I would like to dedicate this book to my wife, Amanda, and my two kids, Amy and Daniel. Their support makes completing large projects like this much easier when I am sitting on my own in a room trying to write.
Assume breach. That’s pretty much the point we’ve reached in the industry now where we need to resign ourselves to the fact that despite our best efforts, the likelihood of an attacker gaining access to our systems is alarmingly high. I started Have I Been Pwned in 2013 with 154 million breached records from a small handful of incidents. Fast forward only a few years, and its many billions of records across hundreds of individual data breaches. And that’s just scratching the surface of what lies beneath; there are an untold number of incidents that we, the public, will never know about. In many cases, the service owners themselves don’t even know, or it takes years to discover the extent of or even the existence of a data breach. I’m not talking about small fly-by-night services here either; I’m talking about some of the web’s largest services, such as Dropbox, LinkedIn, and MySpace.
It’s fascinating to look at how these incidents occur because the root causes span such a diverse set of exploits. Software vulnerabilities remain prevalent (SQL injection is still considered the number one application security risk today 1 ), databases are regularly left publicly facing without a password and insiders are both deliberately and inadvertently exposing data. In one recent case, we even learned that one of our local Aussie banks may have lost customer records off the back of a truck—not metaphorically either, literally . Maybe the auditors called in to investigate the breach reported that “Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route but were unable to find any trace of them.” 2
This is why cryptography matters. It matters because it’s an essential part of the answer when organisations ask how they can better protect themselves from the types of incidents described above. It matters because we’re increasingly realising that data protection goes well beyond the controls that keep adversaries from accessing the data in the first place and extend all the way to protecting the data itself.
Like Stephen, I’ve spent the last two and a half decades building software in all sorts of capacities, most recently in my role as a Microsoft Regional Director (an honorary title). During that time, I’ve seen some huge changes in the industry but without doubt, the most significant has been the move to cloud computing. Microsoft has played a significant role in that shift with their Azure platform and it’s changed so many of the ways we deliver applications; the way we code, the way we scale and yes, even the way we encrypt. Key Vault has brought secure and accessible cryptographic storage to the masses and addressed a fundamental problem we’ve been tackling for years: how to correctly store secrets in our software.
I’ve known Stephen for many years now and have always enjoyed seeing him talk about cryptography. It’s one of those niche subjects within application security which is a niche itself within the software development discipline. I’ve often joked that I know enough about cryptography to know how much I don’t know, which probably also explains why I always take something away from Stephen’s talks.
We’ve never had more cryptography than we have today. More than three quarters of all web traffic is encrypted, 3 our families and friends are socialising on networks with end-to-end encryption like WhatsApp and iMessage and we’re walking around with supercomputers in our pockets which encrypt all data at rest. Encryption has come to the masses and just as it’s now more accessible than ever to the general public, it’s also more accessible than ever for those us of building software. Stephen’s approach to applied cryptography on Microsoft’s platform will help you continue that trend by introducing more cryptography into your own development. I hope you enjoy hearing from him as much as I have over the years and that maybe, just maybe, this book even takes some work off my plate and prevents a few data breaches!
—Troy Hunt
Founder of Have I Been Pwned
I like the choice of words that Troy Hunt used in the foreword for this book, “assume breach.” Those two words sum up the entire existence of this book and why I wrote it. Organizations today need to adopt this mindset change and realize that they will most likely suffer a data breach at some point in their existence. Sure, you may have spent a fortune on firewalls and intrusion detection systems, and indeed these are good investments, but what about the disgruntled operations engineer who was recently passed up for promotion or a pay rise and decides he wants payback? I am not trying to pick on operations staff deliberately, but I mean anyone inside the organization who has some level of production access to data or developers who routinely use cuts of production data in their test environments; please stop doing this…
How do you stop that data from being taken outside the organization? Of course, you might be using at-rest encryption for your databases, and that is great, but what if this malicious insider does a “select *” query over a series of tables, pastes the results into a spreadsheet, and makes a copy of the file. At-rest encryption isn’t going to help you then. This data could contain sensitive personal information that relates to individuals, and it is this personal information that gives the data value because it can then be used to mount social engineering and impersonation attacks against your customers.
Instead of just relying on encryption at rest, we need to add an extra layer of encryption at the database row-level and ensure the keys used to encrypt this data are appropriately managed, and that is where this book comes in. If you are like me, then you are a software developer working in a team producing software for your organization. You are most likely not a dedicated security professional but a general software developer. These are the types of people that this book for. Time and time again in my career, I have seen security features pushed back in a schedule for more visible features that are perceived to add more value to the company; but although security features are less visible, they are just as important, if not more important, than the domain system features.
As a developer, I can emphasize with you when this happens, and this book is my way of helping you. When I started designing this book, there were different approaches I could have taken. I could have written a 700-page reference manual in which I documented every class, method, and property used for security in .NET, but if you are like me, then you probably wouldn’t read it. Instead, my goal was to make this book as short as possible, yet packed with information, which is why this book takes you through the cryptography primitives available in .NET/.NET Core and shows you how to use them to build something secure with key management in Azure Key Vault. I want you to be able to work through the book fairly quickly and have the provided source code be useful to you, so that you can easily adopt it in your systems.
It isn’t my goal to turn you into a master cryptographer; it is my goal to arm you with enough tools and sample code so that you can incorporate better security without it being seen as a “burden” on your business sponsors. Even a small bit of encryption with well-managed keys is better than nothing at all. As we have already stated, you should assume a data breach is going to happen, but if that breached data has encrypted personal information and encrypted sensitive data with properly manages keys, then that data becomes near worthless.
A breach notification system, like Have I Been Pwned, is designed to notify people when a data breach has occurred, but if a person’s personal data (including email address) is encrypted, then the data is more anonymous and can’t be tied back to a physical person. The last thing you want as an organization is to appear as a breach in Have I Been Pwned with unencrypted personal details, payment card data, and passwords. Breaches that appear in Troy’s system end up becoming public, and Troy appears on news channels around the world to discuss the breaches that give a company a bad reputation. The impact of a data breach can be drastically lessened when important data is encrypted.
So, on that note, I hope that you enjoy this book, and I wish you every success in making your systems more secure. Cryptography is actually good fun when you get your head around the subject.
Table of Contents
About the Author and About the Technical Reviewer
About the Author
has been a software developer for the last 25 years, working in many industries, such as video games, financial services, insurance, and healthcare. One of his main specialties is security and cryptography, and he has implemented a range of techniques into many systems at many companies, including financial lenders, insurance claims management companies, and global banks. Stephen regularly speaks at conferences and user groups about secure coding in .NET, and he has authored a highly rated cryptography course for Pluralsight.
About the Technical Reviewer
is a software architect for Aptera Software and a Microsoft MVP for Visual Studio and Development Technologies. He works primarily in the .NET web platform, but loves opportunities to try out other stacks. He has been developing high-quality custom software solutions since 2001. At Aptera, he has successfully delivered solutions for clients in a wide variety of industries. He loves to dabble in new and exciting technologies. In his spare time, he loves to tinker with Arduino projects. He fondly remembers what it was like to develop software for the Palm OS. He has an amazing wife and five wonderful children. He blogs at http://humbletoolsmith.com , and you can follow him on Twitter as @pottereric.