAttribute Allows security actions to be added for access stores that contain X.509 certificates StrongNameIdentityPermission Defines the permission level for creating strong names StrongNameIdentityPermissionAttribute Allows security to be defined on the StrongNameIdentityPermission set StrongNamePublicKeyBlob The public key information associated with a strong name TypeDescriptorPermission Permission set that controls partial-trust access to the TypeDescriptor class TypeDescriptorPermissionAttribute Allows security to be defined on the TypeDescriptorPermission set UIPermission Controls access to user interfaces and use of the Windows clipboard UIPermissionAttribute Allows security actions to be added for UI interfaces and the use of the clipboard UrlIdentityPermission Permission set associated with the identity and related permissions for the URL from which code originates UrlIdentityPermissionAttribute Allows security to be defined on the UrlIdentityPermission set WebBrowserPermission Controls the capability to create the WebBrowser control WebBrowserPermissionAttribute Allows security to be defined on the WebBrowser Permission set ZoneIdentityPermission Defines the identity permission for the zone from which code originates ZoneIdentityPermissionAttribute Allows security to be defined on the ZoneIdentity Permission set Permissions in the System.Security.Permissions Namespace ❘ 1025 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1026 ❘ CHAPTER 32 sECuRity iN tHE .NEt FRamEwoRk Code Access Permissions Code access permissions are controlled through the CodeAccessPermission class within the System.Security namespace The code access permissions are used extensively by the common language runtime (CLR) to manage and secure the operating environment. The code access permissions grant and deny access to portions of the operating system such as the file system, but although your code can request permission changes, there is a key limit. Code using this API can request to reduce the rights of the user currently executing the code, but the API will not grant rights that a user does not have within his or her current context or based on those available from the CLR. When code is downloaded from a website,and the user then attempts to run the code; the CLR can choose to limit the rights of that code given that it shouldn’t by default be trusted. For example, requesting access to the system registry will be denied if the operating system does not trust that code. Thus, the primary use of code access security by application developers is to limit the permissions already available to a user given the current context of what the user is doing. Code access security leverages many of the same core security methods used across the various security categories, many of which are described in Table 32-3. METHOD DESCRIPTION Assert Sets the permission to full access so that the specific resource can be accessed even if the caller hasn’t been granted permission to access the resource Copy Copies a permission object Demand Returns an exception unless all callers in the call chain have been granted the permission to access the resource in a given manner Deny In prior versions of .NET you would use this to explicitly deny access. This will still work, but it’s becoming obsolete and should be avoided. Equals Determines whether a given object is the same instance of the current object FromXml Establishes a permission set given a specific XML encoding. This parameter that this method takes is an XML encoding. Intersect Returns the permissions that two permission objects have in common IsSubsetOf Returns a result indicating whether the current permission object is a subset of a specified permission PermitOnly Specifies that only those rights within this permission set can be accessed even if the user of the assembly has been granted additional permission to the underlying objects. This is one of the more common permission levels when working with custom permission sets. RevertAll Reverses all previous assert, deny, or permit-only methods RevertAssert Reverses all previous assert methods RevertDeny Reverses all previous deny methods RevertPermitOnly Reverses all previous permit-only methods Union Creates a permission that is the union of two permission objects TABLE 323: Methods of CodeAccessPermission Identity Permissions Identity permissions are pieces of information, also called evidence, by which an assembly can be identified. Examples of the evidence would be the strong name of the assembly or the digital signature associated with the assembly. Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Identity permissions are granted by the runtime based on information received from the trusted host, or the operating system ’ s loader. Therefore, they are permissions that you don ’ t specifi cally request. Identity permissions provide additional information to be used by the runtime. The identity information can take the form of a trusted host ’ s URL or can be supplied via a digital signature, the application directory, or the strong name of the assembly. Identity permissions are similar to code access permissions discussed in the preceding section. They derive from the same base class as the code access permissions. Role - Based Permissions Role - based permissions are permissions granted based on the user and the role that code is being called with. Users are authenticated within the operating system platform and hold a Security Identifi er (SID) that is associated within a security context. The SID is associated with one or more roles or group memberships that are established within a security context. .NET supports those users and roles associated within a security context and has support for generic and custom users and roles through the concept of principals. A principal is an object that holds the current caller ’ s credentials. This includes the identity of the user. Principals come in two types: Windows principals and non - Windows principals. Windows - based principal objects are objects that store the Windows SID information regarding the current user context associated with the code that is calling into the module role - based permissions that are being used. Non - Windows principals are principal objects that are created programmatically via a custom login methodology and which are made available to the current thread. Role - based permissions are not set against objects within your environment like code access permissions. They are checked within the context of the current user and user ’ s role. The concepts of principals and the PrincipalPermission class are used to establish and check permissions. If a programmer passes the user and role information during a call as captured from a custom login, then the PrincipalPermission class can be used to verify this information as well. The PrincipalPermission class does not grant access to objects, but has methods that determine whether a caller has been given permissions according to the current permission object through the Demand method. If a security exception is generated, then the user does not have suffi cient permission. As an example of how you might use these methods, the following code snippet captures the current Windows principal information and displays it on the screen in a text box. It is included as part of the ProVB_Security project, which has the same basic structure as the ProVB_VS2010 project introduced in Chapter 1. Each element of the principal information could be used in a program to validate against, and thus restrict, code execution based on the values in the principal information. This example inserts an Imports System.Security.Principal line at the top of Form1.vb so you can directly reference identity and principal objects without full namespace qualifi ers: Imports System.Security.Principal ' < PrincipalPermissionAttribute(SecurityAction.Demand, Name:="WSheldon", Role:="Users") > _ Private Sub DisplayPrincipalIdentity() ' The attribute above can be used to check security declaratively ' similar to how you would check using WPF or Silverlight. ' The code below uses imperative commands to get security information. Dim objIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() TextBox1.Text = "User Name: " & objIdentity.Name & Environment.NewLine TextBox1.Text & = "Is Guest: " & objIdentity.IsGuest.ToString() & Environment.NewLine A strong name is a combination of the name of a program, its version number, and its associated cryptographic key and digital signature fi les. Permissions in the System.Security.Permissions Namespace ❘ 1027 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1028 ❘ CHAPTER 32 sECuRity iN tHE .NEt FRamEwoRk TextBox1.Text & = "Is Authenticated: " & objIdentity.IsAuthenticated.ToString() & Environment.NewLine Dim objPrincipal As New Security.Principal.WindowsPrincipal(objIdentity) ' Determine if the user is part of an authorized group. TextBox1.Text & = "Is in Role Users? " & objPrincipal.IsInRole("Users") & Environment.NewLine TextBox1.Text & = "Is in Role Administrators? " & objPrincipal.IsInRole("Administrators") End Sub Code snippet from Form1.vb This code illustrates a few of the properties that could be used to validate against when a caller wants to run your code. The attribute at the top of this is commented out at this point by design. It represents a declarative security check similar to what you would use from the XAML in a WPF or Silverlight project. First, however, lets examine this code being run, as shown in Figure 32 - 1. It starts by retrieving the user name of the currently authenticated Windows principal. Pay attention to the fact that this is a fully qualifi ed username with the machine name included. It then uses the identity checks to see if the current identity is the Guest account, and ensures that the user was authenticated. At this point the snippet creates a new WindowsPrincipal based on the current user ’ s identity. This object allows you to query to see if the current user is in a role. In this case, my account is in the role of a user as a member of the Users security group, but is not in the role of an administrator even though it is part of the Administrators group. Roles are typically defi ned via security groups, but I was careful to not say that this method allowed you to determine if a user were in a given group. That ’ s because under Windows Vista and Windows 7, the operating system keeps a user from running in the Administrator role even if they are part of the Administrators group. Thus, the check for whether the code is running in the role Administrators returns false — even though my WSheldon account is in fact a member of the Administrators group on this machine. Only if the user chooses to have their permission elevated will this query return true. FIGURE 32  1 The issue of permission elevation in relation to User Access Control (UAC) and the fact that the WSheldon account is in fact an Administrator on the system is discussed later in this chapter. However, now uncomment the attribute line that precedes this method. Notice that it is making a Demand security query and passing a user name, and a role name as part of this name. Because these are named optional parameters, the code could in theory only check for a role, which is a much more usable check in a real - world application. However, in this case only use a name and do not include the machine as part of the full user name. As a result, when ButtonTest is clicked this declarative check fails and the error shown in Figure 32 - 2 is displayed. Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com FIGURE 322 This illustrates how the same objects that have been available since the early versions of .NET are still used within XAML to enable the same level of security to declarative applications. The principal and identity objects are used in verifying the identity or aspects of the identity of the caller attempting to execute your code. Based on this information, your application can either lock down system resources or adjust the options available to users within your custom application. The Identity and Principal objects make it possible to have your application respond as changes to user roles occur within Active Directory. MANAGING CODE ACCESS PERMISSION SETS This section looks at programmatic access to permissions. The example extends the ProVB_Security project discussed earlier. This example illustrates how when a method fails, an exception object containing the result is generated. Note that in the case of a real-world example, you would be setting up permissions for a calling application. In many instances, you don’t want a calling application to be able to access the registry, or you want a calling application to be able to read memory variables but not change them. Keep in mind that you can only limit those permissions which are already available to a user based on their identity. You can’t grant access to a portion of the operating system via code that the user doesn’t have access to based on their identity. The example first sets up the permission that is wanted and then grants the code the appropriate access level. Then code that accesses this security object illustrates the effect of these new permissions on the code: Private Sub TestFileIOPermission() Dim oFp = New FileIOPermission( Managing Code Access Permission Sets ❘ 1029 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1030 ❘ CHAPTER 32 sECuRity iN tHE .NEt FRamEwoRk FileIOPermissionAccess.AllAccess, "C:\Test") oFp.PermitOnly() 'Try Dim strmWrite As New IO.StreamWriter( File.Open("C:\Test\Permission.txt", IO.FileMode.Open)) strmWrite.WriteLine("Hi there!") strmWrite.Flush() strmWrite.Close() Dim objWriter As New IO.StreamWriter( File.Open("C:\Test\NoPermission.txt", IO.FileMode.Open)) objWriter.WriteLine("Hi there!") objWriter.Flush() objWriter.Close() 'Uncomment the lines below (comment those above) to reverse the test. 'Dim oFp = New FileIOPermission(FileIOPermissionAccess.Read, "C:\") 'oFp.PermitOnly() 'Dim temp = oFp.AllFiles.ToString() 'Dim strmWrite = New IO.StreamWriter( ' File.Open("C:\Test\Permission.txt", ' IO.FileMode.Open)) 'strmWrite.WriteLine("Hi there!") 'strmWrite.Flush() 'strmWrite.Close() 'Dim objWriter = New IO.StreamWriter( ' File.Open("C:\Test\NoPermission.txt", ' IO.FileMode.Open)) 'objWriter.WriteLine("Hi there!") 'objWriter.Flush() 'objWriter.Close() ''Catch objA As System.Exception ''MessageBox.Show(objA.Message) ''End Try End Sub Code snippet from Form1.vb The first example attempts to access a file in the file system. This illustrates the use of the FileIOPermission class. Create a new folder on your C:\ drive called Test. Within this folder create two new files, the first file C:\Test\Permission.txt will use the default permissions assigned when you created the account. The second file C:\Test\NoPermission.txt (these files are not part of the download) has its permissions modified. To do this, access the file’s properties by right-clicking on the file and choosing Properties. On the Properties dialog select the Security tab and then use the Advanced button. Within the Advanced Security Settings dialog use the Change Permission button to open the Advanced Security Settings dialog. Next go to the bottom of this dialog and unclick the check box “Include inheritable permissions from this object’s parent” check box. You will need to verify that you want to add the security settings for this file to the file itself. After returning to the original Properties dialog by clicking the OK buttons you will want to remove the settings for Authorized Users. To do this you will need to use the Edit button to access the Permission dialog where you can use the Remove button. After having done this you will have removed the default modify permission for authenticated users to this file. The result should be the permission level that is depicted in Figure 32-3. Note that there are only three Group or usernames assigned permissions. Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com [...]... the National Institute of Standards and Technology (NIST) in January 2000 The original DSA standard, however, was issued by NIST much earlier, in August 199 1 DSA cannot be used for encryption and is good only for digital signature Digital signature is discussed in more detail in the next section Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 1 044   ❘  Chapter 32   SecuriTY... Imports Microsoft.VisualBasic.ControlChars Public Class SymKey Figure 32 -9 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Encryption Basics  ❘  1 043 Public Sub Main(ByVal CmdArgs() As String) Dim keyz As StringBuilder = New StringBuilder Dim ivz As StringBuilder = New StringBuilder keyz.Append("Dim b64Keys() As String = { _" + VbCrLf) ivz.Append(vbCrLf + "Dim b64IVs() As String... Private Shared b64Keys() As String = {"YE32PGCJ/g0=", _ "vct+rJ09WuUcR61yfxniTQ==", _ "PHDPqfwE3z25f2UYjwwfwg4XSqxvl8WYmy+2h8t6AUg=", _ Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Encryption Basics  ❘  1 041 "Q1/lWoraddTH3IXAQUJGDSYDQcYYuOpm"} Private Shared b64IVs() As String = {"onQX8hdHeWQ=", _ "jgetiyz+pIc=", _ "pd5mgMMfDI2Gxm/SKl5I8A==", _ "6jpFrUh8FF4="} Public Shared... people and organizations have turned off UAC However, as a developer you should now have it reenabled on your desktop and should begin to understand how to work both within its default constraints and beyond them Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Defining Your Application UAC Settings  ❘  1033 Defining Your Application UAC Settings By default in Visual Studio 2010, ... hmac.ComputeHash(fs) Dim b 64 As String = Convert.ToBase64String(hash) fs.Close() Return b 64 End Function End Class Code snippet from TestHashKey.vb The preceding snippet creates the object instance of the NET SDK Framework class with a salt (a random secret to confuse a snooper) The next four lines compute the hash, encode the binary hash into a printable Base 64 format, close the file, and then return the Base 64 encoded... 32-8 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Encryption Basics  ❘  10 39 The previous example uses an instance of the HMACSHA1 class The output displayed is a Base 64 encoding of the binary hash result value As noted earlier, Base 64 encoding is widely used in MIME and XML file formats to represent binary data To recover the binary data from a Base 64- encoded string, you... event handler The resulting display should be similar to what is shown in Figure 32-12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Summary  ❘  1 0 49 Figure 32-12 Summary This chapter covered the basics of security and cryptography It began with an overview of the security architecture of the NET Framework The chapter introduced the four types of security within Windows and. .. theory and how it can be applied within your applications You looked at the different types of cryptographic hash algorithms, including SHA, MD5, symmetric key encryption, and PKCS You should also understand how you can use digital certificates, such as X.5 09 and Secure Socket Layer (SSL) certificates Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Simpo PDF Merge and Split... The most common encodings are things like UTF8, UTF7, and Base 64 encoding These encodings are typically used to take information that might interact with a container and hide the special characters Thus, if you want to embed binary data within an XML file and want to ensure that the binary data won’t interfere with the XML, you can Base 64 the data, and it can safely be placed within an XML file Encoding... be displayed and the index from the array algo, which is the name of the algorithm to be used It then looks for the input and output files, and finally a Boolean indicating whether the input should be encrypted or decrypted Within the code, first the action is to open the input and output files The code then creates an instance of the selected algorithm and converts the initial vector and key strings . project Message Digest in 199 6. By 199 7, the design of RIPEMD-160 was finalized. RIPEMD- 160 is a 160-bit hash algorithm that is meant to be a replacement for MD4 and MD5. The .NET Framework 2.0 introduced. established within a security context. .NET supports those users and roles associated within a security context and has support for generic and custom users and roles through the concept of principals Encryption ➤ Digital Signatures ➤ X.5 09 Certifi cates ➤ S S L ➤ This chapter covers the basics of security and cryptography. It begins with a brief discussion of the .NET Framework ’ s security architecture,