Security
Slashdot recently reported on a post on Bruce Schneier's blog which reports that the SHA-1 hashing algorithm has been ‘broken’ by a team in China (wonder why they were working on it) – this is a pretty big deal; SHA-1 is the NSA / NIST standard for hashing algorithms right now – though recently they announced that they’ll be recommending the stronger SHA-512 and SHA-256 variants (properly called SHA-2 variants) soon – good timing! For most common applications though where there’s a possibility of collision after 2^69 (590295810358705651712) hash operations compared to 2^80 (1208925819614629174706176) really isn’t that bad then...
Following on from Part 3, Eric Lippert has posted Part 4 of his series of posts on Hashing and security; he also discusses Kerberos... If you're really into this sort of stuff but not from an overly mathematical background (like me) the best book I've found on Cryptography is Practical Cryptography by Niels Ferguson and Bruce Schneier; this covers pretty much everything the non-NSA employee could need to know about this topic.
This is a great series of articles - I posted on this previously - part 3 covers why you should use a salt (and I've mentioned how to generate them recently). These really are excellent articles!
Oh, thought I should mention, if you're just looking for a really simple way to generate an alphanumeric hash for a password (as opposed to a byte array), the ASP.NET framework has a handy (if extensively named) method for doing this: FormsAuthentication.HashPasswordForStoringInConfigFile
Just been reading what looks like the second part in a series on security from Eric Lippert on the use of hashes for protecting password information (first part is here). I find this especially interesting since I've recently designed a system which uses salted-hash (as opposed to sticky-black hash which is a whole different thing ;-)) as a method to protect user passwords. As it turned out it wasn't all that easy to do this in .NET; of course it might just be me... anyway here's the little function I came up with for hashing passwords (with a...
So, Slashdot got a hold of the story about the ASP.NET vulnerability (the backslash bug), as usual they're loving it over there. What I haven't seen much of though is mention of the fact that many sites were never affected by this - reason? URLScan for IIS 5 and IIS 6 (which incorporates much of URLScan already) have always blocked this type of attack - remember, URLScan was released in 2001 and it blocks a host of malformed URL type attacks (there've been a bunch before). The current Microsoft advice is to add some code to each ASP.NET application, fine -...
Well, seems my DNS provider uses some kind of procedure which can be prone to failure. Anyway, my DNS stuff is now functional again - yay! My plan for today is now to move on to playing a bit more with reflection and attributes... this could get interesting! Oh, in case you're wondering, I'm playing with the Provider Pattern for a project I'm working on, also looking at doing some sort of low-maintenance security model for 'operational' security on method calls; so I can define that a particular method requires that my system provides the 'Edit' permission for that user / object before...
Read on Stefan Demetz's blog about a movement afoot to lobby Microsoft to change how textboxes allow passed in data. See here for the comment. Sorry but I think this is a plain awful idea and is very reminiscent of the horrible RequestValidation nonsense introduced in .NET 1.1. I am in favour of a simple method of encrypting and validating QueryString input such as presented here (apart from the fact that it used 3DES - DO NOT DO THIS! 3DES is MUCH slower and not as secure as AES). So what's my problem with changing the default behaviour of input controls? Simple, three...
From Gareth Brown, a very handy little tool which I can think of a dozen uses for right now - a pronounceable password generator.
I'm aware this is a fairly controversial viewpoint, I should explain some of my own background as a precursor to my dislike of this. In the bad old days, I was a penetration tester; I ran my own little company which provided this service to a number of customers, my job was to essentially crack / in other ways break web sites and 'other' networks. In my time as a pen tester, one of the most annoying things was flaws which could affect a huge number of sites / installations at the same time, classics were Cisco password flaws, Perl and PHP...