data protection api's in asp dot net


Upload: sonia-merchant

Post on 09-Jan-2017


Data Protection APIs In Asp.Net

In short, protecting data consists of the following steps:

1. Create a data protector from a data protection provider.

2. Call the Protect method with the data you want to protect.

3. Call the Unprotect method with the data you want to turn back into plain text.

Most frameworks, such as ASP.NET or SignalR, already configure the data protection system and add it to a service container that you access via dependency injection. The following sample demonstrates configuring a service container for dependency injection and registering the data protection stack, receiving the data protection provider via DI, creating a protector, and protecting and then unprotecting data.


    using System;
    using Microsoft.AspNetCore.DataProtection;
    using Microsoft.Extensions.DependencyInjection;

    public class Program
    {
        public static void Main(string[] args)
        {
            // add data protection services
            var serviceCollection = new ServiceCollection();
            serviceCollection.AddDataProtection();
            var services = serviceCollection.BuildServiceProvider();

            // create an instance of MyClass using the service provider
            var instance = ActivatorUtilities.CreateInstance<MyClass>(services);
            instance.RunSample();
        }

        public class MyClass
        {
            IDataProtector _protector;

            // the 'provider' parameter is provided by DI
            public MyClass(IDataProtectionProvider provider)
            {
                _protector = provider.CreateProtector("Contoso.MyClass.v1");
            }

            public void RunSample()
            {
                Console.Write("Enter input: ");
                string input = Console.ReadLine();

                // protect the payload
                string protectedPayload = _protector.Protect(input);
                Console.WriteLine($"Protect returned: {protectedPayload}");

                // unprotect the payload
                string unprotectedPayload = _protector.Unprotect(protectedPayload);
                Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
            }
        }
    }

    /*
     * SAMPLE OUTPUT
     *
     * Enter input: Hello world!
     * Protect returned: CfDJ8ICcgQwZZhlAlTZT...OdfH66i1PnGmpCR5e441xQ
     * Unprotect returned: Hello world!
     */

When you create a protector you should provide one or more purpose strings. A purpose string provides isolation between consumers. For instance, a protector created with a purpose string of “green” would not be able to unprotect data provided by a protector with a purpose of “purple”.

Instances of IDataProtectionProvider and IDataProtector are thread-safe for multiple callers. The intent is that once a component gets a reference to an IDataProtector via a call to CreateProtector, it will use that reference for multiple calls to Protect and Unprotect.

A call to Unprotect will throw CryptographicException if the protected payload cannot be verified or deciphered. Some components might wish to ignore errors during unprotect operations; a component which reads authentication cookies might handle this error and treat the request as if it had no cookie at all rather than fail the request.

An overview of consumer APIs

The IDataProtectionProvider and IDataProtector interfaces are the basic interfaces through which consumers use the data protection system. They are located in the Microsoft.AspNetCore.DataProtection.Interfaces package.

IDataProtectionProvider

The provider interface is the root of the data protection system. It cannot be used directly to protect or unprotect data. Instead, the consumer must get a reference to an IDataProtector by calling IDataProtectionProvider.CreateProtector(purpose), where the purpose is a string that describes the intended consumer use case.

IDataProtector

The protector interface is returned by a call to CreateProtector, and it is this interface that consumers use to perform protect and unprotect operations.

To protect a piece of data, pass the data to the Protect method. The basic interface defines a method which transforms byte[] -> byte[], but there is also an overload which transforms string -> string. The security given by the two methods is similar; the developer should select whichever overload is most convenient for the use case. Irrespective of the overload selected, the value returned by the Protect method is now protected and the application can send it to an untrusted client.

To unprotect a previously protected piece of data, pass the protected data to the Unprotect method. If the protected payload was produced by an earlier call to Protect on this same IDataProtector, the Unprotect method will return the original unprotected payload. If the protected payload has been tampered with or was produced by a different IDataProtector, the Unprotect method will throw CryptographicException.
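The purpose-string isolation and the Unprotect failure handling described above, as an added example (not part of the original article's sample). TryUnprotect and Report are hypothetical helpers, and the payload value is constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class PurposeIsolationDemo
{
    // Hypothetical helper: returns null instead of throwing, so the caller can
    // treat an unreadable payload as if no cookie had been sent at all.
    static string TryUnprotect(IDataProtector protector, string payload)
    {
        try { return protector.Unprotect(payload); }
        catch (CryptographicException) { return null; } // wrong purpose or tampering
    }

    // Hypothetical helper: prints the recovered plaintext or a rejection marker.
    static void Report(string label, IDataProtector protector, string payload)
    {
        string result = TryUnprotect(protector, payload);
        Console.WriteLine(label + ": " + (result ?? "(rejected)"));
    }

    public static void Main()
    {
        var services = new ServiceCollection();
        services.AddDataProtection();
        var provider = services.BuildServiceProvider()
                               .GetRequiredService<IDataProtectionProvider>();

        // Same provider, different purpose strings.
        IDataProtector green = provider.CreateProtector("green");
        IDataProtector purple = provider.CreateProtector("purple");

        string payload = green.Protect("user=alice"); // constructed sample value

        // Change one character in the middle to simulate a modified payload.
        int i = payload.Length / 2;
        char swapped = payload[i] == 'A' ? 'B' : 'A';
        string tampered = payload.Substring(0, i) + swapped + payload.Substring(i + 1);

        Report("protected by green, read by green ", green, payload);
        Report("protected by green, read by purple", purple, payload);
        Report("tampered payload, read by green   ", green, tampered);
    }
}
```

Only the first call recovers the plaintext; the other two hit the CryptographicException path and are reported as rejected, which is the behaviour a cookie-reading component should map to "no cookie".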
