RSA algorithm is producing different output value on different .NET framework. The encrypted password with .NET 3.5 framework has "==" at end but with .NET 4.6.2 the encrypted password has only one "=" at end.
Password = "abc123"
output generate on .NET 3.5
vsJJq67cZaS89DMI1BtPDxiWrnNZykqAgJTLUv4un/Zs1acZbaQ8P/kiahC2ZXEsT+d/2JtYxlDiUr63gaR4QGPEAowBadiE7FfThBVeRyNU6O5vc/ptW+wenp3K9ScMy9ZLyPCp9Sp6zoLxFohBKk/RK0mW9YHH/KgEoQsVVeDLFjnWm/svZynCHJjPmG1uaBSP5B4+SStkZNJidhIm7sv0vf9Inb0N1gl4xlq8GtXEgWuQS5SwS+oa4yJNMr9zGPnpagVAXJZbVKFA04xRmU7O7Szl4Cska4oXpVJyhDL304UbvH3Q/2FYmnZ7gLcmbxIqcmr/4jfDs/MixLYrBQ==
Password = "abc123"
output generate on .NET 4.6.2
AF2oLOsFQJnMEC3B7iJ5HPBAtWfoTDUXAK8FcOIv2vjc7G0VTUo3qOtF2bBrbpcABhUY5+IifZHOIgWQB1umGcGCsPs3i2pYLrP3c1uhCycE9GNvn9VywUZPD4XsnZrJcPuuV9QS5nDgf6/xIX5PVdAFuFLEceL+yEr19dhi6o+kBGx88boKDPMBQB+r3zJSK1fBZ6p3zvOmUTjxZ4RAxOiyLHdM7MineeyYCsmkd5x7O6BKc37tLSgQWVSUcpT25ib8T1/F794zP8IV2LHw7fZA8QRF7WftLHsPZl2HJegfclKEyOjIVqZe8Qup9dhmSBxM5Jb1U1nGlTDapYe3+C0=
Scenario: I am sending the encrypted password to third party for verification but the they failed to decrypte the encrypted password generated by .NET 4.6.2 framework, but they are getting password after decryption of encrypted password generated by .NET 3.5 framework.
My code for encryption is
public string Encryption(string strText)
{
var testData = Encoding.UTF8.GetBytes(strText);
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.FromXmlString(publicKey.ToString());
var encryptedData = rsa.Encrypt(testData, false);
return Convert.ToBase64String(encryptedData);
}
My Approach to cater this issue right now
I am writing the encrypted password generated by .NET 3.5 framework into file and read the output from the file in .NET 4.6.2 framework.
My approach looks not right solution because when the customers load will increase for password verification the CPU usage will be very high that will affect the system performance.
Please guide me how to cater this problem with right approach or my approach is right ?
Related
We have an ASP.NET Core 3.1 Web API controller that is called from an ASP.NET web app using .NET 3.5 framework. The API controller is called via a HttpWebRequest and results in an error
That assembly does not allow partially trusted callers
Both apps reside on the same shared hosting environment and domain. That is, both app's have the same domain but are in different folders (i.e. applications) in IIS. For instance, mywebsite.com/folder1 and mywebsite.com/folder2.
Here's a sample how asp.net web app calls the .net core web api:
oRequest = HttpWebRequest.Create("https://www.mywebsite.com/folder2/path/to/api")
With oRequest
.Method = "GET"
.ContentType = "application/x-www-form-urlencoded"
.Accept = "application/json"
.ContentLength = 0
oResponse = oRequest.GetResponse()
oReader = New StreamReader(oResponse.GetResponseStream)
'store results in string
sResult = oReader.ReadToEnd
End With
We checked the .NET trust level and both app's are set to "Full (Internal)". Also, we tried adding the AllowPartiallyTrustedCallers attribute to the controller but per MS, "Partially trusted code is no longer supported. This attribute has no effect in .NET Core."
Is there a way to call the api?
Help is appreciated.
I am looking for an alternative to DpapiDataProtectionProvider because this uses machine key and a user requests to reset the password from other application rather than the main MVC product, the token is always invalid.
I have got an ASP.net MVC application and an API application. They are both using the same token provider passwords like this:
var provider = new DpapiDataProtectionProvider("MyWeb");
appManager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(provider.Create("MyWebToken"));
DpapiDataProtectionProvider relies on machine key, so the token is invalid when using a link from an email. What alternative could I use?
Thanks
For anyone with the same problems, I ended up using MachineKeyProtectionProvider like this solution offered here and I included this line in the startUp:
app.SetDataProtectionProvider(new MachineKeyProtectionProvider());
and I added machine key in web.config files.
we have a application developed on asp.net. It uses membership provider with its websecurity functionality to register accounts and log users.
We have another application which needs to share the same database. This one is developed on asp.Net Core. It does not require a login but it needs to register accounts on membership provider format.
As both systems are not compatible, we want to write the passwords manually on the table webpages_Membership.
Is it possible to store passwords, on the .Net Core application, using the same salt+hash that is used on the ASP.Net application?
If not, there is any way to solve it?
The only solution I see is to create our own login system, in our tables, and adapt our ASP.Net application to this purpose; but in this case it is a lot of work and I'd prefer to find another solution.
Thanks
Maybe you can just use System.Security.SecureString from both applications and so ensure that the database values are compatible?
You could use code like this to convert the user entered string into a SecureString
public static SecureString ToSecureString( this string source )
{
if ( source == null )
{
return null;
}
var securePassword = new SecureString();
foreach ( char c in source )
{
securePassword.AppendChar( c );
}
securePassword.MakeReadOnly();
return securePassword;
}
I have created a web forms .net application which has jut got one page with four input fields.
I am storing the input parameters in the view state to be available between post backs.
This application is now deployed onto live server which is actually load balanced between two servers.
When I load the page, it works fine. But this application is going to be used by
10,000 users.
There is no machine key on the web.config file for this application. I read in a documentation when a application
is loaded on a web farm(when load balanced between two servers), a machine key is required to preserve
view state information.
So I tried to generated a machine key on my local host with the following settings
Encryption method: SHA1
Decryption method: auto
Validation key:
Automatically generate at runtime (unchecked)
Generate a unique key for each application (unchecked)
Decryption key:
Automatically generate at runtime (unchecked)
Generate a unique key for each application (unchecked)
I used the generated keys on the web.config of live server, but the application fails to load trying to load the login
page which is not my start page.
So my questions are:
1) Do I really need a machine key as the application is loading without it?
2) When thousands of users use the application page at the same time, is it alright without machine key?
3) If machine key is required, how is it generated and what encryption method, validation key and decryption key
parameters need to be used?
I dont know if you need a machine key. But here's how you generate one: Here is a little console program, which will create a machine key tag for your web.config. You can just copy the text from the console to your web.config like this:
<system.web>
...
<machineKey ... />
</system.web>
And the program. DISCLAIMER: Code not by me, I merely adapted it:
public class KeyCreator
{
const int VALIDATION_KEY_LENGTH = 24;
const int DECRYPTION_KEY_LENGTH = 64;
public static void Main(string[] args)
{
string decryptionKey = CreateKey(VALIDATION_KEY_LENGTH);
string validationKey = CreateKey(DECRYPTION_KEY_LENGTH);
Console.WriteLine("<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\"/>", validationKey, decryptionKey);
Console.ReadKey();
}
static string CreateKey(int numBytes)
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[numBytes];
rng.GetBytes(buff);
return BytesToHexString(buff);
}
static string BytesToHexString(byte[] bytes)
{
StringBuilder hexString = new StringBuilder(64);
for (int counter = 0; counter < bytes.Length; counter++)
{
hexString.Append(String.Format("{0:X2}", bytes[counter]));
}
return hexString.ToString();
}
}
I have generated the machine key as below on my local IIS and applied to the config file. I have then published that to live folder and it seems to be working fine.
Encryption method: SHA1
Decryption method: auto
Validation key:
Automatically generate at runtime (unchecked)
Generate a unique key for each application (unchecked)
I am using a Java web services from a c# client.The web services is using WS-security.The request I am sending is using
Where as the server is expecting
When I tried changing it in the code I found that this property is a read-only property.
So how can I change this property?
Below is the actual code from my WSE 3.0 client to change the encryption algorithm.
X509SecurityTokenManager objCertTokenManager = (X509SecurityTokenManager)SecurityTokenManager.GetSecurityTokenManagerByTokenType(WSTrust.TokenTypes.X509v3);
objCertTokenManager.DefaultKeyAlgorithm = "RSA15";
objCertTokenManager.DefaultSessionKeyAlgorithm = "TripleDES";