I am working on a SCADA application which has applications developed in Java, C# and C++ and currently runs on Windows, Linux and AIX. I want to adopt password hashing to store passwords in the database securely. Which algorithm has the capability to support all these requirements? Are there libraries available for the same?
Related
I'm writing a desktop client local web service in C++ to interact with the browser over HTTPS, which will provide the user with an API in JavaScript. Due to the lack of a development framework, weak concurrency, and cross-platform limitations, I want to refactor the entire service. What solutions can you recommend if you do it all over again? I hope it is small enough to download and install easily, I hope it can be used on Windows, Linux and Mac, I hope it supports sessions, I hope it can interact with a C dynamic library, I hope it supports asynchronous multi-threading. Other languages are acceptable to me.
I have an application running ASP.NET on the 3.0 framework that uses forms authentication. I am now building an MVC 4 application that also uses forms authentication and I would like to share authentication between the two apps. I have both config files matching for the auth tag and exact machine key tags. I think my problem is that the ASP.NET application uses the old ASP membership provider which has the user passwords in MD5 format, and the MVC application is using simple membership, password format SHA1.
Is there a way to share user authentication between the two apps even with different credentials (password formats)?
For the main app that authenticates in the forms tag I have this
<credentials passwordFormat="MD5"/>
I am not really sure if this is my issue or what's going on.
Well, I figured out my answer. All I had to do was add the attribute compatibilityMode="Framework20SP2" to the tag.
This was due to the fact that my ASP.NET app was running on the older framework and my new MVC app was on framework 4.0.
Your options are pretty much:
Write your own ASP.Net 2.0 MembershipProvider to use the PBKDF2 algorithm to store passwords (Resetting everyone's passwords will be required).
You don't get to override SimpleMembershipProvider's storage of passwords (that I know of), so you'll have to write your own ExtendedMembershipProvider to duplicate the ASP.Net 2.0 security mechanisms in the default MembershipProvider.
As a side note, MD5 is (in my opinion) a terrible algorithm to store passwords. At this point, from what I've read, bcrypt or PBKDF2 is recommended by most security experts.
If you're interested in the changes Microsoft made to increase security in .Net releases, the article Stronger Password Hashing in .NET with Microsoft’s Universal Providers is a good read.
I have a .Net 1.1 app that must be upgraded to 2.0. The application encrypts passwords in the database using MD5CryptoServiceProvider. After I upgraded to 2.0, the MD5 value was different. In the machine.config, the machinekey was set to autogenerate.
Is there a way to retrieve this key?
Yes, you can with a bit of reflection, see here for details and code :)
Though, I'm not sure that MD5CryptoServiceProvider actually uses the machine key; I thought it was independent. Can someone correct me in the comments?
The System.Security.Cryptography.MD5CryptoServiceProvider doesn't rely on the ASP.NET system.web/machineKey settings. These are used to control tamper proofing and encryption of ViewState, forms authentication tickets, and role cookies (How To: Configure MachineKey in ASP.NET 2.0).
I just compiled a simple console application under .NET 1.1 and 2.0 that performs an MD5 hash and they both produce the same value. I ran these applications on two different machines (one with autogenerated machine keys, and one with hard coded keys); again, identical results.
This sounds like the Encoding used is possibly different, i.e. the 1.1 application is using ASCIIEncoding and the 2.0 application is using Unicode.
Another thing to check is whether the method you're using uses a salt that you've forgotten about; that would certainly cause different hashes to be generated.
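The encoding and salt causes suggested in the answers above can be checked against a stored value for an account whose password you know. The following Python sketch is an added example, not code from any of the posts: the function names, the salt-as-string prefix/suffix layout and the sample values are assumptions, and the codec names stand in for the .NET encoding classes.

```python
import base64
import hashlib

# .NET encoding class -> Python codec (Encoding.Unicode is UTF-16 little-endian).
DOTNET_ENCODINGS = {
    "ASCIIEncoding": "ascii",
    "UTF8Encoding": "utf-8",
    "UnicodeEncoding": "utf-16-le",
    "BigEndianUnicode": "utf-16-be",
}

def md5_variants(password, salt=""):
    """Map (encoding, salt_position, text_format) -> MD5 digest string."""
    materials = {"none": password}
    if salt:  # assumed layouts: salt concatenated as text before or after
        materials["prefix"] = salt + password
        materials["suffix"] = password + salt
    variants = {}
    for enc_name, codec in DOTNET_ENCODINGS.items():
        for position, text in materials.items():
            # errors="replace" mirrors ASCIIEncoding substituting '?' for non-ASCII
            digest = hashlib.md5(text.encode(codec, errors="replace")).digest()
            variants[(enc_name, position, "hex")] = digest.hex()
            variants[(enc_name, position, "base64")] = (
                base64.b64encode(digest).decode("ascii"))
    return variants

def identify_scheme(stored, password, salt=""):
    """Return every variant that reproduces the stored hash for a known password."""
    wanted = stored.strip()
    matches = []
    for key, value in md5_variants(password, salt).items():
        same_hex = key[2] == "hex" and value == wanted.lower()
        if value == wanted or same_hex:  # hex compared case-insensitively
            matches.append(key)
    return matches

if __name__ == "__main__":
    # Constructed sample: a test account whose password is known to be "password".
    legacy = "5f4dcc3b5aa765d61d8327deb882cf99"
    print("legacy row matches:", identify_scheme(legacy, "password"))
    upgraded = hashlib.md5("password".encode("utf-16-le")).hexdigest().upper()
    print("upgraded row matches:", identify_scheme(upgraded, "password"))
```

For an all-ASCII password the ASCII and UTF-8 variants are byte-identical, so both are reported; a match only on UnicodeEncoding points to the encoding change described above.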
I don't understand the purpose of the WPF browser application. Is it simply another way of serving information through a browser, or is it not intended to be used for external deployment?
WPF Browser applications allow you to create very rich, application-style UIs deployable via the web, using coding languages Windows developers already likely have in their toolset. The downsides are that the users must have .NET installed, and use IE to access the application, considerably limiting the size and scope of your audience. WPF browser applications are very similar to Java applications in that they run in a virtual machine on the client. As it runs on the client, all data access and communication with the server must be done through WCF or web services.
With ASP.NET you have considerably more cross-browser compatibility and support, giving you access to a much larger audience, with the possible downside of learning new libraries and the ASP.NET programming model. ASP.NET also provides a rich data access model and data control support. Silverlight is another interesting option based on .NET and WPF, as it is supported by a wide variety of browsers and provides similar rich user interface experiences. It can also be run out of the browser, disconnected if necessary.
*** Update based on Comment Request ***
The big advantage to Silverlight out of browser, is that you get most of the Rich, windows application style functionality, with a web deployable model and tiny install (4-6MB). Silverlight also supports an auto update feature which is VERY nice if you have a large user base.
Microsoft's Official description (propaganda :) ) here
Silverlight Out Of Browser
Enables users to place their favorite Silverlight applications directly onto their PC and Mac, with links on the desktop and start menu—all without the need to download an additional runtime or browser plug-in. Further, the new experience enables Silverlight applications to work whether the computer is connected to the Internet or not—a radical improvement to the traditional Web experience. Features include:
Safe and secure. Leveraging the security features of the .NET Framework, Silverlight applications run inside a secure sandbox with persistent isolated storage. These applications have most of the same security restrictions as traditional web apps and so can be trusted without security warnings or prompts, minimizing user interruptions.
Smooth installation. Because Silverlight applications are stored in a local cache and do not require extra privileges to run, the installation process is quick and efficient.
Auto-update. Upon launch, Silverlight applications can check for new versions on the server, and automatically update if one is found.
Internet connectivity detection. Silverlight applications can now detect whether they have Internet connectivity and can react intelligently including caching a users’ data until their connection is restored.
A WPF browser application is a client side technology, rather than ASP(.NET) which is server-side. It is definitely not meant to replace it.
Using a WPF browser application one can provide a rich client inside the browser. However, this will only work when the whole .NET framework is installed. Another similar technology is Silverlight, which uses a very small (the installer about 5-6 MiB) framework, and is available to multiple platforms. It includes a small subset of .NET framework.
You can use it in external deployment considering the above requirements.
The following portion of the above selected comment is wrong:
and use IE to access the application, considerably limiting the size and scope of your audience
WPF in the browser (aka XBAP) works from Firefox (Mozilla) and Google Chrome. It was true about 2 years ago, but not today.
You could use XAML in Silverlight, if that's what you are looking for.
Plus the RIA Application templates make development quite neat.
How can I take full advantage of 64-bit architecture in my .NET 2.0 Web Applications and Console/Forms Applications?
I think there is not too much you can optimize in your managed .NET code regarding 32bit vs. 64bit architectures. This is because most of the differences and optimizations are most likely already implemented by the underlying VM. As mentioned in Programming for the 64 bit platform, the 64bit VM may perform better on larger data types (as long stored in one register).
The best gain of the 64 bit platform is the amount of memory your application can address. This means that your web application can support a larger number of active sessions and/or longer sessions. Also you can store more data in the application cache. So, keeping this in mind, you can re-architect your app.