You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Encryption Stores
There is an inconsistency in how protectworthy information is stored. Some parts of the framework implement secure storage, while others don’t.
On the one hand, X509 certificates appear to be stored using the X509Store object, which repre- sents a secure physical storage that is used to manage certificates.
On the other hand, encryption keys appear to be managed using ConfigurationBuilder in base64 encoded format. ConfigurationBuilder is typically used to manage application settings and config- urations, rather than to securely manage sensitive information such as passwords, API keys, or connection strings.
Cryptography
The CypherCodec class implements three methods that ease the use of the AES API.
The GenerateKeyAndIV function generates a new random AES key and IV (initialisation vector) in a base64 encoded format.
The user of this class is limited to encrypting only one plaintext message per key, unless he gen- erates a new randomised IV using a different library. This might be misleading and encourage an inexperienced developer to reuse the same key and IV for different messages, which can lead to cryptographic vulnerabilities such as the “padding oracle”.
Custom Security Implementations
In general, it is better to use built-in security or proven security frameworks rather than developing your own implementation. Built-in security features and established frameworks have undergone rigorous testing and scrutiny by security experts, making them inherently more reliable and less prone to vulnerabilities.
When having to implement security concepts, try to use reliable sources such as OWASP for additional information.
The text was updated successfully, but these errors were encountered:
Encryption Stores
There is an inconsistency in how protectworthy information is stored. Some parts of the framework implement secure storage, while others don’t.
On the one hand, X509 certificates appear to be stored using the X509Store object, which repre- sents a secure physical storage that is used to manage certificates.
On the other hand, encryption keys appear to be managed using ConfigurationBuilder in base64 encoded format. ConfigurationBuilder is typically used to manage application settings and config- urations, rather than to securely manage sensitive information such as passwords, API keys, or connection strings.
Cryptography
The CypherCodec class implements three methods that ease the use of the AES API.
The GenerateKeyAndIV function generates a new random AES key and IV (initialisation vector) in a base64 encoded format.
The user of this class is limited to encrypting only one plaintext message per key, unless he gen- erates a new randomised IV using a different library. This might be misleading and encourage an inexperienced developer to reuse the same key and IV for different messages, which can lead to cryptographic vulnerabilities such as the “padding oracle”.
Custom Security Implementations
In general, it is better to use built-in security or proven security frameworks rather than developing your own implementation. Built-in security features and established frameworks have undergone rigorous testing and scrutiny by security experts, making them inherently more reliable and less prone to vulnerabilities.
When having to implement security concepts, try to use reliable sources such as OWASP for additional information.
The text was updated successfully, but these errors were encountered: