In this chapter, we discuss the two main components of .NET security:
Permissions, in .NET, provide a layer of security independent of that imposed by the operating system. Their job is twofold:
Limiting the kinds of operations that partially trusted .NET assemblies can perform
Limiting who can do what
The cryptography support in .NET allows you to store or exchange high-value secrets, prevent eavesdropping, detect message tampering, generate one-way hashes for storing passwords, and create digital signatures.
The types covered in this chapter are defined in the following namespaces:
System.Security; System.Security.Permissions; System.Security.Principal; System.Security.Cryptography;
In Chapter 15, we covered isolated storage, which serves another useful role in a secure environment.
The Framework uses permissions for both sandboxing and authorization. A permission acts as a gate that conditionally prevents code from executing. Sandboxing uses code access permissions; authorization uses identity and role permissions.
Although both follow a similar model, they feel quite different to use. Part of the reason for this is that they typically put you on a different side of the fence: with code access security, you’re usually the untrusted party; with identity and role security, you’re usually the untrusting party. Code access security is most often forced upon you by the CLR or a hosting environment such as ASP.NET ...