The new security components in .NET 2.0 can help you greatly reduce the amount of code you need to write in order to make your applications secure. Security is difficult to get right, and it is a good strategy to leverage the code provided by Microsoft and other security vendors. To that end, .NET 2.0 provides numerous additional types that encapsulate functionality already provided in the base Windows OS, as well as new functionality only available in .NET 2.0. The improvements affect public key cryptography, Windows security, remoting, ASP.NET and Code Access Security. Even if you plan to stick with .NET 1.1 for a while and implement your own security classes, you might want to take inspiration from the .NET 2.0 beta.
This article will concentrate on changes to the way certificates and public keys are handled.
Certificates and certificate stores
While it is possible to store certificates in files, it is more convenient and more manageable to have them in a certificate store. Put simply, a certificate store is a database containing certificates. With the new X509Store class, you can open a store and query its certificates using several criteria including subject name and thumbprint. The new X509CertificateEx class is much richer and provides support for checking the certificate revocation list.
The following snippet finds a certificate and prints its status on the console:
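The snippet itself did not survive on this page, so here is an added example of the lookup the text describes; it is not the article's own code. It is written against the shipped .NET 2.0 API, where the beta's X509CertificateEx class became X509Certificate2, and it assumes a certificate with the constructed subject name "Example Signer" exists in the current user's Personal store. Besides printing the certificate, it builds the chain with online revocation checking and lists every problem the chain engine reports, which is the status a practitioner actually wants to see.

```csharp
// Added example (not the article's missing snippet): look up a certificate in the
// current user's Personal (My) store and report its validity, including revocation.
// Written against the shipped .NET 2.0 API (X509Certificate2, formerly X509CertificateEx).
// "Example Signer" is a constructed subject name; use one that exists in your own store.
using System;
using System.Security.Cryptography.X509Certificates;

class CertificateStatus
{
    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false so that expired, untrusted or revoked certificates are
            // returned too: we want to report *why* a certificate is unusable rather
            // than have the store silently hide it.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, "Example Signer", false);

            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with that subject name was found.");
                return;
            }

            foreach (X509Certificate2 cert in matches)
            {
                PrintStatus(cert);
            }
        }
        finally
        {
            store.Close();
        }
    }

    // Build the chain with online revocation checking for every certificate in it,
    // then print each problem the chain engine reports (expired, untrusted root,
    // revoked, revocation status unknown, ...).
    static void PrintStatus(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

        bool valid = chain.Build(cert);

        Console.WriteLine("Subject:    {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
        Console.WriteLine("Valid to:   {0}", cert.NotAfter);
        Console.WriteLine("Status:     {0}", valid ? "valid" : "NOT valid");

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());
        }
    }
}
```

Note that FindBySubjectName is a substring match on the subject, so it can return several certificates; when a lookup must be unambiguous, search with X509FindType.FindByThumbprint instead. Passing validOnly = true to Find is the right choice when the result is about to be used, since it filters out certificates that fail time and trust checks.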
Public Key Cryptography Standard
In the Pkcs namespace, the new EnvelopedCms and SignedCms classes define ways to create encrypted or signed messages that contain a reference to the certificate used. As a result, processing this message is much easier because you don't have to locate the key yourself.
For example, to encrypt a message, you simply specify the content to protect and the certificate to use.
Decrypting the message is effortless because you don't have to specify a key; the framework finds it automatically in the appropriate store based on the embedded serial number.
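The encrypt/decrypt round trip described above, plus the SignedCms counterpart mentioned with it, as one added example that is not code from the article. It needs a reference to System.Security.dll, and it assumes a certificate with the constructed subject name "Example Recipient", with its private key, is present in the current user's Personal store. The decrypting side passes no key: EnvelopedCms.Decrypt() reads the issuer name and serial number from the message and locates the matching certificate in the store.

```csharp
// Added example (not from the article): encrypt a message for a recipient with
// EnvelopedCms, decrypt it using only the embedded issuer/serial reference, then sign
// and verify with SignedCms. Requires a reference to System.Security.dll.
// "Example Recipient" is a constructed subject name; it must exist in the current
// user's Personal store together with its private key.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class CmsExample
{
    static void Main()
    {
        X509Certificate2 cert = FindCertificate("Example Recipient");
        byte[] message = Encoding.UTF8.GetBytes("constructed sample payload");

        byte[] envelope = Encrypt(message, cert);
        byte[] recovered = Decrypt(envelope);
        Console.WriteLine("Decrypted: {0}", Encoding.UTF8.GetString(recovered));

        byte[] signed = Sign(message, cert);
        Console.WriteLine("Signature valid: {0}", Verify(signed));
    }

    static X509Certificate2 FindCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true: never encrypt to, or sign with, a certificate that
            // fails the time or trust checks.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            if (found.Count == 0)
                throw new CryptographicException("No valid certificate for " + subjectName);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // The recipient is identified by issuer name + serial number; that reference is
    // what the decrypting side later uses to find the private key.
    static byte[] Encrypt(byte[] plaintext, X509Certificate2 recipientCert)
    {
        EnvelopedCms envelope = new EnvelopedCms(new ContentInfo(plaintext));
        CmsRecipient recipient = new CmsRecipient(
            SubjectIdentifierType.IssuerAndSerialNumber, recipientCert);
        envelope.Encrypt(recipient);
        return envelope.Encode();
    }

    // No key is supplied: Decrypt() reads the RecipientInfo from the message and
    // searches the current user's Personal store for a certificate with a matching
    // issuer/serial whose private key is accessible.
    static byte[] Decrypt(byte[] encoded)
    {
        EnvelopedCms envelope = new EnvelopedCms();
        envelope.Decode(encoded);
        envelope.Decrypt();
        return envelope.ContentInfo.Content;
    }

    static byte[] Sign(byte[] data, X509Certificate2 signerCert)
    {
        // Content is embedded in the message (not detached).
        SignedCms signedMessage = new SignedCms(new ContentInfo(data));
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert);
        signedMessage.ComputeSignature(signer);
        return signedMessage.Encode();
    }

    // CheckSignature(false) verifies the signature AND validates the signer's certificate
    // chain; passing true would accept a mathematically correct signature from an
    // untrusted or revoked certificate. Failure is reported as CryptographicException.
    static bool Verify(byte[] encoded)
    {
        SignedCms signedMessage = new SignedCms();
        signedMessage.Decode(encoded);
        try
        {
            signedMessage.CheckSignature(false);
            return true;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Verification failed: {0}", ex.Message);
            return false;
        }
    }
}
```

The convenience of an embedded certificate reference cuts both ways: because the framework resolves the key from the store automatically, the content of the store is part of the trust decision, so keep the verifySignatureOnly argument of CheckSignature at false in production code so that the signer's chain is validated, not just the signature bytes.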
In addition, the XML cryptography namespace has been improved to the level provided by Web Services Enhancements (WSE).
The rest of this article discusses .NET 2.0 enhancements to support for accounts, security identifiers, object level security, data protection API, and secure communication. Read it at The ServerSide.NET.
Pierre Nallet is a software consultant in the San Francisco area. He specializes in all areas of the .NET platform. He has experience in data access, object-oriented programming, component architecture, and compiler technology. He is the author of OLE DB Consumer Templates: A Programmer's Guide published by Addison-Wesley. He is also the creator of XC#, an extensible C# compiler.