I have a classic asp site with a shop and I have to migrate to the new SHA256 method (in Spain it's Redsys the company who provide the TPV service). It's a Spanish site but I suppose the problem is for everybody.
They have libraries for php and asp.net but no for classic asp.
The problem is when you create the signature. In the manual they say:
decode a string with BASE 64
Do a 3DES encryption
Calculate de HMAC SHA256
Encode in BASE 64
Could somebody say where to find the libraries for that (free please)
Here you can download and use the RedSysAPI libraries for ASP Classic sites: https://github.com/ictmanagement/redsysHMAC256_API_ASP
It implements all the required steps for comunicating with RedSys servers, and you can use the same official documentation because the API interface is the same that RedSysAPI_PHP. You have also examples.
The most important is that you are not required neither to install any ActiveX in your server, nor install PHP.
I hope it will be usefull for you!!
They won't tell you how to calculate the signature (like they did with the SHA1 implementation). Your only solution will be to use the APIs they provide. They have PHP, Java and ASP.NET covered but they're still working on the API for classic ASP, so you'll have to wait!
Don't worry about the cut-off date of 23rd of November, they'll keep SHA1 online for a whole lot longer as they're completely missed their own deadlines.
Related
My question is about encrypting data in classic ASP and what the best course of action would be to encrypt text (not passwords) for storage and then allow all users to have access to the data (decrypt it). Basically the project consists of a classic ASP application that allows users to create accounts and see messages from other users. These messages need to be encrypted before being stored.
I have found some classic ASP encryption methods including Microsoft CAPICOM but the website points to a link where the download can be found for it and actually is a dead link. https://msdn.microsoft.com/en-us/library/ms995332.aspx
I have also seen some other forums posts mention creating a .net web service that will handle the encryption/decryption process which can be called from the classic ASP files.
I also stumbled on another concept which does not use the public/private key and uses an approach and uses a shared private key?
So I am hoping someone might know what method is best to try and accomplish this.
You only had to Google CAPICOM download.
Site: Download Center: Platform SDK Redistributable: CAPICOM
This download contains the redistributable files for CAPICOM 2.1.0.2 and samples of its use. CAPICOM can be used to digitally sign data, sign code, verify digital signatures, envelop data for privacy, hash data, encrypt/decrypt data and more.
Version: 2.1.0.2 File Name: capicom_dc_sdk.msi
Date Published: 9/26/2016 File Size: 1.8 MB
See also: Alternatives to Using CAPICOM
I have been tasked to integrate a Classic ASP website with the SageOne API. As part of their authentication you are required to provide a HMAC-SHA1 signature. I've found how to do this with SHA256 here: hash_hmac in using pure classic ASP, which worked in that it produced the hash, but was not valid for the API. I've found similar code for SHA1 here: https://precompiled.wordpress.com/2007/11/26/hmac-sha1-encryptie-onder-classic-asp/ but unfortunately the link to the required wsc file is no longer valid. I've not been able to find it elsewhere. Has anyone come across this file elsewhere? Or could anyone point me towards an alternative way of doing this?
Your sha1.wsc can be found at https://github.com/chakphanu/labs/blob/master/classic-asp-s3/sha1.wsc
I will not include it here as I don't want to examine the license requirements.
I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but i'm still scared that people will be able to get the web.config.
Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.
The attack that was shown in the
public relies on a feature in ASP.NET
that allows files (typically
javascript and css) to be downloaded,
and which is secured with a key that
is sent as part of the request.
Unfortunately if you are able to forge
a key you can use this feature to
download the web.config file of an
application (but not files outside of
the application).
Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET
"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.
Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."
(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)
Scott Guthrie has a post which explains it to some extent.
This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/
also read this:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
afaik it goes like this:
these are hit: webresource.axd and scriptresource.axd, both use an encrypted/signed value that asp.net tries to check if its valid
because of differences in the response when the files are or not valid, they can make the padding attack.
once the attack is successful they can generate a request for a resources as if it were originally emitted from asp.net
Now, as far as I knew, both of those are supposed to serve embedded resources, but I guess that's not the case (Scott Gu did mention in his post's comments those are the ones being used in the attack showed).
The following post may be interesting for this thread:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
Are there any ways to encrypted a project in ASP.NET, so my customers can not change change the function where it checks the license code?
No, it is not possible.
You can implement certain things that make it more difficult for customers to reverse or alter your program, in order such that it becomes cost-prohibitive to attempt such reversing or altering. But you cannot prevent them, if they are sufficiently determined, from reversing or altering your program.
Take a look at Eziriz's .NET Reactor. It's pretty good at protection. From ther site:
.NET Reactor prevents decompilation by
a variety of methods which convert
your .NET assemblies into processes
which no existing tool can decompile (
and which are also very likely to
prevent decompilation by any future
tool). .NET Reactor builds a native
code wall between potential hackers
and your .NET assemblies by producing
a file which cannot be understood
directly as CIL. Because the CIL in
your assembly is emitted intact only
at run time or design time (in a form
in which the source is completely
inaccessible), no tool is capable of
decompiling .NET Reactor protected
assemblies.
The native code wall created by .NET
Reactor between the hacker and your
source includes industry leading
NecroBit technology, which is
exclusive to .NET Reactor. .NET
Reactor's protection has never been
broken since the first release in
2004. These technologies make reconstruction of your source code
more difficult by so many orders of
magnitude that NecroBit is by far the
most effective protection you can use
for .NET assemblies.
Not if the customers are persistent and have even a modicum of skill. Obfuscation can only get you so far. Any .Net assembly can be decompiled.
See here for info:
https://web.archive.org/web/20210802164013/https://aspnet.4guysfromrolla.com/articles/080404-1.aspx
Added
Also, see this previous question:
.NET obfuscation tools/strategy
use Dotfuscator Community Edition that ships with VS. Also put checksum function to check if your EXE is changed or not.
I'm building a web application that most allow the user to digitally sign PDF documents with certificates installed in the client machine.
The document, once signed, should be posted back to the server, where it will store the signed version.
The server is running Classic ASP/ASP.NET
Where should I go?
Try Adobe LiveCycle Designer
This comes with the Adobe Master Suit and has all the capabilities for ES. It works with PKI infrastructure and will Publish "certified" PDF documents that prove authenticity for recipients. It's better to start with something that already exists.
Our SecureBlackbox library has a distributed cryptography add-on which does what you need. Client-side modules that do signing can be extended by the user (we provide complete source code). You will find detailed description of the add-on on our site or in this SO answer.
I actually built a system just like this into our web application. Here are some links I found tremendously helpful in doing so:
http://www.codeproject.com/KB/vb/Digital_Signatures.aspx
http://www.devx.com/security/Article/17249/0/page/2
http://www.example-code.com/vbdotnet/digSig1.asp
http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html
http://livedocs.adobe.com/livecycle/es/sdkHelp/programmer/sdkHelp/wwhelp/wwhimpl/common/html/wwhelp.htm?context=sdkHelp&file=signaturesSigning.90.4.html
http://www.c-sharpcorner.com/UploadFile/Gowri%20S%20Paramasivam/Cryptography211242005003308AM/Cryptography2.aspx
I would use iTextSharp to sign the PDF. iTextSharp is free and open source. Take a look at the sample code signing PDF http://itextpdf.sourceforge.net/howtosign.html I have used iTextSharp before reliably.
Look for java libraries to sign PDF documents. You can deploy them in an applet which should fit in your web application. If users need to preview the PDF documents before signing them then look at the java bean jPDFNotes from Qoppa Software (Disclosure: I'm affiliated with this company). If the documents can be signed without preview, look at their other libraries jPDFFields or jPDFProcess. There is also iText an open source library but iText doesn't support viewing documents so it will only work in the second scenario.
Go to http://www.certisign.com.br/ they have the answer for you. CertSign has API's and training to enable digital certification.
This place did exactly what you need when I renewed my digital CPF http://loja.certificadodigital.com.br/Serasa/Serasa-Certificados-Digitais/D1
I use to write the FDF to PDF programming from Adobe FDF toolkit. I could take the full version of Acrobat Pro and use a W-2 , I-9 Federal Forms place fields and a signature box and with Topaz Systems signature pads, based on pressure points, angles etc... the activex algorithm would save the signature and everything into the sql server database, and i could go the other way and populate a PDF from SQL Server.
We do this using Silverlight with BouncyCastle in the client and iTextSharp in the server.