
Security

Secret Provider

GridLab.Abp.Security.SecretProvider lets you work with secrets easily. Instead of reading sensitive values from your application's configuration, Secret Provider retrieves secrets from a configured Secret Store. The secret store can draw its secrets from multiple secret providers, such as Azure Key Vault, HashiCorp, etc., and also lets you write your own secret provider.

The package follows an approach similar to how IConfiguration is built, but with a focus on secrets. You pick and choose the secret providers you want to use and the package does the rest.

Once registered, you can fetch all secrets through ISecretProvider, which gathers secrets from every registered secret provider.

Available providers:

String Encryption

The String Encryption service provides a robust way to encrypt and decrypt strings using AES encryption.

It ensures that the same passphrase and salt are used for both encryption and decryption; a value can only be decrypted with the passphrase and salt it was encrypted with.

All string values encrypted by this service carry the SIE: prefix.

Installation

To install the security framework component:

  • Add the GridLab.Abp.Security NuGet package to your project:

    Install-Package GridLab.Abp.Security

  • Add the AbpApplicationSecurityModule to the dependency list of your module:

    [DependsOn(
        //...other dependencies
        typeof(AbpApplicationSecurityModule) // <-- Add the module dependency like this
    )]
    public class YourModule : AbpModule
    {
    }
    
  • Locate the appsettings.json file in your project.

  • Add a new section for string encryption settings. This section should include the DefaultPassPhrase key.

    {
     "Logging": {
       "LogLevel": {
         "Default": "Information",
         "Microsoft": "Warning",
         "Microsoft.Hosting.Lifetime": "Information"
       }
     },
     "StringEncryption": {
       "DefaultPassPhrase": "YourDefaultPassPhraseNotLessThan32Char"
     },
     "AllowedHosts": "*"
    }
    

Using String Encryption

All encryption operations are exposed by IStrongStringEncryptionService. You can inject it and start using it.

using Volo.Abp.Domain.Services;

public class MyService : DomainService
{
    protected IStrongStringEncryptionService StringEncryptionService { get; }

    public MyService(IStrongStringEncryptionService stringEncryptionService)
    {
        StringEncryptionService = stringEncryptionService;
    }

    public string Encrypt(string value)
    {
        // Encrypt a plaintext value; the result carries the SIE: prefix
        return StringEncryptionService.Encrypt(value);
    }

    public string Decrypt(string value)
    {
        // Decrypt a value previously produced by Encrypt
        return StringEncryptionService.Decrypt(value);
    }
}

Using Custom PassPhrase

IStrongStringEncryptionService methods have a passPhrase parameter with a default value; when you don't pass passPhrase, the configured default PassPhrase is used.

// Default Pass Phrase
var encryptedWithDefault = StringEncryptionService.Encrypt(value);

// Custom Pass Phrase
var encryptedWithCustom = StringEncryptionService.Encrypt(value, "MyCustomPassPhrase");

// Encrypt & Decrypt have the same parameters: decrypt with the passphrase used to encrypt.
var decryptedValue = StringEncryptionService.Decrypt(encryptedWithCustom, "MyCustomPassPhrase");

Using Custom Salt

IStrongStringEncryptionService methods have an optional salt parameter that is used for key generation. If it is null, a new random salt is generated. The random salt is always added to the cipher output.

A dictionary attack uses a precomputed list of likely plaintexts and their corresponding ciphertexts to look for matches. Because a unique salt is added to each encryption operation, the same plaintext produces a different ciphertext every time, which makes such precomputed lookups impractical.

// Default Salt (a fresh random salt is generated and stored with the cipher)
var encryptedWithDefault = StringEncryptionService.Encrypt(value);

// Custom Salt
var encryptedWithCustom = StringEncryptionService.Encrypt(value, salt: Encoding.UTF8.GetBytes("MyCustomSalt"));

// Encrypt & Decrypt have the same parameters: decrypt with the salt used to encrypt.
var decryptedValue = StringEncryptionService.Decrypt(encryptedWithCustom, salt: Encoding.UTF8.GetBytes("MyCustomSalt"));

String Encryption Options

Default values can be configured through the StrongStringEncryptionOptions type.

Configure<StrongStringEncryptionOptions>(options =>
{
    options.DefaultPassPhrase = ":Hav21O3lH6)+oy0gnBRVPn#eaA/sgH@";
});

These options ensure that the encryption and decryption processes adhere to specific security guidelines, providing robust protection for sensitive data.

  • Keysize: Enforces a 256-bit encryption key. Not configurable.

  • HashAlgorithmName: Uses SHA-384 for key derivation. Not configurable.

  • DefaultPassPhrase: The passphrase used for encryption and decryption when none is passed explicitly. Configurable. Must be at least 32 characters long.

  • Saltsize: Uses a 32-byte salt to enhance security and prevent attacks. Not configurable.
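As an added illustration, not the library's implementation, the following stand-alone C# sketch ties together what the salt section and the options above describe: a 256-bit key derived with SHA-384 from a passphrase of at least 32 characters, a 32-byte salt that travels inside the output so that repeated encryptions of one plaintext differ, and the SIE: prefix. It assumes .NET 8, PBKDF2 with 100,000 iterations as the derivation function and AES-GCM as the AES mode, none of which the page states; it also always embeds the salt, whereas the library's custom-salt path expects you to pass the same salt again at decryption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Stand-alone sketch of the design documented above, not the library's code. Assumptions the
// page does not state: PBKDF2 (100,000 iterations) as the SHA-384 derivation, AES-GCM as the
// AES mode, and a layout of salt | nonce | tag | ciphertext behind the "SIE:" prefix.
public static class SaltedAesDemo
{
    private const string Prefix = "SIE:";
    private const int SaltSize = 32, KeySize = 32;   // 32-byte salt, 256-bit key (as documented)
    private const int NonceSize = 12, TagSize = 16, Iterations = 100_000;  // assumptions
    private static byte[] DeriveKey(string passPhrase, byte[] salt) =>
        passPhrase.Length < 32   // the documented minimum passphrase length
            ? throw new ArgumentException("Passphrase must be at least 32 characters long.")
            : Rfc2898DeriveBytes.Pbkdf2(passPhrase, salt, Iterations, HashAlgorithmName.SHA384, KeySize);
    // A null salt means "generate a fresh random one"; either way the salt is stored inside the
    // output, so encrypting the same plaintext twice never yields the same string.
    public static string Encrypt(string plainText, string passPhrase, byte[]? salt = null)
    {
        salt ??= RandomNumberGenerator.GetBytes(SaltSize);
        if (salt.Length != SaltSize) throw new ArgumentException("Salt must be 32 bytes.");
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        byte[] cipher = new byte[plain.Length], tag = new byte[TagSize];
        using var aes = new AesGcm(DeriveKey(passPhrase, salt), TagSize);
        aes.Encrypt(nonce, plain, cipher, tag);
        byte[] payload = new byte[SaltSize + NonceSize + TagSize + cipher.Length];
        Buffer.BlockCopy(salt, 0, payload, 0, SaltSize);
        Buffer.BlockCopy(nonce, 0, payload, SaltSize, NonceSize);
        Buffer.BlockCopy(tag, 0, payload, SaltSize + NonceSize, TagSize);
        Buffer.BlockCopy(cipher, 0, payload, SaltSize + NonceSize + TagSize, cipher.Length);
        return Prefix + Convert.ToBase64String(payload);
    }
    // Rejects values without the prefix; a wrong passphrase or a tampered payload fails the
    // GCM tag check and surfaces as CryptographicException rather than as garbage text.
    public static string Decrypt(string encrypted, string passPhrase)
    {
        if (!encrypted.StartsWith(Prefix, StringComparison.Ordinal))
            throw new FormatException("Value does not carry the SIE: prefix.");
        byte[] payload = Convert.FromBase64String(encrypted.Substring(Prefix.Length));
        byte[] salt = payload[..SaltSize];
        byte[] nonce = payload[SaltSize..(SaltSize + NonceSize)];
        byte[] tag = payload[(SaltSize + NonceSize)..(SaltSize + NonceSize + TagSize)];
        byte[] cipher = payload[(SaltSize + NonceSize + TagSize)..];
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(DeriveKey(passPhrase, salt), TagSize);
        aes.Decrypt(nonce, cipher, tag, plain);
        return Encoding.UTF8.GetString(plain);
    }
}
```

Calling Encrypt twice with the same plaintext and passphrase returns two different SIE: strings that both decrypt to the original, and passing a different passphrase to Decrypt throws instead of returning a wrong value.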