ASP.NET Security: 8 Ways to Avoid Attack : Page 3

Adding security to Web apps may not be great fun, but it doesn't have to be hard. You can easily ensure your apps meet today's best practices by applying eight principles for secure Web development.

Tip 4—Use Hashing to Store your Passwords
I have seen a number of cases where developers simply store users' passwords in plain text. This is a dangerous thing to do; if your SQL Server is compromised, you run the risk of exposing all the passwords. (There are those who argue that if your database server is compromised, it doesn’t matter how you save your passwords—they are no longer secure).

A much better way to store passwords in your database is to use hashing. Hashing is a one-way process that maps data (plain text) of any length to a fixed-length byte sequence, called a hash. Statistically, two different pieces of data will not generate the same hash, and a hash cannot be used to recover the plain text. When saving passwords in the database, saving the hash value of each password is preferred over saving the plain password. When a user logs in, the hash value of the supplied password is computed and compared to the hash value stored in the database. In this case, even if the database server is compromised, the attackers have no way of knowing the users’ real passwords (though they could still replace the hash value of a user’s password with one they generated themselves and gain unauthorized access).

The following function shows how to use the SHA1 hash algorithm implementation in the .NET Framework:

    Imports System.Security.Cryptography

    ' Computes the SHA1 digest of the supplied bytes and returns it
    Public Function ComputeHashValue(ByVal data() As Byte) As Byte()
        Dim hashAlg As SHA1 = SHA1.Create()
        Dim hashvalue() As Byte = hashAlg.ComputeHash(data)
        Return hashvalue
    End Function
You could derive the hash value of a password like this:

    Imports System.Text   ' for Encoding

    Dim hashValue() As Byte
    hashValue = ComputeHashValue(Encoding.ASCII.GetBytes(txtPassword.Text))
The hash value could then be stored in place of the user’s password.
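Salted, iterated password hashing, as an added example that is not code from the original article: it goes beyond the snippet above by replacing a bare SHA1 of the password with PBKDF2 (Rfc2898DeriveBytes), a random per-user salt stored next to the hash, and a constant-time comparison at login. It assumes System.Security.Cryptography on .NET Core 2.1 / .NET 5 or later (for CryptographicOperations.FixedTimeEquals and the HashAlgorithmName constructor overload); the salt size, hash size, iteration count and storage format are choices made here, not values from the article.

```vbnet
' Added example (not from the original article): salted PBKDF2 password storage.
' Assumes .NET Core 2.1 / .NET 5 or later; parameters below are choices, not article values.
Imports System
Imports System.Security.Cryptography

Public Module PasswordHashing
    Private Const SaltSize As Integer = 16              ' 128-bit per-user salt
    Private Const HashSize As Integer = 32              ' 256-bit derived key
    Private Const DefaultIterations As Integer = 100000 ' work factor; raise as hardware improves

    ' Returns a self-describing string "iterations.salt.hash" (salt and hash Base64-encoded)
    ' to store in the database in place of the plain password.
    Public Function HashPassword(ByVal password As String) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using kdf As New Rfc2898DeriveBytes(password, salt, DefaultIterations, HashAlgorithmName.SHA256)
            Dim hash() As Byte = kdf.GetBytes(HashSize)
            Return String.Format("{0}.{1}.{2}", DefaultIterations, _
                                 Convert.ToBase64String(salt), Convert.ToBase64String(hash))
        End Using
    End Function

    ' Recomputes the hash from the stored salt and iteration count and compares it in
    ' constant time, so response timing does not leak how many bytes matched.
    Public Function VerifyPassword(ByVal password As String, ByVal stored As String) As Boolean
        Dim parts() As String = stored.Split("."c)   ' Base64 never contains '.', so this is safe
        If parts.Length <> 3 Then Return False
        Dim iterations As Integer = Integer.Parse(parts(0))
        Dim salt() As Byte = Convert.FromBase64String(parts(1))
        Dim expected() As Byte = Convert.FromBase64String(parts(2))
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256)
            Dim actual() As Byte = kdf.GetBytes(expected.Length)
            Return CryptographicOperations.FixedTimeEquals(actual, expected)
        End Using
    End Function

    Sub Main()
        Dim stored As String = HashPassword("correct horse battery staple")
        Console.WriteLine(stored)
        Console.WriteLine(VerifyPassword("correct horse battery staple", stored))
        Console.WriteLine(VerifyPassword("wrong password", stored))
    End Sub
End Module
```

Because the salt differs per user, two users with the same password get different stored values, and someone who obtains the table cannot test one candidate password against every row with a single hash computation, which an unsalted SHA1 of the password allows. Storing the iteration count with the hash lets you raise the work factor later and re-hash users as they log in.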

Tip 5—Encrypt Sensitive Data
ASP.NET Web developers know that it is sometimes useful to store information such as database connection strings in the Web.config file rather than hardcode them in the application. Doing so allows the database server to be changed without modifying and recompiling the application. However, storing sensitive information such as the connection string (which may contain a user name and password) in plain text in the Web.config file is not a very good idea, as Web.config is an XML document stored as a text file and thus easily read.

So, a safer way would be to encrypt the sensitive information and store the ciphertext in the Web.config file. There are two types of encryption algorithms that you can use:

  • Symmetric
  • Asymmetric
Symmetric algorithms encrypt and decrypt information using a common key. This is a simple and efficient way of encrypting and decrypting information. However, the use of a common key makes it less secure if more than one party needs to know the key.

Asymmetric algorithms encrypt and decrypt information using a pair of keys: a private key and a public key. Data encrypted using the public key can only be decrypted using the private key, and vice versa. Asymmetric algorithms are much more complex and computationally expensive. However, they are also much more secure than symmetric algorithms.

Listing 1 shows the use of the Rijndael symmetric encryption algorithm implementation in .NET. Listing 2 shows the RSA asymmetric encryption algorithm implementation in .NET.

The functions shown in Listings 1 and 2 will allow you to encrypt the sensitive data in your Web application, especially configuration and XML files. Listing 3 shows the supporting function used by the functions in Listings 1 and 2. The supporting function converts a string to a byte array. For example, it converts the string "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16" to the byte array {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}.

For asymmetric encryption, you need to first create the pair of private and public keys:

        Imports System.Security.Cryptography

        '===========For Asymmetric use=============
        Dim publicKey, privateKey As String
        Dim RSA As New RSACryptoServiceProvider()   ' generates a fresh key pair
        publicKey = RSA.ToXmlString(False)  ' get public key only
        privateKey = RSA.ToXmlString(True)  ' get private key (includes private parameters)

        '===========Asymmetric Encryption=============
        Dim cipherText As String = AsymmetricEncryption _
                  (txtAsyPlainText.Text, publicKey)

        '===========Asymmetric Decryption=============
        Dim plainText As String = AsymmetricDecryption _
                  (txtAsyCipherText.Text, privateKey)
For symmetric encryption, you need a 16-byte key and Initialization Vector (IV):

        Dim Key, IV As String
        Key = "0123456789ABCDEF"   ' placeholder 16-character key (not from the article); load the real key from protected storage
        IV = "1234567890123456"    ' 16-character initialization vector
        Dim cipherText As String = SymmetricEncryption _
                  (txtSyPlainText.Text, Key, IV)

        Dim plainText As String = SymmetricDecryption _
                  (txtSyCipherText.Text, Key, IV)
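The following is an added example rather than the article's Listings 1 to 3 (which are not reproduced on this page). It keeps the article's function names but goes beyond its snippets: the AES key is passed as a byte array, a fresh random IV is generated for every message and stored in front of the ciphertext instead of being fixed in source, and RSA is applied the way asymmetric encryption is usually used for data, to wrap the symmetric key rather than the data itself. It assumes System.Security.Cryptography on .NET Core 3.0 / .NET 5 or later (where RSA.FromXmlString and ToXmlString are implemented), generates all keys at run time, and uses a constructed connection string as sample input.

```vbnet
' Added example (not the article's Listings 1-3): AES-CBC with a random per-message IV,
' and RSA-OAEP used to wrap the AES key. Assumes .NET Core 3.0 / .NET 5 or later.
Imports System
Imports System.Security.Cryptography
Imports System.Text

Public Module ConfigEncryption
    ' Encrypts plainText under a 16-, 24- or 32-byte AES key. The IV is generated fresh
    ' for every call and prepended to the ciphertext, so it never has to be hardcoded.
    Public Function SymmetricEncryption(ByVal plainText As String, ByVal key() As Byte) As String
        Using alg As Aes = Aes.Create()          ' CBC mode with PKCS7 padding by default
            alg.Key = key
            alg.GenerateIV()
            Dim cipherBytes() As Byte
            Using encryptor As ICryptoTransform = alg.CreateEncryptor()
                Dim data() As Byte = Encoding.UTF8.GetBytes(plainText)
                cipherBytes = encryptor.TransformFinalBlock(data, 0, data.Length)
            End Using
            Dim output(alg.IV.Length + cipherBytes.Length - 1) As Byte
            Buffer.BlockCopy(alg.IV, 0, output, 0, alg.IV.Length)
            Buffer.BlockCopy(cipherBytes, 0, output, alg.IV.Length, cipherBytes.Length)
            Return Convert.ToBase64String(output)
        End Using
    End Function

    ' Reads the IV back from the front of the ciphertext and decrypts the remainder.
    Public Function SymmetricDecryption(ByVal cipherText As String, ByVal key() As Byte) As String
        Dim input() As Byte = Convert.FromBase64String(cipherText)
        Using alg As Aes = Aes.Create()
            alg.Key = key
            Dim ivLength As Integer = alg.BlockSize \ 8
            If input.Length < ivLength Then Throw New ArgumentException("ciphertext too short")
            Dim iv(ivLength - 1) As Byte
            Buffer.BlockCopy(input, 0, iv, 0, ivLength)
            alg.IV = iv
            Using decryptor As ICryptoTransform = alg.CreateDecryptor()
                Dim plain() As Byte = decryptor.TransformFinalBlock(input, ivLength, input.Length - ivLength)
                Return Encoding.UTF8.GetString(plain)
            End Using
        End Using
    End Function

    ' Wraps a short secret (here the AES key) with the recipient's RSA public key using
    ' OAEP padding. Only the holder of the matching private key can recover it.
    Public Function AsymmetricEncryption(ByVal data() As Byte, ByVal publicKeyXml As String) As String
        Using rsaKey As RSA = RSA.Create()
            rsaKey.FromXmlString(publicKeyXml)
            Return Convert.ToBase64String(rsaKey.Encrypt(data, RSAEncryptionPadding.OaepSHA256))
        End Using
    End Function

    Public Function AsymmetricDecryption(ByVal cipherText As String, ByVal privateKeyXml As String) As Byte()
        Using rsaKey As RSA = RSA.Create()
            rsaKey.FromXmlString(privateKeyXml)
            Return rsaKey.Decrypt(Convert.FromBase64String(cipherText), RSAEncryptionPadding.OaepSHA256)
        End Using
    End Function

    Sub Main()
        ' Key pair for the party that will read the secret (generated here for the demo).
        Dim publicKey, privateKey As String
        Using rsaKey As RSA = RSA.Create(2048)
            publicKey = rsaKey.ToXmlString(False)
            privateKey = rsaKey.ToXmlString(True)
        End Using

        ' A random 256-bit AES key; in a real deployment it comes from a protected store.
        Dim aesKey(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(aesKey)
        End Using

        ' Constructed sample secret, not a real connection string.
        Dim connectionString As String = "Server=db;User Id=app;Password=example-secret"
        Dim cipherText As String = SymmetricEncryption(connectionString, aesKey)
        Dim wrappedKey As String = AsymmetricEncryption(aesKey, publicKey)
        Console.WriteLine("ciphertext:  " & cipherText)
        Console.WriteLine("wrapped key: " & wrappedKey)

        ' The reader unwraps the AES key with the private key and then decrypts the data.
        Dim recoveredKey() As Byte = AsymmetricDecryption(wrappedKey, privateKey)
        Console.WriteLine(SymmetricDecryption(cipherText, recoveredKey))
    End Sub
End Module
```

With the fixed IV string in the snippet above, encrypting the same value twice yields the same ciphertext; a per-message IV avoids that, and the IV need not be secret, so storing it in front of the ciphertext is fine. Wrapping the AES key with RSA rather than encrypting the data directly also sidesteps the RSA message-size limit (a 2048-bit key with OAEP-SHA256 holds at most 190 bytes). For Web.config specifically, ASP.NET 2.0 and later also ship protected configuration sections (aspnet_regiis -pe), which encrypt a section in place with DPAPI or RSA and decrypt it transparently at run time without application code.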
Because SOAP messages are sent in plain text, Web services could also benefit from encryption. Instead of using SSL to protect the entire communication path (which is overkill), you could use encryption to protect sensitive information such as credit card numbers from prying eyes.