Chapter 6. Keeping Secrets Secret — Hashing and Encryption
Most Web applications will store data that may be considered sensitive — credit card information, Social Security Numbers, and, of course, passwords. In Chapter 5, you saw how you can encrypt
ViewState and portions of your configuration files to prevent information leakage, but how do you encrypt other data you wish to protect?
In this chapter, you will learn about the following
The four basic areas of cryptography: hashing, generating random numbers, symmetric encryption, and asymmetric encryption
Where it is appropriate to use hashing and how to use it
The difference between symmetric and asymmetric encryption
How to encrypt and decrypt
What algorithms are unsafe
What the Windows Data Protection API provides, and how to use it
As you read through this chapter, you will find a lot of references to "clear text". Clear text simply refers to the unencrypted data you wish to secure. It may not actually be text at all. Generally, encryption algorithms work on binary data. However, clear text is a phrase derived from "plain text,"which refers to information in the language of the communicating parties, a concept used long before computers were available. So cryptography has stuck with using the word "text" when actually it can refer to binary data as well. When reading about cryptography, "plain text" and "clear text" are often synonymous.
The Open Web Security Application Project (OWSAP) lists insecure cryptographic storage as one ...