.NET Security and Cryptography

Security and cryptography have always been recognized as important issues in multiuser and enterprise-level computing. Even in the early mainframe systems of the mid-1960s, such as System/360, ^[12] multiuser operating systems were designed with careful attention given to user authentication, program isolation, auditing, and privacy. Symmetric cryptographic algorithms, such as the Data Encryption Standard (DES), were used heavily in mainframe applications by banks and governments by the late 1970s. UNIX ^[13] systems continued to treat security as a first-class design requirement throughout its history. In the early 1990s, UNIX systems made use of symmetric and asymmetric cryptography in various technologies and protocols, such as Kerberos network authentication.

^[12] System/360 was developed by IBM in 1964. The chief architect working on this operating system was Gene Amdahl.

^[13] Unix was initially developed by Bell Labs (then part of ATT) in 1969 and the early 1970s. Ken Thompson wrote the first UNIX system in assembly language, and many other contributors, too numerous to mention, developed it further over the last 30 years . Many vendors contributed to its development, resulting in many competing implementations , including BSD, System V, Solaris, HP-UX, AIX, Linux, and FreeBSD.

In contrast, the history of Windows has shown a marked lack of awareness toward issues related to security and cryptography. This is to some degree understandable, considering that for much of its early history, Windows ( especially in its 16-bit form) was used primarily as a single-user, non-mission-critical productivity tool and entertainment console. This is not to disparage Windows in any way. Indeed, Windows quickly grew to become a significant industry in its own right, providing the world with effective and affordable computing capabilities. However, the concepts of security, privacy, and authentication were largely unknown to most Windows users, and the vendor simply catered to that market. In contrast to the obsession with security, privacy, and reliability typical of large corporate computing facilities, Windows users have been generally tolerant of security weaknesses and more interested in powerful user-oriented features. This is why, much to the chagrin of mainframe old-timers, Windows has been plagued with malicious code, operating system reliability problems, and information leakage. Fortunately, this is all changing now, for many reasons.

• PC users are now more sophisticated, demanding greater security, privacy, and reliability.

• Corporations recognize the need to extend security policy over the Internet.

• Microsoft has recently stepped up its interest in security and reliability to a strategic level.

• Many secure corporate computing tasks have moved from the mainframe to the PC.

• The Win32 API provides powerful but arcane support for security and cryptography.

• The .NET platform provides powerful and convenient support for security and cryptography.

• Code has become more mobile, making code authentication and verification more important.

• Many experts in the field, including Bruce Schneier, have effectively evangelized security.

• Hardware cost and performance improvements make security and cryptography more practical.

• U.S. export restrictions on strong encryption were dramatically relaxed in January 2000. ^[14]

  ^[14] High-strength cryptographic products are now generally exportable from the United States without license to most countries. At the time of writing, embargoed countries included Cuba, Iran, Iraq, Libya, North Korea, and a few others. See the Bureau of Industry and Security at www.bxa.doc.gov for the most current information on U.S. export regulations.

• Public awareness of viruses and issues such as buffer overflow ^[15] vulnerabilities has increased.

  ^[15] As we shall see later in this book, the buffer overflow is a nasty technique used by the likes of the Code Red Internet worm in which a malicious request overwhelms a server with data that overflows into a sensitive memory area, such as a parameter stack, where it can then take over control of the server and wreak havoc.

• The growth in mission-critical Web services has made security a front- burner concern.