Questions tagged [.net]

A runtime, architecture, and libraries for Microsoft Windows used for creating applications.

372 questions
91 votes, 6 answers

Best place to store authentication tokens client side

When my users are authenticated they receive an authentication token, I need to use this authentication token to authorize some asp.net WebAPI calls. To do this I need to add the token to the head of that call, so I need the token accessible from…
jfamvg
68 votes, 21 answers

Lessons learned and misconceptions regarding encryption and cryptology

Cryptology is such a broad subject that even experienced coders will almost always make mistakes the first few times around. However, encryption is such an important topic that often we can't afford to have these mistakes. The intent of this question…
makerofthings7
51 votes, 9 answers

Writing my own encryption algorithm

I am currently studying IT at college (UK college aka not University) and the coursework is boring me to death. I have been coding for quite a while now mainly in OO languages such as C# and Java but often get bored and give up quickly because the…
Confuto
50 votes, 4 answers

How to approach replacing md5 for transporting Unity game data to a remote server

TL;DR I am working on a gaming system that uses UnityScript and C# on the client and PHP on the server. An MD5 hash of the data plus a shared secret is used to check that the data has not been modified in transit. Is MD5 good enough for this? What…
Martin
33 votes, 3 answers

Is using the username encrypted with the password as key a good password storage scheme?

On web applications I build I don't hash the passwords. Instead I symmetrically encrypt the username using the user's password and store the result in the password field. I use RijndaelManaged on dotnet. On login I do it again and check if there is…
Rudy
28 votes, 10 answers

Is obfuscation worth it

There are many tools to obfuscate .NET applications. The free ones do some basic obfuscation while commercial ones seem to promise more. My question is: Is it worth using the commercial obfuscation tools? Do they provide some security? I know…
user91560
27 votes, 2 answers

How to avoid using System.String with Rfc2898DeriveBytes in C#

I am creating a .NET core webapp in C# that takes in a user password and hashes it to be stored on a server. I'm using Rfc2898DeriveBytes along with a randomly generated salt. I've read, however, that I should avoid using strings in the entire…
Jeff
24 votes, 7 answers

What are the realistic, and most secure crypto for Symmetric, Asymmetric, Hash, Message Authentication Code ciphers?

I'm interested in updating this two pronged question for 2011: What cryptology is most appropriate for low-powered devices (such as a cellphone), and yet still effective? What cryptology is most secure for a .NET developer? In November of '08…
makerofthings7
22 votes, 1 answer

Is Rfc2898DeriveBytes using HMAC SHA1 still considered "secure enough" for hashing passwords?

I've been told by a CISSP that the .NET class Rfc2898DeriveBytes would not pass a security audit today because it still uses SHA1. Its reliance on SHA1 - even with the iterations - leaves it too vulnerable to brute-force cracking. For my own…
17 votes, 2 answers

Is it safe to use PBKDF2 for hashing?

I would like to get a few opinions on whether it would be safe or not to use PBKDF2 to generate a hash of a password. For my purposes I'd like to assume that the hash itself will be posted on the White House Twitter page (in other words it will be…
Razick
17 votes, 3 answers

Is there an equivalent of npm audit for nuget packages?

I'm working on a couple of large .NET web apps and would like to audit the packages used in them. For node projects I've used npm audit. This checks whether your npm packages or their dependencies have any known vulnerabilities. Is there a similar…
jamesj
16 votes, 2 answers

Secure big, old ecommerce website from XSS?

I'm working for an ecommerce website written in C#.net (no CMS used, quite a lot of code) where security hasn't been a priority for a long time. My mission right now is to find and fix any XSS breaches. There is a lot of non-filtered data written…
kyori
15 votes, 6 answers

Is PBKDF2-based System.Cryptology.RFC2898DeriveBytes() "better" for Unicode Password hashing than traditional methods?

When is it appropriate to use RFC2898DeriveBytes versus a typical hash? Update I now understand that a KDF is typically used to create a symmetric key for possible use in encrypting a stream. I also now understand that PBKDF2 obsoletes…
makerofthings7
15 votes, 5 answers

Is it safe to binary-deserialize user-provided data?

AppHarbor has a blog post containing sample C# code which reads data from an unsigned cookie and passes it through .Net binary serialization. Is that safe? Obviously, the data is completely tamperable. However, are there any risks in passing…
SLaks
12 votes, 5 answers

Gold Standard for password hashing

I'm developing a web application that will be dealing with highly sensitive information and I want to ensure the hashing of passwords is gold standard. Ideally I'd go for per-user salted SHA512 using PBKDF2 to carry out multiple iterations of the…
Drunk Goldfish