Aspnetcore.docs: Complete examples for Authenticated Encryption would be helpful

Created on 30 Jan 2020 · 6 Comments · Source: dotnet/AspNetCore.Docs

Providing a complete end-to-end example of using Authenticated Encryption is badly needed! Please consider adding a robust example.



Source - Docs.ms doc-idea needs-more-info


All 6 comments

Thanks for contacting us.
We don’t have the resources to invest in this area, so we are closing the issue. Should your request generate enough 👍 responses, we’ll reconsider.

@blowdart our security chief can overrule me and open this issue.

@Rick-Anderson, @blowdart
Though I appreciate the transparency, I'm disappointed to hear this kind of response. Respectfully, let me make a few points:

  1. Cryptography is extremely difficult to get right - subsequently, very easy to get wrong.
  2. The efficacy and usefulness of APIs is closely tied to the amount of and accuracy of documentation provided on how to effectively and correctly use them.

Sometimes I feel like you guys are moving too fast for your own good - and for the good of the dev community. It's one thing to stay ahead of devs that are consuming APIs you write; but it's another thing to leave them in the dust. I politely ask you to reconsider - or at a minimum, put this on the radar sometime soon.

When you say authenticated, what algorithms do you mean? ASP.NET has no encryption algorithms, that's part of CoreFX and such a request would belong on their docs, along with what algorithms you want generated.

DataProtection is a specialized component, and is limited in what encryption it can and will support, and has authentication via MACs built in.

Full disclosure...I don't have a deep background in crypto/security so please keep that under consideration; rather, I'm simply a dev trying to implement using Data Protection to create custom cryptographically-secure tokens stored as cookies so that I can "authenticate" their values at some future time. That being said, I'm not new to the game - working with .net since 2002.

@blowdart - here is where I'd originally read about Authenticated Encryption - New cryptography in .NET Core 3.0

The parts that stand out are:

While the cryptography provided by .NET Core 2.0 is close to that of the latest .NET Framework, .NET Core 3.0, to be released in September 2019, will provide two major improvements: authenticated encryption and interoperable key formats. Below we’ll look at why these are important and what support Microsoft will give us.

And

Authenticating a ciphertext before decrypting it is now seen as fundamental for security

So, I went digging on the .net core docs and came across Core cryptography extensibility in ASP.NET Core. I found the sample lacking. It reminded me how there are samples in the .net core github repo for Authentication, Authorization, using MS Graph, etc. I was thinking that something like that would be useful for an area of development that is inherently difficult to get right and intimidating for devs that don't work in the Crypto/security area full time. Thank you for your consideration.

DataProtection already does this for you. All you need to do is call protect and unprotect. It’s already authenticated cryptographically. You don’t need to implement anything. An added bonus is we will rotate keys as they get old.

Authenticated encryption can be achieved by an encryption algorithm combined with a message authentication code to protect against people changing the payload. It doesn’t need a specialist algorithm, what those offer is both properties in a single algorithm, but by combining two algorithms, one for encryption, one for message authentication you get the same thing.


From: Dave Black notifications@github.com
Sent: Thursday, January 30, 2020 7:04:56 PM
To: aspnet/AspNetCore.Docs AspNetCore.Docs@noreply.github.com
Cc: Barry Dorrans Barry.Dorrans@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [aspnet/AspNetCore.Docs] Complete examples for Authenticated Encryption would be helpful (#16784)

Full disclosure...I don't have a deep background in crypto/security so please keep that under consideration; rather, I'm simply a dev trying to implement using Data Protection to create custom cryptographically-secure tokens stored as cookies so that I can "authenticate" their values at some future time. That being said, I'm not new to the game - working with .net since 2002.

@blowdart (https://github.com/blowdart) - here is where I'd originally read about Authenticated Encryption - New cryptography in .NET Core 3.0 (https://cryptosense.com/blog/new-cryptography-in-net-core-3-0/)

The parts that stand out are:

While the cryptography provided by .NET Core 2.0 is close to that of the latest .NET Framework, .NET Core 3.0, to be released in September 2019, will provide two major improvements: authenticated encryption and interoperable key formats. Below we’ll look at why these are important and what support Microsoft will give us.

And

Authenticating a ciphertext before decrypting it is now seen as fundamental for security

So, I went digging on the .net core docs and came across Core cryptography extensibility in ASP.NET Core (https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/extensibility/core-crypto?view=aspnetcore-3.1&tabs=aspnetcore2x). I found the sample lacking. It reminded me how there are samples in the .net core github repo for Authentication, Authorization, using MS Graph, etc. I was thinking that something like that would be useful for an area of development that is inherently difficult to get right and intimidating for devs that don't work in the Crypto/security area full time. Thank you for your consideration.

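The Protect/Unprotect call described in the comment above, written out for the cookie-token case raised in this issue, including what happens when the value is altered or read under a different purpose. This is an added example, not code from the thread or from the ASP.NET Core docs; the application name, purpose strings and payload are constructed placeholders.

```csharp
// Added example; requires the Microsoft.AspNetCore.DataProtection.Extensions package.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class CookieTokenDemo
{
    // Placeholder names (assumptions): pick stable values for your own application.
    private const string AppName = "ExampleApp";
    private const string Purpose = "ExampleApp.CookieToken.v1";

    public static void Main()
    {
        // Console setup. In an ASP.NET Core app, call services.AddDataProtection()
        // and take IDataProtectionProvider from dependency injection instead.
        IDataProtectionProvider provider = DataProtectionProvider.Create(AppName);
        ITimeLimitedDataProtector protector =
            provider.CreateProtector(Purpose).ToTimeLimitedDataProtector();

        // Protect encrypts and authenticates; the lifetime is bound into the payload.
        // The payload string is a constructed sample value.
        string token = protector.Protect("user=42;scope=reports", TimeSpan.FromMinutes(20));
        Console.WriteLine($"cookie value: {token}");

        // Round trip with the same purpose.
        string payload = protector.Unprotect(token, out DateTimeOffset expires);
        Console.WriteLine($"payload: {payload} (valid until {expires:u})");

        // Change one character: authentication fails and no plaintext is returned.
        char[] chars = token.ToCharArray();
        int mid = chars.Length / 2;
        chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
        Console.WriteLine($"tampered accepted: {TryRead(protector, new string(chars), out _)}");

        // A protector created for another purpose cannot read the token either.
        ITimeLimitedDataProtector other =
            provider.CreateProtector("ExampleApp.OtherFeature.v1").ToTimeLimitedDataProtector();
        Console.WriteLine($"wrong purpose accepted: {TryRead(other, token, out _)}");
    }

    // Treat every failure (tampering, wrong purpose, expiry, unknown key) as "no token".
    public static bool TryRead(ITimeLimitedDataProtector protector, string cookieValue, out string payload)
    {
        try { payload = protector.Unprotect(cookieValue, out DateTimeOffset _); return true; }
        catch (CryptographicException) { payload = string.Empty; return false; }
    }
}
```

When reading a cookie, call `TryRead` and treat `false` as an absent token rather than reporting to the client which check failed.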

Closing for now.
