Cryptography remains an ever-important topic in building modern security-minded applications. Bouncy Castle is a cryptography library for .NET that allows users to build robust cryptography features. In this article, we will cover just a few important capabilities Bouncy Castle offers us and how to implement them.<\/p>\n
Let’s get started!<\/p>\n
Bouncy Castle is a free open-source .NET library offering a wide cryptography feature set for building security into applications<\/strong>. Bouncy Castle is developed by the Legion of the Bouncy Castle, an Australian Charity. This library offers a wide array of basic and advanced cryptographic algorithms. Additionally, it offers capabilities to generate and verify cryptographic certificates.<\/p>\n To learn more about Bouncy Castle and the Legion of the Bouncy Castle visit their website here<\/a>. For a refresher on cryptography refer to\u00a0this article<\/a> on CodeMaze.<\/p>\n We can install Bouncy Castle via the .NET command line:<\/p>\n Hashing functions are deterministic cryptographic algorithms that can map a data set down to a fixed-size byte array<\/strong>. This process is irreversible which lends itself well to validating data has not been changed without the risk of divulging the data itself. We can use Bouncy Castle to hash data using various algorithms such as MD5 and SHA.<\/p>\n One real-world use of hashing is a publisher providing the hashed value of the binary of an application.<\/strong> The user downloading these binaries can then verify the file(s) have not been altered in any way by verifying the hash provided by the publisher. Because hashing is deterministic we expect that performing the same hashing algorithm on these files will produce a matching hash to the one the publisher has provided.<\/p>\n Let’s begin with performing an MD5 hash with Bouncy Castle:<\/p>\n To perform an MD5 hash, first, we create an This will produce a hash of our secret:<\/p>\n Let’s move on to SHA hashing.\u00a0<\/p>\n We can use Bouncy Castle to perform a SHA256 hash:<\/p>\n As we are using Bouncy Castle the code is very similar to creating an MD5 hash although they are different algorithms altogether. In this case, we create a This is an example of what a SHA256 hashed value would look like:<\/p>\n In the following sections we will discuss how to perform specific symmetric encryption algorithms, but let’s discuss what options Bouncy Castle offers. Symmetric encryption always begins by creating a cipher object. We use the Let’s take a look at the options we can choose from for each of these sections:<\/p>\n Algorithm<\/strong>:<\/p>\n Mode of Operation<\/strong>:<\/p>\n Padding Style<\/strong>:<\/p>\n Symmetric encryption, also known as private key encryption<\/strong>, is a class of encryption algorithms that use a single private key to perform encryption and decryption<\/strong> of a data set<\/strong>. This means the party that wants to decrypt data can only do so if they have obtained this key from whoever encrypted the data. Bouncy Castle allows us to easily use various symmetric encryption algorithms to protect data. In this section, we will discuss two well-known symmetric encryption algorithms: AES, and Blowfish.<\/p>\n First, let’s take a look at a code example of how to perform AES encryption:<\/p>\n We begin by transforming our input data set into a byte array using Now that we have encrypted data, let’s take a look at how we can perform decryption using Bouncy Castle to recover the original data:<\/p>\n We start by creating a cipher object with the same algorithm and mode<\/strong> used to encrypt the data. This is very important because if the cipher is not the same the decryption would not work. Next, we initialize the cipher with the same IV and key as the encryption<\/strong>. Additionally, we provide a Moving on, let’s take a look at how we can encrypt data using Blowfish:<\/p>\n Blowfish uses password-based encryption<\/strong> which means we use a password to generate a key. In the example, we generate a random IV and a key using the password as an input to the Lastly, let’s take a look at how we can decrypt a data set we encrypted using Blowfish:<\/p>\n To perform the decryption, we initialize a new cipher with the same settings as we did when it was encrypted and set it to decryption mode. Next, we generate another Asymmetric encryption is also known as public key encryption<\/strong>. They are a class of encryption algorithms that use a public key to encrypt data<\/strong> and a private key to perform decryption<\/strong> of a data set. The public and private keys are mathematically related. Only a private key related to the public key can decrypt the data set. Bouncy Castle enables us to perform asymmetric encryptions. In the following section, we will cover two asymmetric encryption algorithms: RSA, and DSA. It should be noted that DSA is typically used to digitally sign files as a security measure to prove files have not been tempered while exchanging between two parties.<\/p>\n Here is how we can perform RSA encryption using Bouncy Castle:<\/p>\n Here we see the pattern for asymmetric encryption is different from symmetric encryption. First, we generate a key pair by creating a Now that we have a key pair, we create a cipher object by providing an Now, let’s discuss how we can recover our data through decryption:<\/p>\n Again, we create a cipher with the same algorithm engine object and padding style<\/strong> as used in encryption. Next, we initialize the cipher in decryption mode and pass in the private key<\/strong> this time. Now, we call the Another application of asymmetric encryption is digital signatures used for secure file transfers.<\/strong> In this section, we will use the DSA algorithm to achieve this goal.<\/p>\n Let’s start by looking at an example of how we can digitally sign a byte array:<\/p>\n In this example, we are signing a byte array produced from a string, but in a practical example, we would read in a file as a byte array and perform all the same operations on it.<\/p>\n Firstly, we start by creating a key pair we can use for signing. Create a Now that we have the DSA keys we can begin the signing process. Starting off, we create an We can also verify the signature on the data using Bouncy Castle:<\/p>\n Begin by creating another Bouncy Castle allows us to perform a variety of cryptographic operations with an easy-to-use and consistent syntax. Data security remains an ever-important aspect of development. This is a great library to enable data security in applications!<\/p>\n","protected":false},"excerpt":{"rendered":" Cryptography remains an ever-important topic in building modern security-minded applications. Bouncy Castle is a cryptography library for .NET that allows users to build robust cryptography features. In this article, we will cover just a few important capabilities Bouncy Castle offers us and how to implement them. Let’s get started! What is Bouncy Castle? Bouncy Castle […]<\/p>\n","protected":false},"author":42,"featured_media":62189,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[12],"tags":[1582,2206,1811,1577,613,1580],"class_list":["post-116968","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-csharp","tag-asymmetric-encryption-in-cryptography","tag-bouncy-castle-cryptography","tag-c","tag-cryptography","tag-encryption","tag-symmetric-encryption-in-cryptography","et-has-post-format-content","et_post_format-et-post-format-standard"],"yoast_head":"\nInstalling Bouncy Castle<\/h2>\n
dotnet add package BouncyCastle.Cryptography<\/code><\/p>\nHashing With Bouncy Castle<\/h2>\n
Md5 Hashing<\/h3>\n
var secretValue = \"This is my pasword! Dont read me!\";\r\n\r\nvar hash = Md5Hasher.Md5Hash(secretValue);\r\n\r\npublic static byte[] Md5Hash(string secret)\r\n{\r\n var hash = new MD5Digest();\r\n\r\n var result = new byte[hash.GetDigestSize()];\r\n\r\n var data = Encoding.UTF8.GetBytes(secret);\r\n\r\n hash.BlockUpdate(data, 0, data.Length);\r\n\r\n hash.DoFinal(result,\u00a00);\r\n\r\n return result;\r\n}<\/pre>\nMD5Digest<\/code> object that we will use to create the hash. Next, we create a byte array, result<\/code>, the size of the digest. We then convert the secret value to UTF-8 encoded byte array. Next, we update the hash digest object with a byte array. We do this by calling BlockUpdate()<\/code> with blocks of bytes the size of our byte array. Finally, we call DoFinal()<\/code> on the digest object to produce the final hash.<\/p>\nU0e8NZgYzVdAFWH0+\/Wwvw==<\/code><\/p>\nSHA Hashing<\/h3>\n
var secretValue = \"This is my pasword! Dont read me!\";\r\n\r\nvar hash = ShaHasher.ShaHash(secretValue);\r\n\r\npublic static byte[] ShaHash(string secret)\r\n{\r\n var hash = new Sha256Digest();\r\n\r\n var result = new byte[hash.GetDigestSize()];\r\n\r\n var data = Encoding.UTF8.GetBytes(secret);\r\n\r\n hash.BlockUpdate(data, 0, data.Length);\r\n\r\n hash.DoFinal(result, 0);\r\n\r\n return result;\r\n}<\/pre>\nSha256Digest<\/code> object to perform the hashing. Similarly, we convert the secret into a byte array. We then load the byte array in the hash block. Lastly, like before, we call DoFinal()<\/code> on the digest object to produce our final hash.<\/p>\nn0xnEbCTlQ66Un8K2G8XxvZPlWo0GizTISE\/BTYkV3Q=<\/code><\/p>\nSymmetric Encryption with Bouncy Castle<\/h2>\n
CipherUtilities.GetCipher(\"AlgorithmName\/OperationMode\/PaddingStyle\")<\/code> method to make this cipher object. This method accepts a string with three sections that are delimited by a forward slash. The first section describes the algorithm the cipher should use. The second section describes the operation mode for the cipher. Last, the final section describes which padding style the cipher should use.<\/p>\n\n
\n
\"AES\"<\/code><\/li>\n\"DES\"<\/code><\/li>\n\"DESede\"<\/code>, \"3DES\"<\/code><\/li>\n\"Blowfish\"<\/code><\/li>\n\"CAST5\"<\/code><\/li>\n\"IDEA\"<\/code><\/li>\n\"Camellia\"<\/code><\/li>\n\"SEED\"<\/code><\/li>\n<\/ul>\n<\/li>\n\n
\"ECB\"<\/code><\/li>\n\"CBC\"<\/code><\/li>\n\"CFB\"<\/code><\/li>\n\"OFB\"<\/code><\/li>\n\"CTR\"<\/code><\/li>\n\"GCM\"<\/code><\/li>\n<\/ul>\n<\/li>\n\n
\"NoPadding\"<\/code><\/li>\n\"PKCS5Padding\"<\/code><\/li>\n\"PKCS7Padding\"<\/code><\/li>\n\"ISO10126Padding\"<\/code><\/li>\n\"ISO7816-4Padding\"<\/code><\/li>\n\"TBCPadding\"<\/code><\/li>\n\"X9.23Padding\"<\/code><\/li>\n\"ZeroBytePadding\"<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\nAES Encryption<\/h3>\n
string input = \"Hello, Bouncy Castle!\";\r\n\r\nvar encryptedData = AesEncryptor.AesEncrypt(input, out byte[] iv, out byte[] key);\r\n\r\npublic static byte[] AesEncrypt(string input, out byte[] iv, out byte[] key)\r\n{\r\n var inputBytes = Encoding.UTF8.GetBytes(input);\r\n\r\n \/\/ Generate a random 128-bit key\r\n key = new byte[16];\r\n var random = new SecureRandom();\r\n random.NextBytes(key);\r\n\r\n \/\/ Generate a random 128-bit initialization vector (IV)\r\n iv = new byte[16];\r\n random.NextBytes(iv);\r\n\r\n \/\/ Create AES cipher with CBC mode\r\n var cipher = CipherUtilities.GetCipher(\"AES\/CBC\/PKCS7Padding\");\r\n\r\n cipher.Init(true, new ParametersWithIV(new KeyParameter(key), iv));\r\n\r\n return cipher.DoFinal(inputBytes);\r\n}\r\n\r\n<\/pre>\nUTF8.GetBytes()<\/code>. Next, we create two randomly generated<\/strong> byte arrays for the key and initialization vector (IV). Now that we have a key and IV, we generate a cipher object and initialize it with our key and IV. The first parameter of Init()<\/code> is a boolean that indicates if we are encrypting. Finally, we call the DoFinal()<\/code> method on the cipher object to produce the encrypted data.<\/p>\npublic static string AesDecrypt(byte[] key, byte[] iv, byte[] encryptedBytes)\r\n{\r\n var cipher = CipherUtilities.GetCipher(\"AES\/CBC\/PKCS7Padding\");\r\n cipher.Init(false, new ParametersWithIV(new KeyParameter(key), iv));\r\n\r\n \/\/ Decrypt the encrypted data\r\n var decryptedBytes = cipher.DoFinal(encryptedBytes);\r\n\r\n return Encoding.UTF8.GetString(decryptedBytes);\r\n}<\/pre>\nfalse<\/code> value in the Init()<\/code> method to indicate we will be decrypting.<\/p>\nBlowfish Encryption<\/h3>\n
var input = \"Hello, Bouncy Castle!\";\r\nvar password = \"mysecretpassword\";\r\n\r\nvar encryptedBytes = BlowfishEncryptor.BlowfishEncrypt(input, password, out byte[] iv);\r\n\r\npublic static byte[] BlowfishEncrypt(string input, string password, out byte[] iv)\r\n{\r\n var inputBytes = Encoding.UTF8.GetBytes(input);\r\n\r\n var random = new SecureRandom();\r\n iv = new byte[8]; \/\/ Blowfish uses an 8-byte (64-bit) IV\r\n random.NextBytes(iv);\r\n\r\n var cipher = CipherUtilities.GetCipher(\"Blowfish\/CBC\/PKCS7Padding\");\r\n\r\n var keyBytes = Encoding.UTF8.GetBytes(password);\r\n var keyParam = new KeyParameter(keyBytes);\r\n\r\n cipher.Init(true, new ParametersWithIV(keyParam, iv));\r\n\r\n return cipher.DoFinal(inputBytes);\r\n}<\/pre>\nKeyParameter()<\/code> constructor. Next, we create a cipher object using GetCipher()<\/code> and we specify we want to use Blowfish with CBC mode and PKCS7 padding. Again, we initialize the cipher set to encryption. Finally, we produce the final encryption by calling DoFinal()<\/code>.<\/p>\npublic static string BlowfishDecrypt(byte[] encryptedBytes, string password, byte[] iv)\r\n{\r\n var cipher = CipherUtilities.GetCipher(\"Blowfish\/CBC\/PKCS7Padding\");\r\n\r\n var keyBytes = Encoding.UTF8.GetBytes(password);\r\n var keyParam = new KeyParameter(keyBytes);\r\n\r\n cipher.Init(false, new ParametersWithIV(keyParam, iv));\r\n\r\n var inputBytes = cipher.DoFinal(encryptedBytes);\r\n\r\n return Encoding.UTF8.GetString(inputBytes);\r\n}<\/pre>\nKeyParameter<\/code> object using the password byte array. Finally, we call DoFinal()<\/code> to receive our original data back.<\/p>\nAsymmetric Encryption With Bouncy Castle<\/h2>\n
RSA Encryption<\/h3>\n
string input = \"Hello, Bouncy Castle!\";\r\n\r\n\/\/ Generate RSA key pair\r\nvar keyPair = RsaEncryptor.GenerateRsaKeyPair();\r\n\r\nvar encryptedBytes = RsaEncryptor.RsaEncrypt(input, keyPair.Public);\r\n\r\npublic static AsymmetricCipherKeyPair GenerateRsaKeyPair()\r\n{\r\n var rsaKeyPairGen = new RsaKeyPairGenerator();\r\n rsaKeyPairGen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));\r\n return rsaKeyPairGen.GenerateKeyPair();\r\n}\r\n\r\npublic static byte[] RsaEncrypt(string input, AsymmetricKeyParameter publicKey)\r\n{\r\n var inputBytes = Encoding.UTF8.GetBytes(input);\r\n\r\n var cipher = new Pkcs1Encoding(new RsaEngine());\r\n\r\n cipher.Init(true, publicKey);\r\n\r\n return cipher.ProcessBlock(inputBytes, 0, inputBytes.Length);\r\n}<\/pre>\nRsaKeyPairGenerator<\/code> object. We initialize it with a random number generator of type SecureRandom<\/code> and an int<\/code> indicating the strength of the encryption using a bit length number. Lastly, we call GenerateKeyPair()<\/code> to produce the private and public keys.<\/p>\nRsaEngine<\/code> object to a PKCS1Encoding<\/code> object. Next, we initialize the cipher with the encryption mode as true<\/code> and the public key we generated. Finally, we call ProcessBlock() with our input byte array to encrypt, an offset value for where to start reading our input, and the length of the input. This will produce an encrypted byte array representation of our input data.<\/p>\nstring decryptedString = RsaEncryptor.RsaDecrypt(encryptedBytes, keyPair.Private);\r\n\r\npublic static string RsaDecrypt(byte[] encryptedBytes, AsymmetricKeyParameter privateKey)\r\n{\r\n var cipher = new Pkcs1Encoding(new RsaEngine());\r\n\r\n \/\/ Initialize the cipher for decryption with the private key\r\n cipher.Init(false, privateKey);\r\n\r\n \/\/ Decrypt the encrypted data\r\n var decryptedBytes = cipher.ProcessBlock(encryptedBytes, 0, encryptedBytes.Length);\r\n\r\n return Encoding.UTF8.GetString(decryptedBytes);\r\n}<\/pre>\nProcessBlock()<\/code> method again to produce the original byte array data.<\/p>\nCreating Digital Signatures<\/h3>\n
string input = \"Hello, Bouncy Castle!\";\r\n\r\nvar keyPair = DsaEncryptor.GenerateDsaKeyPair();\r\n\r\nvar signature = DsaEncryptor.DsaSign(input, keyPair.Private);\r\n\r\npublic static AsymmetricCipherKeyPair GenerateDsaKeyPair()\r\n{\r\n \/\/ Create DSA parameters\r\n var dsaParamsGenerator = new DsaParametersGenerator();\r\n var random = new SecureRandom();\r\n dsaParamsGenerator.Init(1024, 80, random); \/\/ key size: 1024 bits, certainty: 80\r\n\r\n \/\/ Generate DSA key pair\r\n var dsaParams = dsaParamsGenerator.GenerateParameters();\r\n var dsaKeyParams = new DsaKeyGenerationParameters(random, dsaParams);\r\n var dsaKeyPairGen = new DsaKeyPairGenerator();\r\n dsaKeyPairGen.Init(dsaKeyParams);\r\n\r\n return dsaKeyPairGen.GenerateKeyPair();\r\n}\r\n\r\npublic static byte[] DsaSign(string message, AsymmetricKeyParameter privateKey)\r\n{\r\n var messageBytes = Encoding.UTF8.GetBytes(message);\r\n\r\n var signer = SignerUtilities.GetSigner(\"SHA256withDSA\");\r\n\r\n signer.Init(true, privateKey);\r\n\r\n signer.BlockUpdate(messageBytes, 0, messageBytes.Length);\r\n\r\n return signer.GenerateSignature();\r\n}<\/pre>\nDsaParametersGenerator<\/code> object and initialize it with a secure random number generator, key size, and a certainty value. Next, we generate the parameters by calling GenerateParameters()<\/code> and pass them into the constructor of DsaKeyGenerationParameters<\/code>. We follow this up by creating a DsaKeyPairGenerator<\/code> object which we initialize with the previously created DsaKeyGenerationParameters<\/code>. Lastly, we generate the keys by calling GenerateKeyPair()<\/code>.<\/p>\nISigner<\/code> implementation by calling SignerUtilities.GetSigner(\"SHA256withDSA\")<\/code>. We initialize the signer by calling Init()<\/code> and indicating we are signing with the true<\/code> value and our private key. Once we have initialized the signer, we call BlockUpdate()<\/code> to pass in our data, an offset value, and the data array length. We produce the signature by calling GenerateSignature()<\/code>.\u00a0 It is important to note that the original data has not been obscured.<\/p>\nValidating Digital Signatures<\/h3>\n
var isSignatureValid = DsaEncryptor.DsaVerify(input, signature, keyPair.Public);\r\n\r\npublic static bool DsaVerify(string message, byte[] signature, AsymmetricKeyParameter publicKey)\r\n{\r\n var messageBytes = Encoding.UTF8.GetBytes(message);\r\n\r\n var signer = SignerUtilities.GetSigner(\"SHA256withDSA\");\r\n\r\n signer.Init(false, publicKey);\r\n\r\n signer.BlockUpdate(messageBytes, 0, messageBytes.Length);\r\n\r\n return signer.VerifySignature(signature);\r\n}<\/pre>\nISigner<\/code> implementation with the same parameters as the one used to produce the signature. We initialize it with a false<\/code> value and pass in the public key we generated before. We call BlockUpdate()<\/code> on the signed passing in the input data, an offset, and the data array length. Lastly, we verify the signature by calling VerifySignature()<\/code> and passing in the signature we produced.<\/p>\nConclusion<\/h2>\n