Listen to this Post
In the realm of software development, securing sensitive data such as API keys, database passwords, and user secrets is paramount. A single exposed key or password can compromise your entire infrastructure. While many developers still rely on basic encoding or weak encryption, properly implemented encryption serves as the last line of defense, ensuring that stolen data remains unreadable even if other security measures fail.
.NET provides built-in support for cryptography, including the Advanced Encryption Standard (AES) algorithm, a symmetric encryption method widely regarded for its security and efficiency.
You Should Know: Implementing AES Encryption in .NET
To encrypt sensitive data using AES in .NET, follow these steps:
1. Generate a Key and Initialization Vector (IV):
AES requires a secret key and an IV for encryption and decryption. Both should be securely stored and managed.
using System.Security.Cryptography; using Aes aes = Aes.Create(); byte[] key = aes.Key; byte[] iv = aes.IV;
2. Encrypt Data:
Use the generated key and IV to encrypt your sensitive data.
byte[] EncryptStringToBytes_Aes(string plainText, byte[] key, byte[] iv)
{
using Aes aesAlg = Aes.Create();
aesAlg.Key = key;
aesAlg.IV = iv;
ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
using MemoryStream msEncrypt = new MemoryStream();
using CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write);
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
{
swEncrypt.Write(plainText);
}
return msEncrypt.ToArray();
}
3. Decrypt Data:
To decrypt the data, use the same key and IV.
string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] key, byte[] iv)
{
using Aes aesAlg = Aes.Create();
aesAlg.Key = key;
aesAlg.IV = iv;
ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
using MemoryStream msDecrypt = new MemoryStream(cipherText);
using CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
using StreamReader srDecrypt = new StreamReader(csDecrypt);
return srDecrypt.ReadToEnd();
}
4. Securely Store the Key and IV:
The security of AES encryption relies heavily on how the key and IV are stored. Consider using secure storage solutions like Azure Key Vault or hardware security modules (HSMs).
Additional Security Measures
- Envelope Encryption: Encrypt the AES key (DEK) with another key (KEK) derived from a user password or stored in a trusted platform module (TPM).
- Hashing Passwords: For database credentials, always use hashing algorithms like bcrypt or Argon2 instead of encryption.
- Operating System Differences: Be aware of how different operating systems handle encryption keys. For example, Windows may silently decrypt keys for logged-in users, while macOS requires authentication.
Example: Decrypting Chrome Passwords on Windows
The following Python script demonstrates how an attacker could decrypt Chrome passwords stored on Windows:
import os
import json
import base64
import sqlite3
from Crypto.Cipher import AES
import win32crypt
def decrypt_chrome_password(key, encrypted_password):
try:
iv = encrypted_password[3:15]
payload = encrypted_password[15:]
cipher = AES.new(key, AES.MODE_GCM, iv)
decrypted_pass = cipher.decrypt(payload)
decrypted_pass = decrypted_pass[:-16].decode() # Remove suffix
return decrypted_pass
except Exception as e:
print(f"Error decrypting password: {e}")
return ""
<h1>Fetch the encryption key</h1>
secret_key = win32crypt.CryptUnprotectData(secret_key, None, None, None, 0)[1]
<h1>Decrypt passwords</h1>
<h1>(Full script available at: https://github.com/ohyicong/decrypt-chrome-passwords)</h1>
What Undercode Says
AES encryption is a powerful tool for securing sensitive data, but its effectiveness depends on how the encryption keys are managed. Always use secure storage solutions and consider additional layers of security like envelope encryption and hashing. Be mindful of operating system-specific behaviors, as they can significantly impact the security of your encrypted data.
Expected Output:
- Encrypted data using AES in .NET.
- Decrypted data using the same key and IV.
- Secure storage of keys and IVs in Azure Key Vault or HSMs.
- Awareness of OS-specific encryption behaviors.
Relevant URLs:
References:
Reported By: Milan Jovanovic – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
