Web Forms vs. ASP.Net MVC

June 5, 2009

Hi,
With emergence of ASP.Net MVC, Many Web developers put forward ideas and discuss about the future of Web Forms. There is a nice podcast there on Joe’s blog interviewing Scott Hunter, Senior Program Manager Lead on the ASP.NET Team. In this podcast, Joe & Scott talk about future of Web Forms and compare it to ASP.Net MVC.
Don’t miss this podcast!
Episode #1 – Scott Hunter on the future of ASP.NET Development with Web Forms


Keeping Passwords Secure

October 20, 2008

 

Hello,

Keeping sensitive data in database has always been one of the most challenging tasks which needs deep understanding of system planning and security issues that might affect the reliability of the system. Mainly, you may implement one of the following ways to keep passwords in database:

1 – Storing Passwords as Clear-Text/Plain-Text:

This option is the most insecure way of storing passwords in DB, because each password is kept as clear text without any kind of encryption/hashing algorithms used. The disadvantage of putting this into work is that anyone with access to your database will be able to read passwords and modify them. This imposes a great potential risk on your system and is not recommended in any scenario.

2 – Using Encryption Algorithms

This is a more secure approach that may be taken into account. In this way, you may implement one of the Asymmetric/Symmetric algorithms to encrypt/decrypt the data. In asymmetric algorithms, the key which is used to encrypt data differs from that of decrypting; there is a public key which enables you to encrypt password and a private key allowing you to decrypt it. In contrast with Asymmetric algorithms, Symmetric algorithms use a single key for encrypting/decrypting data. Intending to implement this method, use a unique public/private key for each user. Consequently if attacker obtains the private/public key of a user, it will not be usable for other users. This algorithm is mostly common in scenarios which need password retrieval system, meaning that passwords can be recovered. So if password retrieval is not a part of your system planning, this method is not recommended.

3 – Hashing Passwords

This technique is a one-way solution and makes it more secure. A “Hash Function” gets a value of variable length and produces an output with constant length. For instance, SHA256 algorithm gets the input value and generates a 256 bits output. Note that hashes of two sets of data are identical if and only if the corresponding data matches and any minor change in data causes the hash value to change dramatically, so this is a cool method when comparing large amount of data. Password recovery is also not possible when implementing this solution. When using hash functions to store scrambled data, keep in mind that if two users have the same password . the hash output will be identical and this is considered as a great vulnerability. To prevent this, you may use “Salted-Hash technique”, it means that you should add some additional data to your password and then compute the hash of new generated data. For example you may append username to the password and then hash the whole string. Consequently when authenticating users, you must first append username to entered password, hash it and then comparing it with the hash value stored in database. For more security you can generate a random salt for each user and store it in database.

.Net Framework System.Security.Cryptography namespace provides you with many cryptographic services such as Encryption/Decryption , Hashing , Random Number generation , etc.

4 – OTP – One-Time Password

In spite of implementing salted hash, passwords are still stored on hard disk and are prone to be cracked. So a better approach is required here. In contrast with static passwords, one-time passwords are changed each time a user logs on to the system and usually users should carry a small hardware used for synchronizing with server. Mainly there are two types of OTP:

  • Time-Synchronized: In this method, user should enter a password in a given period of time, otherwise it will be expired and a new password is generated. Of course this method may lead to clock-skew problem, it means that if the authentication server and the user token don’t keep the same time, authentication process will fail.
  • Counter-Synchronized: A counter is synchronized between server and user client and each time the device requests an OTP value, the counter is advanced. Like the previous solution, when user wants to logs on, he enters the password shown on the device.

For more information, visit Safer Authentication with a One-Time Password Solution.

Some Security Tips

  1. Try implementing salted hash.
  2. Enforce password policies when registering users and do not allow weak passwords.
  3. Separate authentication data (i.e. username, password, salt, etc) and user profile data (i.e. FirstName, BirthDate, etc) into different tables.
  4. Implement strong hash algorithms like SHA256, SHA384, and SHA256 (known as SHA2).
  5. When connecting to database, use an account with the minimum required privileges.
  6. Prevent SQL Injection attacks by using stored procedures, parameterized queries and validating data before passing them to query.
  7. Obtain information on different kinds of attacks (i.e. Dictionary, Brute-Force, SQL Injection, etc) and how to defend against them.
  8. Keep security tasks and functions secure by encrypting them.
  9. Use secure connections when sending/receiving data to/from server. (I.e. SSL).

The issues that mentioned in this article are just a few tips that should be considered in order to provide a secure system and the given recommendations are all dependant upon system requirements and scenario.

Enjoy!


SecureString : Storing Sensitive Data

July 11, 2008

Hello ,

Today , I’m going to elaborate on a great feature called System.Security.SecureString class which was introduced in .Net Framework 2.0. This class provides you with a secure way to store sensitive data and prevent them from being revealed by hackers. Implementing standard System.String class is not a secure way for keeping sensitive information and also swap file is in danger of being disclosed. Let’s take a look at some disadvantages of putting System.String class into work :

  1. As it’s not encrypted , anyone with access to swap file or process memory is able to read unencrypted data easily.
  2. When modifying this class , old value is not removed from the memory , so both old and new versions are kept in memory.
  3. There is not a certain way to dispose it from memory when finishing with it.

SecureString class uses DAPI to encrypt data. Information ecrypted in this way by CLR is only decrypted when accessing it and in contrast with standard System.String class , this class implements IDisposable interface so that it can be cleared out from memory and its allocated memory will be zeroed out when disposing it.

Now , let’s see an example :

using System.Security;
using System.Runtime.InteropServices;
using System;
using System.Windows.Forms;

namespace SecureStringProject
{
public class SecureStringExample
{
public void ImplementSecureString()
{
SecureString secureString = new SecureString();
///Implementing AppendChar method to add
///characters to SecureString Object.
secureString.AppendChar(‘A’);
secureString.AppendChar(‘C’);
secureString.AppendChar(‘G’);
secureString.AppendChar(‘E’);
secureString.AppendChar(‘F’);

///Implementing InsertAt method to insert a character
///at specified index.
secureString.InsertAt(1, ‘B’);

///Implementing SetAt method to replace character
///at specified index with new character.
secureString.SetAt(3, ‘D’);

///Implementing RemoveAt method to
///remove a character at specified index.
secureString.RemoveAt(5);

///Reading SecureStrinng content.
IntPtr pointer = Marshal.SecureStringToBSTR(secureString);
MessageBox.Show(Marshal.PtrToStringUni(pointer));

///Clearing SecureString Object.
secureString.Clear();

///Disposing SecureString Object.
secureString.Dispose();

///Free BSTR pointer allocated using
///SecureStringToBSTR method.
Marshal.ZeroFreeBSTR(pointer);
}
}
}


Creating a strong assembly using ILMerge

April 26, 2008

Hello ,

Sometimes , you may use an assembly that is not strong-named and also the source code is not available. How do you make an strong assembly out of that? ILMerge Tool allows you to sign/resign an assembly with a specified .snk file. Consider having a weak assembly called “Weak.dll” , you can create a strong-named assembly out of that as shown below :

ilmerge Weak.dll /keyfile:key.snk /out:Strong.dll

Note: You can create a random .snk file using Sn.exe(Strong Name Tool) from Visual Studio Command Prompt , For Example :

sn -k key.snk

ILMerge Download Page


C# 3.0 : Automatic Properties

February 24, 2008

Hello ,

Being a C# programmer , you’ve used to leverage propcode snippet to create a property . C# 3.0 provides you with a nice feature called “Automatic Properties” which enables you to avoid having to declare private accessor field for properties and write get/set logic , this will make your code more concise and legible . However , you can still create regular properties and change get/set logic.

This is a property created by C# 2.0 :

        private string propertyName;
        public string PropertyName
        {
            get { return propertyName; }
            set { age= propertyName; }
        }

And this one is re-writed using C# 3.0 :

public string PropertyName { get; set; }

Implementing this feature , the compiler automatically creates the get/set logics . If you need to make the above property readonly , add private keyword before set accessor :

public string PropertyName { get; private set; }


How to Load CSV File Into SQL Server Table/View

February 14, 2008

Hello ,

T-SQL ‘Bulk Insert’ statement lets you load CSV or any other user-specified file formats into table/view .  In a CSV file , each field is seperated by a Comma and each line represents a record. Now , open notepad and create a CSV file named ‘test.csv’ with the following content :

1,FirstName1,LastName1,20
2,FirstName2,LastName2,25
3,FirstName3,LastName3,30

 

The following procedure demonstrates loaing the CSV file into a temporary table :

Create Procedure dbo.LoadCSVFile
AS
Begin
Create Table #CSVTest( ID INT , FN Nvarchar(50) , LN Nvarchar(50) , Age INT )
BULK INSERT #CSVTest FROM 'c:\test.csv' WITH
(
FieldTerminator = ',' ,
RowTerminator = '\n'
)
SELECT ID,FN,LN,Age FROM #CSVTest
End

Executing the procedure results in :

result1.jpg


ANTS Profiler – .Net Code & Memory Profiler

February 7, 2008

Hello ,

RedGate ANTS Profiler is a great tool which enables you to identify bottlenecks in your code and optimize memory usage , It also profiles how long each line of code takes to be executed(line-level timing) and reports the slowest lines of code and procedures. In addition , It Integrates into Visual Studio with context sensitivity.

ANTS Profiler profiles Windows Applications , ASP.Net Web Applications , COM+ Applications and Windows Services which are written under .Net Framework 1.1 , 2.0, and 3.0.

Download 14-day free trial


Follow

Get every new post delivered to your Inbox.