I am excited with what ASP.NET Core and .NET Core in general do for C# and other Microsoft technologies. ASP.NET Core runs on Windows, MacOS, and Linux, bringing C# to a wider audience then ever before.
Another reason to like ASP.NET Core is how it handles encryption within the framework. Frankly, this will end up being a short post, and that is a good thing.
Encryption With ASP.NET Core Data Protection API
When I was doing my research on this topic, I was expecting a series of calls to several classes and methods in order to generate keys and then encrypt the data. I was pleased to find that this is not the way it works.
Instead, there exists a Data Protection API designed to make encryption simple for developers. It starts with the IDataProtector interface. This interface defines methods called Protect and Unprotect. Another interface, IDataProtectionProvider, defines a CreateProtector method that returns an instance of IDataProtector.
One of the great additions of ASP.NET Core is built-in dependency injection (DI). A developer can use this DI to inject an instance of IDataProtectorProvider and then use it to create an instance of IDataProtector. It looks like this:
To encrypt data, call the Protect method and pass in the data you need to encrypt. Unprotect will decrypt the data for use.
And that is it. Call Protect to encrypt, and Unprotect to decrypt.
What ASP.NET Core Does Right
Throughout this discussion, I didn’t mention any algorithms or extra steps to make sure your implementation is as secure as it should be. There is a good reason for this. ASP.NET Core follows a core principle of good security (and other) API engineering: Make it easy for developers to do the right thing, and hard to do the wrong thing.
Make it easy for developers to do the right thing, and hard to do the wrong thing.
How does ASP.NET Core’s Data Protection API do this? First, its API is simple and easy to use. All that is needed is to inject an IDataProtector instance and call a method.
Second, the default algorithm is AES256. It also uses HMACSHA256 to ensure authenticity (HMACs are a topic for another post). Strong encryption by default eliminates any decisions and room for error.
Third, developers don’t manage keys. The API does that for them. Keys are generated when the API is called and are stored safely. The keys are rotated automatically every 90 days. Key management is an area where mistakes are easy to make, so it’s nice to see an API that helps manage keys by default.
Lessons from the Core
We’ve learned how to encrypt data with ASP.NET Core. You can learn more about the Data Protection API on Microsoft’s documentation site. It is definitely worth a read.
Developers and security practitioners alike can take a lesson from this API. Developers that are creating APIs for other developers to consume can take the lesson in encapsulation. There are no leaky abstractions with the Data Protection API. The methods simply do what they tell you they do and handle all of the details themselves.
Security practitioners should take to heart the lesson of making security easy. Many developers genuinely want to do the right thing and simply don’t have the knowledge and training to do it. It is our job as security guides to make security easy for developers.
If you make it easy, they will come.