Needless to say, if an unauthorized individual gets hold of the key and IV, he can happily decrypt any of your cipher text, and you no longer have a communications channel free from prying eyes. It is therefore extremely important that you take care when sharing these secrets with the people who need them, to ensure that no one else can intercept them. (This turns out to be the hardest part—key management and especially human factors turn out to be security weak points far more often than the technological details. This is a book about programming, so we won’t even attempt to solve that problem. We recommend the book Secrets and Lies: Digital Security in a Networked World by Bruce Schneier [John Wiley & Sons] for more information.)

440 | Chapter 11: Files and Streams
We’re calling a method called SelectKeyAndIV to get hold of the key and IV. In real life, you’d likely be sharing this information between different processes, usually even on different machines; but for the sake of this demonstration, we’re just creating them on the fly, as you can see in Example 11-52.

Example 11-52. Creating a key and IV

    // Requires: using System.Security.Cryptography;
    private static void SelectKeyAndIV(out byte[] key, out byte[] iv)
    {
        var algorithm = TripleDES.Create();

        // Fill the algorithm's IV and Key properties with fresh random bytes.
        algorithm.GenerateIV();
        algorithm.GenerateKey();

        key = algorithm.Key;
        iv = algorithm.IV;
    }

TripleDES is an example of a symmetric algorithm, so it derives from a class called SymmetricAlgorithm. All such classes provide a couple of methods called GenerateIV and GenerateKey that create cryptographically strong random byte arrays to use as an initialization vector and a key. See the sidebar below for an explanation of why we need to use a particular kind of random number generator when cryptography is involved.

How Random Are Random Numbers?

What does “cryptographically strong” mean when we’re talking about random numbers? Well, it turns out that most random number generators are not all that random. The easiest way to illustrate this is with a little program that seeds the standard .NET Framework random number generator with an arbitrary integer (3), and then displays some random numbers to the console:

    // Requires: using System;
    static void Main(string[] args)
    {
        // A fixed seed makes the whole sequence reproducible.
        Random random = new Random(3);
        for (int i = 0; i < 5; ++i)
        {
            Console.WriteLine(random.Next());
        }
        Console.ReadKey();
    }

If you compile and run, you should see this output:

    630327709
    1498044246
    1857544709
    426253993
    1203643911

No, I’m not Nostradamus. It is just that the “random” algorithm is actually entirely predictable, given a particular seed. Normally that seed comes from Environment.TickCount, which means that you normally see different behavior each time. Thus, we have the illusion of “randomness.” But this isn’t good enough for encryption purposes; encryption schemes have been broken in the past because attackers were able to guess a computer’s tick count.
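To make the sidebar's point concrete, the following added example (not from the book) measures how few seeds need to be tried to reproduce a key drawn from a tick-seeded Random, and runs the same search against a key from a cryptographic random number generator. The helper names, the constructed tick value and the 30-second uncertainty window are assumptions chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class SeedSpaceDemo
{
    const int KeyBytes = 24; // 3DES key length, matching the TripleDES example

    // Weak (hypothetical helper): the int seed determines every key byte, so a
    // 192-bit key built this way has at most 2^32 possible values.
    static byte[] KeyFromRandom(int seed)
    {
        var key = new byte[KeyBytes];
        new Random(seed).NextBytes(key);
        return key;
    }

    // Strong: bytes come from the platform's cryptographic RNG.
    static byte[] KeyFromCsprng()
    {
        var key = new byte[KeyBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return key;
    }

    // Counts how many seeds in [estimate - window, estimate + window] are
    // tried before one reproduces the key; returns -1 if none does.
    static int SeedsTriedToReproduce(byte[] key, int estimate, int window)
    {
        int tried = 0;
        for (int seed = estimate - window; seed <= estimate + window; seed++)
        {
            tried++;
            if (KeyFromRandom(seed).SequenceEqual(key)) return tried;
        }
        return -1;
    }

    static void Main()
    {
        int tick = 86400000; // constructed tick count: 24 hours of uptime in ms
        byte[] weak = KeyFromRandom(tick);

        // The tick count is assumed known only to within +/- 30 seconds.
        Console.WriteLine(SeedsTriedToReproduce(weak, tick + 12345, 30000));

        // A CSPRNG key has no int seed behind it, so the same search is
        // expected to come back empty (-1).
        Console.WriteLine(SeedsTriedToReproduce(KeyFromCsprng(), tick, 30000));
    }
}
```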
  • Spring '15
