.NET Security and Cryptography

In a utopian world, security and cryptography would be a complete waste of time and effort. If you could trust everyone, everyone could trust you, and everybody knew that nobody would intentionally do any harm to anyone , then there would be no need to keep secrets, prove identity, or control access. Sadly, this is not reality. Therefore, we must take precautions to protect ourselves from untrustworthy individuals and organizations with conflicting interests.

Risk and Benefit

Whenever we interact with the world, we inevitably encounter both risks and benefits. The obvious strategy is to attempt to take only risks such that the expected benefit outweighs the expected risk. You want to strike a balance in which you gain benefit from communicating with certain individuals but limit how much they and others can know and do. For example, if you want to buy or sell something on http://www.ebay.com, you want to be sure that your credit card information is secure. You also want to be sure that you are actually dealing with whom you believe you are dealing with.

This balancing act can come in several flavors. For example, you may be confronted with a very low-probability risk with a huge downside compared against a high-probability benefit of moderate value. This is the type of decision you make every time you drive your car. The converse of this scenario is when you have a very low-probability benefit with a huge upside compared against a high-probability risk (or even a 100 percent certain cost) of low value. If you have ever bought a lottery ticket, then you have encountered this scenario. In some situations, you simply have no good choice. Even where the downside is significant (high probability and high cost) but prevention costs too much or is not possible, then you just have to hope for the best. Death falls into this last category.

These extreme scenarios are intended to get you thinking about weighing risk and benefit. You need to weigh risk and benefit whenever you decide on implementing security or cryptography features into your software or whenever you configure security on your systems. Keep in mind that if you try to be too secure, then users will try to find ways around your plans or worker productivity may be impaired.

Other Important Concepts

Here are several other important concepts related to cryptography and security.

• Confidentiality means that sensitive information is protected from disclosure to unauthorized persons. This is closely related to the concept of privacy .

• Integrity means that data consistency is assured and that the data is tamper-proof.

• Authentication is the process of proving the identity of an individual or a system.

• Nonrepudiation means that an individual cannot take an action and then deny it later. This is closely related to the concept of proof of receipt .

• Authorization means that an access policy can be specified that grants or denies specific rights to an individual to perform specific actions on specific resources. This is closely related to the concept of access control .

• Anonymity means that the identity of an individual can be concealed.

• Ownership of a resource represents the right to control the use of that resource.

• Certification is the process of endorsement by a trusted authority of a claim made by an individual. This is closely related to the concept of a Certificate Authority .

• Witnessing means the verification by one individual of an action performed by another individual.

• Validation means checking for the validity or truthfulness of a claim made by an individual. It can also mean the process of checking code or data for safety or for compliance with some other desired rules, such as type safety.