Re: Web app security
- From: "SAL" <SAL@xxxxxxxxxxxxx>
- Date: Thu, 30 Oct 2008 15:07:35 -0700
Steven,
thanks for your pointers. What we wound up doing is I built a .NET assembly
for his use that handles the encrypting and decrypting.
He's able to use that in his app without having to go through any http pipes
or anything encrypting the password. He then passes the encrypted password
to me for authentication and I decrypt it. Then I just use the Membership
class to validate the user.
Using this method, we can both use our respective, native authorizing
environments (me ASP.NET and him ColdFusion) and we don't have to change
much in our apps.
S
""Steven Cheng"" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:k4cdbzKOJHA.356@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi SAL,
From your description, I understand that you're encountering some problem
making the .NET AES encryption work together with the AES encryption
component in the Adobe ColdFusion system, correct?
Based on the code snippet and encrypt info you provided, I think here is
something we need to clarify first:
#AES supports various key lengths and may have a customized chain mode; you
can print the default settings (when you create the RijndaelManaged provider)
and confirm the settings with your ColdFusion side guys:
==================
RijndaelManaged AESP = new RijndaelManaged();
string str = string.Format("feedback mode:{0},key size:{1},Padding:{2}",
    AESP.Mode.ToString(), AESP.KeySize, AESP.Padding);
MessageBox.Show(str);
==================
here is the output from my side:
---------------------------
feedback mode:CBC,key size:256,Padding:PKCS7
---------------------------
In addition, when you use .NET AES (RijndaelManaged provider) to perform
encryption, two parameters are very important: the Key and IV (initial
vector). I suggest you ask the fusion guy to directly give you the two
things (better in byte array format/hex encoded) which can be directly
passed into the AES provider's Key and IV properties. Therefore, it's much
more convenient for you to first test out whether the main AES provider
settings are correct. After that, we can move onto the password derived
approach.
BTW, in your code, you first use Unicode Encoding to convert string to
bytes; you need to also confirm with the Fusion guys whether they also use
unicode encoding or only use base64 encoding for all string-bytes
conversion. This is also very important.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
--------------------
From: "SAL" <SAL@xxxxxxxxxxxxx>
Subject: Web app security
Date: Mon, 27 Oct 2008 14:45:49 -0700
Hello,
at our company we have two different web development platforms, ASP.NET and
ColdFusion.
We are trying to merge security between the platforms to provide a security
blanket, so-to-speak, around all our apps.
We are trying to come up with the same encryption for a simple string with a
simple Key using AES encryption. Since AES uses Rijndael I'm using that
algorithm.
I admit my understanding of this is very limited but here's what we are
trying. The ColdFusion guy says he has different encoding options when using
AES, one being Base64 encoding.
We are trying to encrypt the following string and come up with the same
results:
string = 'mystring'
password = 00000000000000000000000000000000
Salt = ALgzpd1HvwRonMPzOPDp7g==
I've read through the docs a few times and am still not making sense of
this. I need to be able to match the ColdFusion guy's output. He's
outputting:
Using Base64 encoding:
sZ4SKYHMO6At4GJP1i+QFA==
The docs for his function are at:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_e-g_01.html
He is not passing in the iterations argument.
So, I am using the following code:
The first function calling the second one.
using System;
using System.IO;
using System.Security.Cryptography;

// The two methods are wrapped in a class here only so the snippet compiles;
// the class name is a placeholder, not from the original post.
public static class StringCrypto
{
    public static string Encrypt(string clearText, string Password)
    {
        // First we need to turn the input string into a byte array.
        // (Encoding.Unicode is UTF-16LE, so "mystring" becomes 16 bytes, not 8.)
        byte[] clearBytes = System.Text.Encoding.Unicode.GetBytes(clearText);
        // The Base64 salt text itself is encoded here, not decoded: 24 chars -> 48 bytes.
        byte[] salt = System.Text.Encoding.Unicode.GetBytes("ALgzpd1HvwRonMPzOPDp7g==");
        PasswordDeriveBytes pdb = new PasswordDeriveBytes(Password,
            new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64,
                         0x76, 0x65, 0x64, 0x65, 0x76 });
        // 32 zero bytes, used below as the 256-bit key.
        byte[] b = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
                     0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
                     0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
                     0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
        // I've tried it both ways here using the salt for the second argument for
        // the pdb passwordDerivedBytes constructor.
        byte[] encryptedData = Encrypt(clearBytes, b, salt);
        //byte[] encryptedData = Encrypt(clearBytes, pdb.GetBytes(32), pdb.GetBytes(16));
        return Convert.ToBase64String(encryptedData);
    }

    public static byte[] Encrypt(byte[] clearData, byte[] Key, byte[] IV)
    {
        // Create a MemoryStream that is going to accept the encrypted bytes
        MemoryStream ms = new MemoryStream();
        // Create a symmetric algorithm.
        // We are going to use Rijndael because it is strong and available on all platforms.
        // You can use other algorithms, to do so substitute the next line with something like
        // TripleDES alg = TripleDES.Create();
        Rijndael alg = Rijndael.Create();
        // I tried this next line to no avail
        //alg.Mode = CipherMode.ECB;
        alg.Key = Key;
        // IV is not assigned, so the provider uses a freshly generated random IV.
        //alg.IV = IV;
        // Create a CryptoStream through which we are going to be pumping our data.
        // CryptoStreamMode.Write means that we are going to be writing data to the stream
        // and the output will be written in the MemoryStream we have provided.
        CryptoStream cs = new CryptoStream(ms, alg.CreateEncryptor(), CryptoStreamMode.Write);
        // Write the data and make it do the encryption
        cs.Write(clearData, 0, clearData.Length);
        cs.Close();
        byte[] encryptedData = ms.ToArray();
        return encryptedData;
    }
}
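As an added example (not code from either poster), the following C# makes every parameter Steven lists explicit: it prints the RijndaelManaged defaults to send to the other side, fixes mode, padding, key and IV, and takes the text encoding as a parameter so the UTF-16 ("Unicode") versus UTF-8 difference is visible. The key is the 32 zero bytes SAL used as `b`; using the post's Base64 "Salt" value decoded as a 16-byte IV is an assumption made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: all AES parameters are set explicitly so the .NET side and the
// ColdFusion side can compare them value by value instead of guessing defaults.
public static class AesInterop
{
    // Constructed sample material: the 32 zero bytes SAL used as key "b", and the
    // post's Base64 "Salt" decoded to 16 bytes and used here as the IV (assumption).
    static readonly byte[] Key = new byte[32];
    static readonly byte[] IV = Convert.FromBase64String("ALgzpd1HvwRonMPzOPDp7g==");

    // The check Steven suggests: dump the provider defaults to send to the peer.
    public static string DescribeDefaults()
    {
        using (var aes = new RijndaelManaged())
            return string.Format("mode:{0},keysize:{1},padding:{2},blocksize:{3}",
                aes.Mode, aes.KeySize, aes.Padding, aes.BlockSize);
    }

    static RijndaelManaged Configured()
    {
        var aes = new RijndaelManaged();
        aes.Mode = CipherMode.CBC;        // the default, but state it: both sides must agree
        aes.Padding = PaddingMode.PKCS7;  // likewise
        aes.Key = Key;                    // 32 bytes, so KeySize becomes 256
        aes.IV = IV;                      // left unset, .NET generates a random IV per call
        return aes;
    }

    // The text encoding is a parameter: "Unicode" (UTF-16LE) and UTF-8 bytes of the
    // same string are different plaintexts and therefore give different ciphertexts.
    public static string Encrypt(string clearText, Encoding textEncoding)
    {
        byte[] plain = textEncoding.GetBytes(clearText);
        using (var aes = Configured())
        using (var enc = aes.CreateEncryptor())
            return Convert.ToBase64String(enc.TransformFinalBlock(plain, 0, plain.Length));
    }

    public static void Main()
    {
        Console.WriteLine(DescribeDefaults());
        // Same string, two encodings, two different Base64 results.
        Console.WriteLine(Encrypt("mystring", Encoding.UTF8));
        Console.WriteLine(Encrypt("mystring", Encoding.Unicode));
    }
}
```

Once the other side confirms the same mode, padding, key bytes, IV bytes and text encoding, the Base64 outputs of both platforms can be compared directly; any remaining difference then points at one of those five inputs rather than at the algorithm.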