Cryptography Notes - from .NET Framework documentation

Cryptographic Services

Public networks such as the Internet do not provide a means of secure communication between entities. Communication over such networks is susceptible to being read or even modified by unauthorized third parties. In addition to file encryption and encryption on a local disk, cryptography enables you to create secure channels of communication over otherwise insecure channels, providing data integrity and authentication.

The classes in the .NET Framework cryptography namespace manage many details of cryptography for you. Some are wrappers for the unmanaged Microsoft CryptoAPI, while others are purely managed implementations. You do not need to be an expert in cryptography to use these classes. When you create a new instance of one of the encryption algorithm classes, keys are auto-generated for ease of use, and default properties are always as safe and secure as possible.

Cryptography Overview

Cryptography protects data from being viewed or modified and provides secure channels of communication over otherwise insecure channels. For example, data can be encrypted using a cryptographic algorithm, transmitted in an encrypted state, and later decrypted by the intended party. If a third party intercepts the encrypted data, it will be difficult to decipher the data.

In a typical situation where cryptography is used, two parties (Alice and Bob) communicate over an insecure channel. Alice and Bob want to ensure that their communication remains incomprehensible to anyone who might be listening. Furthermore, because Alice and Bob are in remote locations, Alice must be sure that the information she receives from Bob has not been modified by anyone during transmission. In addition, she must be sure that the information really does originate from Bob and not someone impersonating Bob.

Cryptography is used to achieve the following goals: 

- Confidentiality: To protect a user's identity or data from being read. 
- Data integrity: To protect data from being altered. 
- Authentication: To assure that data originates from a particular party. 

In order to achieve these goals, Alice and Bob use a combination of algorithms and practices known as cryptographic primitives to create a cryptographic scheme. The following table lists the cryptographic primitives and their uses.

Cryptographic primitive: Use

- Private-key encryption (symmetric cryptography): Performs a transformation on data, keeping the data from being read by third parties. This type of encryption uses a single shared, secret key to encrypt and decrypt data.
- Public-key encryption (asymmetric cryptography): Performs a transformation on data, keeping the data from being read by third parties. This type of encryption uses a public/private key pair to encrypt and decrypt data.
- Cryptographic signing: Ensures that data originates from a specific party by creating a digital signature that is unique to that party. This process also uses hash functions.
- Cryptographic hashes: Maps data of any length to a fixed-length byte sequence. Hashes are statistically unique; two different byte sequences will not hash to the same value.

Private-Key Encryption
Private-key encryption algorithms use a single private key to encrypt and decrypt data. You must secure the key from access by unauthorized agents because any party that has the key can use it to decrypt data. Private-key encryption is also referred to as symmetric encryption because the same key is used for encryption and decryption. Private-key encryption algorithms are extremely fast (compared to public-key algorithms) and are well suited for performing cryptographic transformations on large streams of data.

Public-Key Encryption
Public-key encryption uses a private key that must be kept secret from unauthorized users and a public key that can be made public to anyone. The public key and the private key are mathematically linked; data encrypted with the public key can only be decrypted with the private key, and data signed with the private key can only be verified with the public key. The public key can be made available to anyone; this key is used for encrypting data to be sent to the keeper of the private key. Both keys are unique to the communication session. Public-key cryptographic algorithms are also known as asymmetric algorithms because one key is required to encrypt data while another is required to decrypt data.

Public-key cryptographic algorithms use a fixed buffer size whereas private-key cryptographic algorithms use a variable length buffer. Public-key algorithms cannot be used to chain data together into streams the way private-key algorithms can because only small amounts of data can be encrypted. Therefore, asymmetric operations do not use the same streaming model as symmetric operations.
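
The size limit and the streaming difference described above are why the two kinds of algorithm are usually combined. The following C# sketch is an added example, not code from the .NET Framework documentation; the class and method names, the 2048-bit key size and the sample message are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: names, key size and sample data are assumptions for illustration.
class HybridEncryptionDemo
{
    // Streams input through a symmetric transform, the model CryptoStream is built for.
    static byte[] Transform(ICryptoTransform transform, byte[] input)
    {
        using (var buffer = new MemoryStream())
        {
            using (var cs = new CryptoStream(buffer, transform, CryptoStreamMode.Write))
                cs.Write(input, 0, input.Length);   // disposing cs flushes the final block
            return buffer.ToArray();
        }
    }

    static void Main()
    {
        // Constructed sample message, far larger than one RSA operation can accept.
        byte[] message = Encoding.UTF8.GetBytes(new string('x', 100000));

        // One object plays both roles here; in practice Alice holds only Bob's public key.
        using (var bobRsa = new RSACryptoServiceProvider(2048))
        using (Aes aes = Aes.Create())              // Key and IV are auto-generated
        {
            // Asymmetric limit: a 2048-bit key cannot encrypt 100,000 bytes in one call.
            try { bobRsa.Encrypt(message, true); }
            catch (CryptographicException) { Console.WriteLine("RSA rejected the large message"); }

            // Alice: bulk data goes through AES, only the short AES key goes through RSA.
            byte[] ciphertext = Transform(aes.CreateEncryptor(), message);
            byte[] wrappedKey = bobRsa.Encrypt(aes.Key, true);   // true selects OAEP padding

            // Bob: unwrap the session key with his private key, then decrypt the stream.
            using (Aes bobAes = Aes.Create())
            {
                bobAes.Key = bobRsa.Decrypt(wrappedKey, true);
                bobAes.IV = aes.IV;                 // the IV is not secret; it travels with the data
                byte[] recovered = Transform(bobAes.CreateDecryptor(), ciphertext);
                Console.WriteLine("Round trip ok: " + recovered.SequenceEqual(message));
            }
        }
    }
}
```

Aes.Create() defaults to CBC mode, which provides confidentiality only; the integrity and authentication goals listed earlier need a signature or MAC over the ciphertext.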

Digital Signatures
Public-key algorithms can also be used to form digital signatures. Digital signatures authenticate the identity of a sender (if you trust the sender's public key) and protect the integrity of data. Using a public key generated by Alice, the recipient of Alice's data can verify that Alice sent it by comparing the digital signature to Alice's data and Alice's public key.

Hash Values
Hash algorithms map binary values of an arbitrary length to small binary values of a fixed length, known as hash values. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plaintext and change even one letter of the paragraph, then a subsequent hash will produce a different value. It is computationally improbable to find two distinct inputs that hash to the same value.
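
The behaviour of signatures and hash values described in the two sections above can be seen together in one short program. This C# sketch is an added example, not code from the .NET Framework documentation; the class name, the 2048-bit key size and the sample text are assumptions, and it uses the SignData and VerifyData overloads that take a HashAlgorithmName (available from .NET Framework 4.6).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: names, key size and sample text are assumptions for illustration.
class SignAndHashDemo
{
    static string Hex(byte[] bytes) { return BitConverter.ToString(bytes).Replace("-", ""); }

    static void Main()
    {
        // Constructed sample data and a copy with one letter changed.
        byte[] original = Encoding.UTF8.GetBytes("Pay Bob 100 dollars");
        byte[] tampered = Encoding.UTF8.GetBytes("Pay Rob 100 dollars");

        // Hash values: the one-letter change yields a completely different digest.
        using (SHA256 sha = SHA256.Create())
        {
            Console.WriteLine(Hex(sha.ComputeHash(original)));
            Console.WriteLine(Hex(sha.ComputeHash(tampered)));
        }

        using (var aliceRsa = new RSACryptoServiceProvider(2048))
        {
            // Alice signs with her private key; SignData hashes the data internally.
            byte[] signature = aliceRsa.SignData(
                original, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            RSAParameters alicePublic = aliceRsa.ExportParameters(false); // false: public part only

            // Bob holds only Alice's public key, which is enough to verify but not to sign.
            using (var bobView = new RSACryptoServiceProvider())
            {
                bobView.ImportParameters(alicePublic);
                bool okOriginal = bobView.VerifyData(
                    original, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                bool okTampered = bobView.VerifyData(
                    tampered, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                Console.WriteLine("Original verifies: " + okOriginal);
                Console.WriteLine("Tampered verifies: " + okTampered);
                Console.WriteLine("Bob has public key only: " + bobView.PublicOnly);
            }
        }
    }
}
```

Verification only proves the data came from the holder of the matching private key; whether that holder is Alice depends on how Bob obtained and trusts her public key.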

Random Number Generation
Random number generation is integral to many cryptographic operations. For example, cryptographic keys need to be as random as possible so that it is infeasible to reproduce them. Cryptographic random number generators must generate output that is computationally infeasible to predict with better than a probability of p < .05; that is, any method of predicting the next output bit must not perform better than random guessing. The classes in the .NET Framework use random number generators to generate cryptographic keys.
