In this article I will show you how to create and use Digital Signatures in .NET.
A digital signature is a mathematical scheme that demonstrates the authenticity of a message or document. A valid digital signature gives the recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message (authentication and non-repudiation) and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement a digital analog to handwritten signatures. In broader terms this refers to any electronic data that carries the intent of a signature. Digital signatures employ a type of asymmetric cryptography. For messages sent through a non-secure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes, in the sense used here, are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret.
A digital signature scheme consists of three algorithms:
A key generation algorithm that generates a private and public key, such as RSA.
A signing algorithm that, given a message and a private key, produces a signature.
A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message’s claim to authenticity.
Two main properties are required. First, the authenticity of a signature generated from a fixed message and fixed private key can be verified by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party without knowing that party’s private key. A digital signature is an authentication mechanism that enables the creator of the message to attach a code that acts as a signature. It is formed by taking the hash of the message and encrypting the message with the creator’s private key.
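The three algorithms listed above, shown with the built-in RSA class. This is an added example, not code from the original article; it assumes a modern .NET runtime (.NET Core 3.0 or later) where RSA-PSS padding is available, and the messages are constructed samples. SignData hashes the message with SHA-256 and signs the resulting digest.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignatureDemo
{
    // Signing algorithm: hash the message with SHA-256, sign the digest with the private key.
    public static byte[] Sign(RSA privateKey, byte[] message) =>
        privateKey.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

    // Verifying algorithm: needs only the public key; returns false on any mismatch.
    public static bool Verify(RSAParameters publicKey, byte[] message, byte[] signature)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(publicKey);
        return rsa.VerifyData(message, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    }

    public static void Main()
    {
        // Key generation algorithm: a 2048-bit RSA key pair.
        // Only the public half is exported and handed to verifiers.
        using RSA signer = RSA.Create(2048);
        RSAParameters publicKey = signer.ExportParameters(false);

        // Constructed sample message.
        byte[] message = Encoding.UTF8.GetBytes("Pay 100 GBP to account 12345678");
        byte[] signature = Sign(signer, message);
        Console.WriteLine($"Original message verifies:      {Verify(publicKey, message, signature)}");

        // Integrity: changing a single character of the message invalidates the signature.
        byte[] tampered = Encoding.UTF8.GetBytes("Pay 900 GBP to account 12345678");
        Console.WriteLine($"Tampered message verifies:      {Verify(publicKey, tampered, signature)}");

        // Authenticity: a signature made with a different private key is rejected.
        using RSA other = RSA.Create(2048);
        byte[] wrongKeySignature = Sign(other, message);
        Console.WriteLine($"Other key's signature verifies: {Verify(publicKey, message, wrongKeySignature)}");
    }
}
```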
In this article I want to talk a little about Password Based Key Derivation Functions and their use in .NET. A Password Based Key Derivation Function, or PBKDF2 as it is known, is a way to encode passwords as an alternative to hashing functions which are susceptible to rainbow table attacks.
For this article though I am going to try a different method of explaining it. I am going to talk about this subject and do a little code demo by video. Yes, you have to suffer my voice and video editing. This video was actually recorded back in June, and the astute amongst you will notice that this looks very much like a Pluralsight video. Well, it is, kind of. This is one of my audition videos that I had to produce to become a Pluralsight author.
I was very pleased with the result seeing as it was my first time recording and editing a video / code demo, and Pluralsight were gracious enough to give me permission to post the video on my blog, but minus the Pluralsight branding, as it is not an official video of theirs.
Now that I have the video recording bug, plus I have paid for all the software and hardware etc., I may do more of these alongside my Pluralsight courses.
There has been a lot of panic in the press recently about a new vulnerability found in the Unix Bash shell that can allow an attacker to execute commands on a target machine. Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet processes, such as web servers, use Bash to process commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The training company Pluralsight has released a short 15 minute video explaining how the vulnerability works with a good example. It’s well worth a watch just so you understand what is going on with it.
That is quite a bold post title, but it turns out to be very true. I was sent a link on Sunday to a Google service called Location History, where you could log in (with your Google account) and for any given day it would show you where you were at any point in the day, or more accurately where a phone that was registered with Google was during the day. I think it is safe to assume this is just for Android devices, but I would be surprised if Apple isn’t doing this too.
Don’t believe me? Then look at the first image below:
This image shows my typical commute to work, in this case on Monday 7th July 2014. The data here is generally pretty accurate. There are a few points that are not quite right, but this is pretty damn close to my commute route to work via train. I don’t mind posting this, as you can find out the organisation I work for quite easily from this site and my LinkedIn profile. The image doesn’t show where I live though. I positioned that out of the view.
You read pretty much every day about some new virus, or a new attack against a person or company, but last week there was an attack against a company that can only be described as terrifying. The company attacked was Coventry (UK) based SVN hosting company CodeSpaces.
I read about this attack in The Hacker News. An attacker started a Distributed Denial of Service (DDoS) attack against the company, and also managed to gain access to their Amazon AWS and EC2 dashboard. The attacker then proceeded to hold them to ransom for a large fee to stop the DDoS attack. The company, naturally, tried to regain control of their system and started changing passwords. When the attacker realised what they were doing, he started deleting all the company’s data from the Amazon cloud servers, including all the backups.
I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter, and it is designed to make asymmetric encryption of data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community, so it should give you a level of comfort that it is secure in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives like AES, HMAC, PBKDF, and cryptographically secure random number generation.
First let’s look at some usage examples. The main object in the library to call is the Block Encrypter object and this contains methods that allow you to encrypt/decrypt strings or byte arrays of data.
Overview of the Library
The library itself is quite straightforward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object will then call out to the GzipCompression object, Aes object, and the ByteHelpers object.
The library is also well covered in unit tests that exercise the majority of the functionality.
In January 2012 we defeated the SOPA and PIPA censorship legislation with the largest Internet protest in history. Today we face another critical threat, one that again undermines the Internet and the notion that any of us live in a genuinely free society: mass surveillance.
In celebration of the win against SOPA and PIPA two years ago, and in memory of one of its leaders, Aaron Swartz, we are planning a day of protest against mass surveillance, to take place this February 11th.
Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.
I have now released version 1.1 of my popular encrypted notepad application SafePad. Version 1.1 focuses on many of the requests I have had from users. These are mainly around usability.
What is SafePad
SafePad is a simple FREE text editor that lets you encrypt your documents using 3 cascaded iterations of AES encryption (Advanced Encryption Standard). To protect your document you have to provide 2 passwords. Passwords have always been a problem when it comes to security as users tend to pick a password that is easy for them to remember. This also means that the password is most likely easy to crack. By using 2 passwords and performing multiple rounds of encryption, it makes it much harder to crack the passwords. If someone manages to crack password 1, all they will get back is encrypted text, so it would be very hard for them to know they have cracked that password.
Picking strong yet easy to remember passwords is essential when protecting your files. If your passwords are easy to guess or can be cracked by a brute force search then you are leaving your data open to being stolen. Here is a good article over at wolfram.org with some good advice on picking strong passwords.
In this article I want to talk about the storage of passwords in your systems. Passwords are still the most common way of being able to authenticate a user, but it is very easy to put yourself in a situation where your system is not secure and susceptible to attacks. In this article I want to discuss ways in which you shouldn’t store passwords, and talk about how you can safely store passwords and protect yourself where you have been a victim of data theft.
Storing Passwords in the Clear
Ease of Implementation : EASY
Is Good Idea : TERRIBLE IDEA
When you are developing a system that needs to authenticate a user, the biggest mistake you can make is storing passwords as clear text in your database. You may as well not bother having security as you can’t offer any kind of privacy to your users. This may seem like common sense, but there are still plenty of sites that do this. A user’s password should be secret and only known by the person who it belongs to.