Chapter 6. Keeping Secrets Secret — Hashing and Encryption

Most Web applications will store data that may be considered sensitive — credit card information, Social Security Numbers, and, of course, passwords. In Chapter 5, you saw how you can encrypt ViewState and portions of your configuration files to prevent information leakage, but how do you encrypt other data you wish to protect?

In this chapter, you will learn about the following

  • The four basic areas of cryptography: hashing, generating random numbers, symmetric encryption, and asymmetric encryption

  • Where it is appropriate to use hashing and how to use it

  • The difference between symmetric and asymmetric encryption

  • How to encrypt and decrypt

  • What algorithms are unsafe

  • What the Windows Data Protection API provides, and how to use it

As you read through this chapter, you will find a lot of references to "clear text". Clear text simply refers to the unencrypted data you wish to secure. It may not actually be text at all. Generally, encryption algorithms work on binary data. However, clear text is a phrase derived from "plain text,"which refers to information in the language of the communicating parties, a concept used long before computers were available. So cryptography has stuck with using the word "text" when actually it can refer to binary data as well. When reading about cryptography, "plain text" and "clear text" are often synonymous.


The Open Web Security Application Project (OWSAP) lists insecure cryptographic storage as one ...

Get Beginning ASP.NET Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.