I am developing a asp.net application to use the HMAC encryption (SHA1). I do not want to store the encryption keys in .config files or in database. In .net is there any other alternatives to securely store the encrption keys
View 1 RepliesI want the encryption and decryption codes in C# for RSA, MD5 and HMAC-SHA1 for generated key.
View 1 RepliesNot sure if I'm posting the question in the right category.
1) I'm working in a project where encryption of data is high priority. Could some one suggest what would be the best encryption method to protect data from being cracked.
I'm using TCP/IP protocol.
2) Is HTTPS totally secured. If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?
I am encrypting data (health care industry) using the aes encryption classes in the .net framework. What are some of the recommended locations for safely storing the key? I have it in the web.config for development, but that does not feel production worthy, to say the least.
View 4 RepliesWe are designing a .net web application that has an external and internal site.
Both sites need to encrypt data only the internal site needs to decrypt data.
We are wondering what are the best practices for:
Which encryption method to choose?
Where to store the encryption / decryption key?
I am using a Query Encryption Technique shown in Thread[URL]I am facing a problem with the above module status bar always displays real URL,& when ever i right click on page then properties than Address URL shows Real URL
View 4 RepliesI would like to use the System.Security.Cryptography to encrypt / decrypt my passwords strings for my custom membership provider login.I've read some basic article's but they don't explain much about the process in detail. I've decided to use AES because it is said to replace DES encryption. How can I encrypt and decrypt my password strings in the strongest way possible with AES? I would really like a very detailed explanation about the method to use for this task.
View 1 RepliesIf a website is already using SSL, this guarantees a secure channel between the client and the website right. If I do another encrypt on the information being transmitted via HTTP POST would this be an overkill?
View 2 RepliesI inherited a ASP.Net website. Some changes need to be implemented. The login for the application is encrypted using the md5cryptoserviceprovider class. After upgrading to 2.0, the password is no longer encrypted the same as when it was 1.1.
I left the 1.1 virtual directory and it's still working. On the same box, I loaded the 2.0 code and setup a new virtual directory (which isn't encrypting the same as 1.1).
I copied the section below from the 1.1 machine.config section into the web.config and the 2.0 machine.config.
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
Here is the code that is generating the hash.
MD5CryptoServiceProvider encryptionServiceProvider = new MD5CryptoServiceProvider();
var bytes = ASCIIEncoding.ASCII.GetBytes(inputString);
what is two way encryption and how does that work ?
View 2 RepliesI have a hex string (encrypted)I need to use Rijndael classes with these settings:
Encryption: AES
I have a problem trying to encrypt a string in PHP and also in C# using DES (cbc) encryption. The problem I'm facing is that I'm getting different results using the different languages.In C#:
[Code]....
You can see that they are close...
PHP: HLp51qoFW0rimOTafCVTVQ==
C# : HLp51qoFW0ojU8eGEGkk4w==
But something is going wrong somewhere, I suspect it's a difference between (PHP) pack("H*", '0F26EF560F26EF56') and (C#) StringToBytes.ConvertHex("0F26EF560F26EF56") but I'm really struggling to spot it.
my code:
[Code]....
I have a stored encryption: "dkljas84u238jidasjidoia"When I get in this instance decryption "11111111111111111"show how the combobox "****************** 1111 "Something like: SELECT RIGHT ('11111111111111111 ', 4)
I'm just starting to really get into JSON as a tool for my sites. I was showing my friend how I am calling a WS and returning the data, and he asked me about security of passing JSON data to and from a web service as he saw the data from the "POST" (via Firebug). Many of our public facing sites deal with member information and contain PHI. Can I encrypt the JSON data and then unencrypt it? Is that a good way to go about it to ensure a layer of protection? Or is there another "better/right" way of doing it? Or are his concerns unfounded? Is there an article about how to encrypt or secure the JSON data when needed? Just trying to gather as much knowledge as possible before I go down a path that won't work for the company.
View 4 RepliesMy website has to connect to a hosted SQL Server database. The connectiostring, incluing username and password, is stored in the web config file.I have two questions.The first is that everything I read says this must be encrypted so that it cannot be read and used by others. Well, how would that happen. My understanding of ASP.net is that all the work is carried out on the hosted server and the rendered page is then delivered to the user. How would a user be able to view my connectionstring.Secondly, I have used some msdn vb.net code to encrypt the connection string in the web config file. Following on from the first question, how can I confirm that the encryption is intact on the published web.config file.
View 7 RepliesI am creating an application that will save financial data.I am in the process of creating an architecture for this application.I am stuck deciding wether to do encryption on the application side or SQL Server side. I am planning to use AESManaged algorithm for this.My requirement is such that the ecnryption key is unique for each user (based on user's password).I am of the opinion that it should be on the application server side as it becomes easily scalable. Another attractive thing that I find is that if my frontend is Silverlight then I can pass on the actual encryption load onto the client system.
View 7 RepliesI am trying to use both .NET Cryptography as well as SQL Symmetric Encryption with Triple DES, if it's possible. I was able to set up a test database with encryption on a single field like so:
[Code]....
I am using this because of SQL Reportas that are being ran and I don't have access to C# development within them. Now to insert the encrypted key what do I use? I found the following code on another post http://forums.asp.net/p/902066/1000988.aspx#1000988:
[Code]....
How do I modify OR what code do I use to Encrypt/Decrypt the SQL Encryption, does the SQL Encryption method need to change..Is it even possible?
I'm trying to encrypt username and password using a key file generated using enterprise library and every thing works fine, but the problem is that key can only be used on the mashine on which i have generated the key,eithor by machine mode or user mode, i want to ask if their any way to use encryption without using a key file ...
for example by machine key in web config..
I am trying to encrypt my passwords and store in database..i want to know which is the latest one..
View 2 Replieshow to encrypt a PIN in to 4 byte binary. The MD5 and other hashes I have known give the result as 8 or 16 byte. I need only 4 bytes because it is alloted only varchar(4) in the database.
View 3 RepliesI am trying to encrypt/decrypt a file with CAPICOM in javascript. I have to encrypt file with private key and decrypt with public key. But I dont know how to do this with CAPICOM.
View 1 RepliesThis is meant to be easy ...so ive been told, but still cant get it to work!I have a sql database hosted on a shared server which requires the use of sql authentication.As a result I require to encrypt my sensitive data in the config (connection strings etc).I understand that you can do this using aspnet_regiis etc, but ive been told that as I have no direct acccess to the server, I may need to program the encryption.
I have seen a few examples, but as a novice I have been banging away at this, looking at an errors screen most of the time!
I need to get message integrity by encrypting the data while dataflow between Service <-> client (by directional). Below are the details.
Development Environment: .net framework 4.0; Windows 7, IIS7, VS2010.
Production Environment: .net framework 4.0; Windows 2008, IIS7.
Business Requirement:
I have an WCF Service hosted in IIS7. There are multiple Windows Forms Application as clients to my service. Services will be consumed via internet.User, Role information are stored in SQL Server 2008 database. Need to Authenticate and Authorize requests agains the SQL Server database. Dataflow is bi-directional. Clients will write data to service. And also Service will serve data to clients Data transfered in wires must be encrypted, in both directions. My approch to solution:
Below is the configuration setting in Service web.config file.
<system.serviceModel> <bindings> <wsHttpBinding> <binding name="POCWsHttpBinding"> <security mode="Message"> <message clientCredentialType="UserName" negotiateServiceCredential="true" /> </security> </binding> </wsHttpBinding> </bindings> <services> <service behaviorConfiguration="POCServiceBehaviour" name="SecurityPOC.SecuredService"> <endpoint address="" binding="wsHttpBinding" bindingConfiguration="POCWsHttpBinding" name="POCwsHttpBindingEndPoint" contract="SecurityPOC.ISecuredService" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="POCServiceBehaviour"> <serviceMetadata httpGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="false" /> <serviceCredentials> <serviceCertificate findValue="CN=WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" /><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Common.MyCustomUsernamePasswordValidator, Common" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> </system.serviceModel>
Questions & Assumptions:
My assumption is that, client certificate is used for authentication. I am not using Certificates at Client side, becuase my client authentication will be done using UserNameValitions against the Database.
Am I write? Using only Server side Certificate, with negotiateServiceCredential="true".
Is it required is install Server certificate on client machines in this case?
I am assuming Server Certificate details will be downloaded to client site during the first call..
<security mode="Message">,
Assuming this setting takes care about the message security/encryption using the Server certificate, in both directions. As per my requirement, message must encryped on wire while tranfer between Server to client and while Client to Server.
Am I write?
My Last question...How to ensure that messages are being encripted on both directions, from Testing point-of-view. I need to take test evidences out of it.
I want to know how can I protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls.I want an encryption method for this process e.g. when storing password in the database form the register page and when comparing the password with stored password in database to varify a user in login page.
View 3 RepliesJust a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,