Crypto in .Net

Friday, November 21, 2003

.NET

Everyday I learn something, and I like it ;-)

Some valid point on the data encryption post:

From Wes

Actually for user passwords hashing with a salt is typically the way they are done. They are usually not encrypted with symmetric encryption, because there is usually no reason to be able to decrypt them. If a user loses a password then you simiply reset it. You don't want to, or at least I don't want to be able to decrypt my users passwords, that can lead to a whole can of worms I don't want to deal with.

And from Securecoder.news(subscribed from now)

The built-in crypto capabilities of the .NET framework are pretty extensive. It contains the ability to do both Symmetric (DES, RC2, Rijndael, TripleDES) and Asymmetric Encryption (DSA, RSA) as well as Hashing (MD5, SHA1, SHA256, SHA384, SHA512).

As far as storing passwords in a database. DON'T! One of the basic tenets of security is that if you don't need to keep a secret, don't! Passwords are a great example where this should be followed. Hash or even better store a salted hash of the password.

The byproduct of this of course is, how do you go about doing password resets?

Couple of ways I can think of are to have password hints that you are provided by the user when the account is set up that are provided by the user when the password needs to be changed or sending out a temp password to an known and verified e-mail account on file with an explicit and short time window during which you can make the password change.

Of course, for highly secure apps, the cleanest would be to provide a phone number where a human actually verifies the identity of the user and does temp password reset.

And Andrew Birkett mention this:

There is an implementation of AES (and others) in the System.Security.Cryptography, if you're using C#. It will (hopefully!) be better tested than the version in the article, and I think it delegates to the Win32 CryptoAPI, which means it will run faster than the C#

Strange that in a recent MSDN magazine, they don't mention this namespace at all, but just checked in the docs, and yes a lot of things can be done from there.
Well the article is worthwhile, because James explain the way it works.

No Comments