
[Security] Purpose string, Encryption, Hashing data

Post Series: ASP.NET Core Security

This post looks at hashing, encryption and random string generation in ASP.NET Core. We examine a few different approaches and explain why some common techniques should be avoided in modern applications. The more secure the generator, the slower it is.

Generating a random string

Purpose: Often used to create primary keys, or tokens for email validation and password reset.

Use the System.Security.Cryptography.RandomNumberGenerator class, obtained via RandomNumberGenerator.Create().

 

Hashing string

Why: SHA512 or MD5 is not secure against brute force on modern GPUs.
.NET Framework uses the Rfc2898DeriveBytes class, but it has limitations:

  • It only supports the HMACSHA1 algorithm, whereas ‘KeyDerivation.Pbkdf2’ supports HMACSHA1, HMACSHA256 and HMACSHA512.
  • ‘KeyDerivation.Pbkdf2’ offers performance improvements that depend on the operating system (it detects the operating system and uses the most optimized implementation).
  • ‘KeyDerivation.Pbkdf2’ lets you specify the input parameters for hashing (e.g. salt value, algorithm, iteration count); the current .NET hashing class provides built-in default values for these.

Using Microsoft.AspNetCore.Cryptography.KeyDerivation allows us to use PBKDF2, which is far harder to brute force.

Purpose: Hashing is a common requirement for storing passwords.

After hashing, you cannot go back to the original text.

To verify a plain-text string against a stored hash

Encrypting strings and objects

Purpose: Protect data

In ASP.NET Core, use DataProtector.

Out of the box, the data protection APIs use AES256 (CBC Mode) for encryption and SHA256 for validation but you can easily change this by configuring it in Startup.cs:

If we create a protector with the string key ‘ABC’ and protect some data, that data cannot be unprotected with a protector created with the string key ‘XYZ’, which is a further step toward making the data more secure.

See docs for more information

Resources:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm?view=netcore-1.1
https://www.devtrends.co.uk/blog/hashing-encryption-and-random-in-asp.net-core
https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction

https://www.codeproject.com/Articles/1152468/Data-Security-in-ASP-NET-Core
