Security :: AES Example / Implementing AES - Key Not Valid For Algorithm
Jun 21, 2010
I need an example on how to implement AES encryption/decryption in .NET. I've been googling but haven't yet found any good examples. I've for example found AES example whih after some research wasn't 100% AES. I have to make sure by AES encryption/decryption is 100% AES, as I have to send email to the authorities explaining how I use AES (with secret key all), so they can hire some encryption expert which verify that we encrypt/decrypt it correctly. So he can verify that the what I implemented in AES is actually 100%. I'm reading the AES standard and how it's to be implemted in .NET Here is some code I'm having trouble with:
[Code]....
Which throws an CryptographicException: Specified key is not a valid size for this algorithm.
PasswordDeriveBytes take 4 paramteres and return an encrypted key basead on 4 parameters: passPhrase, saltValue, hashAlgoithm and password iteration
I wonder what algorithm PasswordDeviveBytes are using, so I can tell someone who are not .NET programmer that this secretkey was made by that alogorithm and that he can use this algorithm also - And then he should get the same results as PasswordDeriveBytes method
can I change the password algorithm and still use the sqlMembershipProvider or do I have to create a new sqlMembershipProvider. If so, are they any step by step tutorials on how to do that.
I have a page that will receive an encrypted query string containing a user name, password & jobId, the problem is I don't want someone to be able to grab the encrypted url (browser history) and reuse it, so it has to change each time the page is requested.
The only way I can think of doing this is by having an encryption key associated with the the job and then change it after each time the page is requested. The client would either request the key or the entire url from a web service residing on my server.
Is this the best way to do this?
Is there a mutating encryption method out there I could use "out the box"?
I am rewriting my PHP website into C# .NET, and I need to be able to set the algorithm used by the CreateUserWizard / Membership Provider to SHA1 so that I can port all of the user accounts over without having to force them all to reset their passwords when this project is complete. At current glance it doesn't look like it is using SHA-1, and my Googlefoo is failing me.
I am planning to write a custom 'password reset control' that allows an Administrator to reset the user's password, while using the ASP.NET built-in 'login' and 'create new user' controls. For this reason, I will need the hashing algorithm (hopefully I can call some .NET class and method) to perform this.
I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.
Not sure if I'm posting the question in the right category.
1) I'm working in a project where encryption of data is high priority. Could some one suggest what would be the best encryption method to protect data from being cracked.
I'm using TCP/IP protocol.
2) Is HTTPS totally secured. If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?
I am about to deploy an ASP .NET application (developed with LINQ-to-SQL). I have taken following precautions: Database access via user with limited access, however, since application is to access the sensitive data, I can't deprive this limited access user from it Database server is not exposed to external network - is hiding behind DMZ and all external ports are blocked I have done thorough security testing of the web-application; SQL Injections, rights management, illegal data access (via post/get data tempering) Application is operating on SSL
1 - I am using ASP .NET authorization API; any recommendation for avoiding session hijacking (in case someone some-how gets to know the session key). Is there are way to change the authentication cookie less prone to threats? Say like, changing it after every request? (I know I am get very conscious about this particular item)
2 - Data in the database is not encrypted. To make things ultra-secure, I am thinking about implementing transparent data encryption. Can someone share his/her experience or a link about implementing data level encryption with SQL Server 2008 along with pros-and-cons?
3 - Recommendation for storing connection string in web.config. Is using integrated security better then using encrypted database connection string?
I am developing a web application using asp.net 4.0, vb.net 4.0 and Sql-Server 2005 as backend. I want to implement read only or read/write permissions for a particular logged in user. Ex : I have a Purchase order page, now I want to assign only view permissions to a particular user and read/write permissions to another user. what would be the best way to do it ? Use authentication and authorization provided by .Net or implement custom authentication and authorization ?
I've set up a system with forms based authentication and using the asp:Login control. When I put in an invalid password I get the approriate invalid password message. However when I put in a valid password, it does nothing...just returns to the login page again. I'm triple checked the login info. There is no error message, and the invalid attempts counter doesn't increment. When I put a break point in the Login_LoggedIn event of the Login form, it hits it, but User.Identity.IsAuthenticated is false. I'm not 100% sure it should be true at this point, as I'm pretty new to .NET but it seems kind of odd.
My user database is stored in a sqlserver 2005 db that already existed. I've added a new connection for it.In the authorization I have
I have a site with about 4 pages or so. I was asked to implement a very simple security (check if user in database, if not kick out) using active directory and validating against a table of users. I was simply thinking of createing a master page and making all pages inherit that master page. I would then authenticate the users from the master page.
I am a newbie and using Visual Web Developer 2008 Express Edition developing a website with some SQL database and a membership folder.
The membership folder security was set via Website/ASP.NET Configuration and with Permission Deny for Anonymous users, and a user id and password was created.
However when running the website and login with the created userid and password, it failed to log in with error message "Your login attempt was not successful. Please try again." I suspect that the system could not find the ASPNETDB.MDF even though it is in the App_Data folder.
I have separately developed another website with Membership and User Login by following the example in ASP.NET Walkthrough in Learn Web Devbelopment, and it works ok.
I have an intranet site that is used to pull several other intranet applications/tools and database info to one place.One of the most popular features uses iFrames and jQuery tabs to give a broad overview of activities, signal etc in a network node. Chrome and Firefox eat it up with no problems, IE will work if you override the cookie policies that restrict 3rd party cookies without a valid p3p (what a worthless standard). IE also works if you already authenticated yourself on the individual sites and the session cookies are still valid.
I am trying to implement a small site which requires users to login using Forms based authentication. I have followed the tutorials found on various sites on the net and in particular the one at [URL] This enabled me to get a sample environment in place but it seems as though I am having a problem authenticating a user for which I know the username and password are correct.
I have a ASP.Net 3.5 site with my login.aspx form in a folder named login, my default.aspx in the root of the site and my protected content in a folder called main.
I am authenticating against a SQL Server Express database, so I have ran the aspnet_regsql.exe command to populate my database.
I have added the following authentication/authorization lines to my web.config
I believe that my connection string and my database are ok because if i use the ASP.NET Configuration from within Visual Studio I can create and manage my users and I can also see them in the tables in the SQL Server. Also if I do enter any incorect credentials in my login page the page tells me that the password is incorrect.
A question has been raised concerning password recovery revealing valid user ids. Stage 1 of the password recovery asks for a userid and when progressing to stage 2 will display an error message 'Invalid user id'. In theory this would allow valid user id'sto be identified.Is there a setting we are missing? Something that would allow the user id and question to be asked, then a message saying the 'User/Question combination is invalid'.
I have a custom oledb role provider that pretty much a cust and past of:
[URL]
except I've used oledb instead of odbc. I'm connecting to an oracle database and the tables have been created with out any issues. now if I go into the Website Administration Tool and try to create a new role I get the error
"Specified cast is not valid."
I can create a role directly in the database (through TOAD) and the role will show up in the .NET WAT, so I know it can make the connection and read the info just fine. I just can't create or delete or modify a role without the above error.
I am createing user dynamially with the below code; string MyPassword = Membership.GeneratePassword(8,0).ToString(); Membership.CreateUser(TextBox7.Text, MyPassword, TextBox8.Text); but before I start creating, I would like to check if the user name is used before or not.
I'm working on an ASP.NET project for the first time in about three years; in the meantime I've been working with Python/Django, PHP and Obj-C. Anyways, picked it right back up... except something that is totally killing me right now, and I have a feeling it must be staring me in the face:
I'm trying to bind to an LDAP server, for the purpose of authenticating users. The way it works here is, you bind on your own credentials, use that to find the Distinguished Name of the user you're authenticating, then you bind again on their DN and their password. If the bind is successful, the password was correct and the user can be authenticated.
Here's the problem - the first bind (on the fixed credentials, the ones with the ability to search for users and their subtrees) works fine. The search works fine. The second bind fails, no matter what, with the LDAP error INVALID_CREDENTIALS. This happens even when completely valid credentials are supplied.
Here's the code, with the usernames and passwords redacted, of course...
We are converting an ASP site (using DotNetNuke) to a new PHP site. The only thing we have right now is a full export of the existing database. One of the tables is called "aspnet_Membership" and contains the following fields:
Password (looks like base64) PasswordFormat (always value 2) PasswordSalt (looks like base64) PasswordQuestion (always empty) PasswordAnswer (always empty)
We would like to decode these passwords and hash them to fit our own framework. From what I understand from the .NET documentation these kind of passwords can be decrypted. Is there an algorithm available that can do this or is it more complicated than that? Will it be possible if we create an ASP script on the current server?
I created a user control for my web application that checks for Session Timeout. If the criteria are met for Timeout, I use Response.Redirect to send the user back to the login page. I include this user control in my Master page, and run the SessionTimeoutcode in the user control's Page_Init event. That all works great. However, once the user logs in again after time-out (and I have verified that the OnLoggedIn event does fire) the user is redirected to the DestinationPageUrl. That page runs the Session Timeout check when it loads (as it should) and the Session Timeout code "says" that the session is still timed-out.
I need an algorithm to determine who match who in the tournament bracket, say I have 32 ( number could be flexible) contestants seeded 1 to 32, at round 1, seed 1 matches with 32, seed 2 with 31 and so forth. What about 2nd, 3rd, 4th and 5th round? I need an algorithm to be programmed into computer.
Using sha As New SHA256Managed Using memStream As New MemoryStream(Encoding.ASCII.GetBytes("Hello World!")) Dim hash() As Byte = sha.ComputeHash(memStream) Dim res As String = Encoding.Default.GetString(hash) End Using End Using
I have been unable to recreate the same hash for the same values with these two bits of code.
The javascript implementation returns: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
and the vb.net example returns: ƒeñüS-ÁHÖ]ü-KÖw(JÝÒ mi"
What am I missing? I assume it's something to do with the character encoding?
