Encryption: Comparison and Resources
Special Online Bonus Info For "9 Steps to Secure Forms Authentication," by Beth Breidenbach
By Beth Breidenbach
In my article, "9 Steps to Secure Forms Authentication," (asp.netPRO August 2002), I showed you the choices you face at each step in the authentication process, the implications of those choices, and how to code them safely. Here is some bonus information on encryption: the pros and cons of the popular encryption algorithms as well as where you can learn more.
Encryption Algorithms Comparison
DES (Data Encryption Standard) is a widely used block cipher. It applies a 56-bit key to each 64-bit block of data. DES was long described as a strong algorithm, but its key is too short: a purpose-built machine brute-forced a 56-bit DES key in 1998, so it should not be used for new work. Triple DES (3DES) extends the algorithm by applying DES three times to each block (encrypt, decrypt, encrypt) under two or three distinct keys, giving a 112-bit or 168-bit key; because of meet-in-the-middle attacks, even the three-key variant offers roughly 112 bits of effective strength. For new code, prefer AES (Rijndael), which is the standardized replacement for DES.
MD5 is one of the message-digest algorithms designed by Ron Rivest. It takes a message of any length and produces a 128-bit digest. When this article was written, only pseudo-collisions (collisions in MD5's compression function) had been published; since 2004, practical full collisions have been known, so MD5 is no longer suitable anywhere collision resistance matters, such as signatures, certificates, or integrity checks over attacker-influenced data.
SHA1 (Secure Hash Algorithm 1) is specified in the Secure Hash Standard (SHS, FIPS 180) and was developed by the National Institute of Standards and Technology (NIST). SHA1 accepts a message of fewer than 2^64 bits in length and produces a 160-bit digest. The algorithm is slower than MD5, but the larger digest raises the cost of a generic (birthday) collision search from about 2^64 hash evaluations for a 128-bit digest to about 2^80 for a 160-bit one. Dedicated cryptanalysis has since brought SHA1 collisions within practical reach as well, so the SHA-2 family (SHA-256 and up) should be used for new code; the digest-size argument still holds, it just sets an upper bound on security, not a guarantee.
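The following script is an added example and not code from the article (the article's own code is .NET; Python is used here only because its standard library ships MD5 and SHA1). It makes the comparison above concrete: it reports the generic work factors that follow from key size (exhaustive search, about 2^(k-1) trials) and digest size (birthday search, about 2^(n/2) hash evaluations), and then runs a real birthday search against MD5 and SHA1 digests truncated to 24 bits so that the 2^(n/2) behaviour can be observed in well under a second. The truncation is a constructed experiment, and all function names are the example's own. Note that the script measures only the generic attack; the published breaks of MD5 and SHA1 exploit structural weaknesses and cost far less than these bounds.

```python
"""
Added example (not from the article): the cost of generic attacks is set
by key size (brute force) and digest size (birthday collision search).

Standard library only. The truncated-digest collision search is a
constructed experiment: it keeps only the first few bytes of an MD5 or
SHA1 digest so that the birthday bound is reachable quickly.
"""
import hashlib


def digest_bits(algorithm: str) -> int:
    """Output size of a hashlib algorithm in bits (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8


def brute_force_bound(key_bits: int) -> float:
    """Expected trials to recover a k-bit key by exhaustive search:
    half the keyspace, i.e. 2^(k-1). DES: 2^55; 3-key 3DES is bounded
    at about 2^112 by meet-in-the-middle rather than 2^167."""
    return 2.0 ** (key_bits - 1)


def birthday_bound(digest_bits_: int) -> float:
    """Expected hash evaluations before a generic collision search
    succeeds on an n-bit digest: about 2^(n/2)."""
    return 2.0 ** (digest_bits_ / 2)


def truncated_digest(algorithm: str, msg: bytes, truncate_bytes: int) -> bytes:
    """Hash msg and keep only the leading truncate_bytes of the digest."""
    return hashlib.new(algorithm, msg).digest()[:truncate_bytes]


def find_collision(algorithm: str, truncate_bytes: int):
    """Birthday search on a truncated digest.

    Hashes the counter values 0, 1, 2, ... as ASCII and stops at the first
    repeated truncated digest. Inputs are distinct by construction, so a
    repeat is a genuine collision of the truncated function.
    Returns (message_a, message_b, hash_evaluations).
    """
    seen = {}
    counter = 0
    while True:
        msg = str(counter).encode()
        tag = truncated_digest(algorithm, msg, truncate_bytes)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1


def main() -> None:
    print(f"DES, 56-bit key: ~2^55 = {brute_force_bound(56):.3g} trials")
    for name in ("md5", "sha1"):
        n = digest_bits(name)
        print(f"{name}: {n}-bit digest, generic collision ~2^{n // 2} "
              f"= {birthday_bound(n):.3g} hashes")
    # Constructed experiment: 24-bit truncation, so ~2^12 = 4096 hashes expected.
    for name in ("md5", "sha1"):
        a, b, trials = find_collision(name, 3)
        print(f"{name} truncated to 24 bits: collision after {trials} hashes "
              f"(estimate ~{birthday_bound(24):.0f}): {a!r} vs {b!r}")


if __name__ == "__main__":
    main()
```

Running it shows both truncated hashes colliding after a few thousand evaluations, in line with 2^(24/2). Doubling the digest size squares the work, which is the whole of the MD5-versus-SHA1 argument in the comparison above; it says nothing about attacks that exploit the internals of either function.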
Encryption and Security Resources
Crypto Link Farms (http://www.cs.auckland.ac.nz/~pgut001/links/link_farms.html): A good starting point for encryption resources.
RSA Security (http://www.rsasecurity.com/rsalabs/faq/index.html): An excellent site offering answers to frequently asked questions.
DevelopMentor mailing lists (http://discuss.develop.com): The place to hang out for .NET development questions.
Applied Cryptography, by Bruce Schneier (Wiley): The classic book on cryptography.
Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press): How to code securely, as written by the masters on the subject.
Hacking Exposed, by Stuart McClure, Joel Scambray, and George Kurtz (Osborne/McGraw-Hill): Every developer should at least skim this book, just to get an idea of the attacker mindset.
Black Hat (http://www.blackhat.com): Look at its previous conferences; many of the presentations are available to download.
SQLSecurity.com (http://www.sqlsecurity.com): A good discussion of database security, including SQL Injection attacks.
The Open Web Application Security Project (http://www.owasp.org/asac): A nice classification of Web site attack vectors. Check out the list on the right-hand side for the major classes of attacks a hacker might mount against your code.
Beth Breidenbach is a product architect for Getronics, a Netherlands-based provider of software and infrastructure solutions throughout the world. A self-professed "data geek," Beth has an abiding interest in all aspects of data design, security, storage, and transmission - which was a natural lead-in to exploring the possibilities inherent in the new family of XML-related technologies. Beth's most recent project was the application of XML and database technologies to rule processing engines. E-mail Beth at mailto:[email protected].