I am wondering if its possible to encrypt the ReturnURl before it's displayed to the end user.
I am pretty new at .NET, but I have tried using the PostAuthenticateRequest in the Global.asax. But that doesnt seem to ever fire.
I would be using my own encryption logic if this is even possible.
The only reason you would want to do this is if you have sensitive information in the URL.
And if you have sensitive data in the URL --
Don't.
And also, don't use your own encryption logic. Someone else has already done the heavy lifting for you. This is definitely one area you don't want to reinvent the wheel.
.NET includes plenty of ways to encrypt your data.
A .NET Cryptography Primer
Related
How could I read/write specific string on my WPF application
It's must be internal and on my application
I have using
CredentialManager
, but I lose data of it during reboot
CredentialManager.WriteCredential("title", "user, "pass");
You want to write your data to a file or a database in order to be able to access them after a reboot.
In most of the cases you could simply use a FileStream and do your file read/writes. But from your example it looks like you're trying to save user credentials which is sensitive data, so should never be written/saved anywhere without proper security measures.
So using some sort of encryption algorithm is one good practice. .NET comes with its own basic Encrypt and Decrypt capabilities, but those are really basic. I don't know what level of security you'd want so it's really a judgement call on what to use.
If you prefer rather high level of encryption, this SO post has some good answers on how to go about it. Hope this helps.
In fact, private methods are implemented in C# that can still be searched with Reflection.
What I am going to do is to write public string Encrypt(string data) and private string Decrypt(string cipher) methods to perform encryption and decryption.
Unfortunately, if someone knows .NET framework, he can use Reflection to find Decrypt methods and it decrypt everything that is encrypted.
It seems that is not that secure. So I want to make Decrypt method to truly private method.
But how to do that?
Updated 09 Jan 2012 10:52PM Sydney Time
bdares provides the technical explanation of this question
Eric Lippert provides the political explanation of this question
Thanks both experts!
You can't. If the attacker has access to your code, compiled or source, he can trace your program and find where it's being encrypted or decrypted.
You can add a layer of security by storing the key in a separate location, but generally if the attacker is executing code on your server, you're already screwed.
(You're only worried about this if the attacker is executing code on your server, because otherwise it doesn't matter whether or not the method is private. Also, he can't use reflection to find method names unless he's executing code on your server. In short: you're worrying about the wrong thing here.)
Your fundamental problem is that you've got the trust model wrong. If someone can use reflection then they are the user. You are the software provider. You work for them. Trust flows from them, not from you. They are the person who has to trust you, not you them.
If you don't trust the user then do not sell them your software in the first place. Don't sell weapons to people who you believe plan to attack you.
I believe you are referring to obfuscation, which is an attempt to hide/disguise code from being read by humans when opened in program such as Reflector.
Supplied within Visual Studio is a community use license for PreEmptive Solutions dotfuscator which will provide this functionality on small projects, and also for Windows Phone projects (if you download the add-on). There are also commercial platforms available too, from the same vendor and others .
This blog post explains a little more.
If you're creating your own encryption method, you're doing it wrong. People who know way more about encryption than you or I have already come up with excellent methods for encryption, and MS has implemented most of them already.
For good encryption, it's the keys, not the method, that makes encryption secure. Keep the keys safe and the algorithm can (and should) be published for all to see.
If you're trying to distribute both content and keep it encrypted, aka DRM, you're most probably doomed to failure unless you can keep the keys very well hidden in hardware, and even that will only buy you some time -- maybe months, maybe years.
I am not sure about your exact application. But if you are selling a product to a customer who will be doing both the Encryption and Decryption on their own system, then there is no way to keep the encryption secret from them. But you can instead allow them to generate a new Private Key for their own use. In this way each customer's data is 'secure' in regards to other customers; though obviously still not so secure within the same customer's site. In other situations where you control the encrypted content you can also look into creating a private master key to be generated on your side and only allow the customer to have a public key.
I want to pass information to athenticate a user to an XBAP application running in a browser. It's a username and password, where the password is hashed.
I've figured out how to do it via GET request (i.e. just pass in the information in a query string and use BrowserInteropHelper.Source.Query to get the information).
However that means exposing the data in the query string. Since the password is hashed it's not like you can actually see it, but it feels like bad practice to me. I can't find any real information about whether it's possible to pass data in via POST or a cookie. From what I've gathered from the internet cookies won't work for XBAP applications, but I might be wrong.
Does anyone know if and how it's possible to transfer this kind of data in a more secure way? It would also be nice to get a confirmation that cookies indeed won't work in this scenario - or how I need to go ahead and implement them.
From what I could gather from various sources on the internet, GET really is the only way to go in this scenario.
POST doesn't seem to work at all. Also, XBAPs cannot access any session cookies, so that option is not feasible as well.
(I would link to the sources, but it was more about collecting bits and pieces from everywhere and putting it together.)
We settled on passing the parameters via GET, but encrypting the whole query string. This is not an ideal solution, but it has to do until we have the resources to implement a more complex and prettier solution which enables sharing authentication details between two completely separate applications - where one is a Java application and the other an XBAP.
So I've made a simple C# application and I'm currently using HTTPrequests to login to my phpBB forum, using a custom PHP file to check the post count of the user, and consistently resends HTTPrequests every 30 seconds. Unfortunately, I fear that this can easily be cracked despite the obfusculation. I've heard of serialization, but I don't know what that is.
Any suggestions for consistently validating the post count/login or optimizing it?
Some things that may help:
Are these on the same server or different servers? PHP has solid built in COM support, so there is no reason to use any kind of sockets if they are on the same server.
I can think of two options here: (a) Provide no authentication and make the data such that if someone gets it there is no downside (b) encrypt the data / authentication yourself.
(b) may be easier than you think. PHP has solid built in encryption:
$iv = mcrypt_create_iv (mcrypt_get_iv_size (MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB), MCRYPT_RAND);
$key = "ThisIsYourKeyOfDoomAndPower";
$encryptedData = base64_encode(mcrypt_encrypt (MCRYPT_RIJNDAEL_128, $key, $dataToEncode, MCRYPT_MODE_ECB, $iv));
Hopefully this helps you get on the right track...
First of all serialization is not a method to protect your code. You can read more about it on Wikipedia.
The problem you may likely have is that you may pass your forum credentials in insecure way (without SSL/TLS encryption). This way anyone using a HTTP sniffer can get that data with little effort. If you are worried that someone may decompile your app and steal your code then there are some ways of making that harder (like obfluscation that you've mentioned) but you can never be 100% safe.
If I'm missing the point here please provide more details about your app vulnerability.
Beforehand :
I have read indeed the other topics on SO, but I can't find an answer in them.
(The others are about config-files, or a list of techniques)
My question thus is very simple, though a bit subjective (I'll label it beforehand :-)) what is the easiest way..
File.Encrypt is pretty simple - one call (with one parameter).
Of course, it really depends on what you want the encryption for. File.Encrypt encrypts to the current account, which isn't much use if you're passing the file around. But, given your spec - i.e. easiest way to encrypt a file - it has to be a candidate!
Data Protection API in C#
Don't believe you have any security just because you encrypt a config file. If someone has access to the encrypted config file, and your executable, containing the password, it's likely to be possible to decrypt your configfile. It's just a little harder.
And say your config file contains passwords to database connections, it might be possible to get those passwords looking at the network packets.
Encryption is trivial with modern libraries: the hard part is securing the key(s).
So you need to look at what you're trying to secure, and what threats you are trying to secure against.
To encrypt a file so only the current user can see it on a client workstation, File.Encrypt is a good choice, or DPAPI with the CurrentUser scope.
For a configuration file on a single server, DPAPI using the LocalMachine scope is a good choice. You then need to make sure only authorized users are able to log in to the server. Here you're essentially delegating key management to Windows.
For a configuration file on a server farm, you need to share the key between the servers. RsaProtectedConfigurationProvide is a good choice, but you have more work ensuring that all servers have access to the same key, and that it is protected against unauthorized access (e.g. using a DACL).
I recommend the Cryptography Application block in Enterprise Library. Very easy, very flexible.