This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain the basics of encodings in this post.
The encoding issues/features I discuss here are all well documented in the article Character Encoding in the .NET Framework, but I believe the issues aren't that well known. Stack Overflow, blogs, and discussion forums are riddled with insecure code samples. Do a Google search for "ASCII.GetBytes" password and you'll get a lot of results. I even found insecure code examples in a textbook, the C# 2008 Programmer's Reference (page 344). So I definitely believe we need to raise awareness of these issues in the .NET community.
Encoding subtleties
In the MSDN article on character encoding you'll find that the first suggestion on how to use the encoding objects in .NET is:
Use the static properties of the Encoding class, which return objects that represent the standard character encodings available in the .NET Framework (ASCII, UTF-7, UTF-8, UTF-16, and UTF-32). For example, the Encoding.Unicode property returns a UnicodeEncoding object. Each object uses replacement fallback to handle strings that it cannot encode and bytes that it cannot decode.

And people love to use the static properties! But if you don't read this carefully and pause at "replacement fallback", you might get into trouble. "Replacement fallback" means that every character that cannot be encoded to bytes is silently replaced with the "?" character. But what does that mean in practice? Time for a demo using the ASCII encoding:
Oh my. What just happened here?
- First you see the different strings I've chosen to demonstrate how the "default" encoding works. Some of them contain characters that do not exist in the ASCII encoding.
- Next you see the output from System.Text.Encoding.ASCII.GetBytes(...): the strings have become bytes, shown as hex. Hint: look at how the bytes of the last three strings are suddenly identical after running them through GetBytes()!
- Then the SHA-1 hashes, just to underscore that hashing does not help here (identical bytes give identical hash values). Out of our five different input strings, three have the same hash value!
- Finally System.Text.Encoding.ASCII.GetString(...), to turn our byte arrays back into String objects. If you compare the input strings and output strings, only one of them is unchanged.
... might not have the appropriate behavior for your application. It uses replacement fallback to replace each string that it cannot encode and each byte that it cannot decode with a question mark ("?") character.

Still, this is often how people recommend you hash passwords. Read the docs, people!
The MSDN article on character encodings is really good, so go read it. I've included the source code for the demo at the end of the post in case you want to try it yourself. I've also added a commented-out exception fallback variant; try that out too.
This was bad. Now what?
Well, first I'll point out the implications. If all your users only ever used ASCII characters, this wouldn't be a problem. Ironically, as you add non-ASCII characters to passwords — supposedly making them "more secure" — you make them less secure, since every non-ASCII character becomes a "wildcard" that matches any other non-ASCII character. All you guys who are native English speakers have to keep in mind that there are more of us who aren't, so use UTF-8 in your code samples instead of ASCII. Then we can still use our classic Norwegian trick to make passwords "uncrackable" by adding a Norwegian letter to them: æ/ø/å.
So, while I've pointed out what could be a potentially serious security issue, it's probably not the end of the world. But you should move away from the ASCII-encoding if that's what you're using for your password hashing.
Building an authentication system based on passwords is not as straightforward as many might think. Here are a couple of important challenges:
- You need to avoid the problem I've outlined in this post, so you don't mess up the password before you've even started (it can be solved by using a Unicode encoding with the exception fallback).
- You need to salt the passwords to avoid the problem of rainbow tables.
- You need to decide how to compute the value you store in the database: should you use a plain SHA-256 transform, the PBKDF2 algorithm, bcrypt, or maybe scrypt? That decision directly affects the effectiveness of brute-force and dictionary attacks.
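Putting the three points together, here is an added example (not code from the original post): a strict UTF-8 encoder so that unencodable input throws instead of becoming "?", a random salt per password, and PBKDF2 via Rfc2898DeriveBytes. The salt length, output length and iteration count are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the post's code: hashing a password without the
// replacement-fallback problem, then salting and stretching with PBKDF2.
public static class PasswordHasher
{
    // throwOnInvalidBytes: true -> EncoderFallbackException instead of a silent '?'
    private static readonly Encoding StrictUtf8 = new UTF8Encoding(
        encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);

    private const int SaltSize = 16;      // assumption
    private const int HashSize = 32;      // assumption
    private const int Iterations = 100000; // assumption; tune for your hardware

    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    public static byte[] Hash(string password, byte[] salt)
    {
        // A lone surrogate or other unencodable input throws here rather
        // than turning into "?" as Encoding.ASCII would.
        byte[] passwordBytes = StrictUtf8.GetBytes(password);
        try
        {
            // Byte[] overload: we control the encoding, not the KDF class.
            using (var kdf = new Rfc2898DeriveBytes(passwordBytes, salt, Iterations))
            {
                return kdf.GetBytes(HashSize);
            }
        }
        finally
        {
            Array.Clear(passwordBytes, 0, passwordBytes.Length);
        }
    }

    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Hash(password, salt);
        // Fixed-time comparison so timing does not leak how many bytes matched.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
        {
            diff |= actual[i] ^ expected[i];
        }
        return diff == 0;
    }

    public static void Main()
    {
        byte[] salt = NewSalt();
        byte[] stored = Hash("passord-med-æøå", salt);
        Console.WriteLine("stored: " + BitConverter.ToString(stored));
        Console.WriteLine("correct password verifies: " + Verify("passord-med-æøå", salt, stored));
        // With Encoding.ASCII both of these would become "?????" and collide.
        Console.WriteLine("'ééééé' matches 'üüüüü': " + Verify("ééééé", salt, Hash("üüüüü", salt)));
        try
        {
            Hash("broken\ud800surrogate", salt); // lone high surrogate cannot be encoded
        }
        catch (EncoderFallbackException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```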
You'll find a detailed article by Troy Hunt on the issues with password hashing in his OWASP top ten for .Net developers. And here's a definite take away:
..when it comes to security, the more stuff you can pull straight out of the .NET framework and avoid rolling yourself, the better. There’s just too much scope for error and unless you’re really confident with what you’re doing and have strong reasons why the membership provider can’t do the job, stick with it.

Amen.
Anything else?
Well, yes. You might not always be the one deciding how encoding errors should be handled, so you need to keep an eye on how others deal with these issues. As I've been writing this post there's been a release of the AntiXSS library. One of the changes is that "Invalid Unicode no longer throws an exception"; here are the details from the release notes:
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

I'm not sure what the change looks like in lines of code, but I would guess that they emit the � explicitly after catching an error. The documentation is quite clear for the Unicode encodings:

To enable error detection and to make the class instance more secure, the application should use the UnicodeEncoding constructor that takes a throwOnInvalidBytes parameter, and set that parameter to true. With error detection, a method that detects an invalid sequence of characters or bytes throws an ArgumentException. Without error detection, no exception is thrown, and the invalid sequence is generally ignored.

I'll try to ping @blowdart and see if he'll write something about this on his blog. What it definitely does mean is that if you output invalid Unicode for some reason, it's probably only your users, and not you, who'll notice. To detect errors you will have to search the output from the AntiXSS library for the �.
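To show the two behaviours side by side, here is an added example (not code from the post or from the AntiXSS library): one constructed, invalid UTF-16 byte sequence decoded with the default Encoding.Unicode and with a strict UnicodeEncoding, plus the after-the-fact U+FFFD scan the paragraph above describes.

```csharp
using System;
using System.Text;

// Added example, not the post's code: replacement fallback versus error
// detection when decoding invalid UTF-16.
public static class InvalidUnicodeDemo
{
    // Constructed sample: "ab" followed by a lone high surrogate (U+D800)
    // in little-endian UTF-16. A surrogate without its pair is invalid.
    private static readonly byte[] BrokenUtf16 =
        { 0x61, 0x00, 0x62, 0x00, 0x00, 0xD8 };

    // Default: Encoding.Unicode silently substitutes U+FFFD for the bad unit.
    public static string DecodeLenient()
    {
        return Encoding.Unicode.GetString(BrokenUtf16);
    }

    // Strict: same bytes, but the invalid unit raises DecoderFallbackException
    // (an ArgumentException subclass), so the caller cannot miss it.
    public static string DecodeStrict()
    {
        var strict = new UnicodeEncoding(bigEndian: false, byteOrderMark: false,
                                         throwOnInvalidBytes: true);
        return strict.GetString(BrokenUtf16);
    }

    // The only detection available when a library has already chosen
    // replacement fallback: look for U+FFFD in its output.
    public static bool ContainsReplacementChar(string s)
    {
        return s.IndexOf('\uFFFD') >= 0;
    }

    public static void Main()
    {
        string lenient = DecodeLenient(); // "ab\uFFFD"
        Console.WriteLine("lenient: " + lenient
            + " (contains U+FFFD: " + ContainsReplacementChar(lenient) + ")");
        try
        {
            DecodeStrict();
        }
        catch (DecoderFallbackException e)
        {
            Console.WriteLine("strict: " + e.Message);
        }
    }
}
```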
What the TransformTool bug looked like
Here are two screenshots from TransformTool, the first showing that non-ASCII characters are replaced with question marks.
And here's after my bugfix, using the Exception Fallback, where a System.Text.EncoderFallbackException is thrown:
The code
Here's the code for the console application. I've commented out the safe way to obtain an ASCII encoding. You can give the code a try to see the behaviour for yourself, switching between the safe and unsafe way of instantiating an ASCII encoding.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main()
    {
        var exampleStrings = new String[] { "abcde", "abcdé", "?????", "ééééé", "üüüüü" };
        byte[][] ASCIIBytes = new byte[exampleStrings.Length][];

        // Unsafe: replacement fallback silently turns unencodable chars into '?'
        var asciiEncoding = System.Text.Encoding.ASCII;
        // Safe: exception fallback throws instead of replacing
        //var asciiEncoding = System.Text.Encoding.GetEncoding("ASCII",
        //    new EncoderExceptionFallback(),
        //    new DecoderExceptionFallback());

        Console.WriteLine("Strings to encode:");
        Console.WriteLine("0: " + exampleStrings[0] + " -> all ASCII chars");
        Console.WriteLine("1: " + exampleStrings[1] + " -> é is not a valid ASCII char");
        Console.WriteLine("2: " + exampleStrings[2] + " -> all questionmarks (valid ASCII)");
        Console.WriteLine("3: " + exampleStrings[3] + " -> all chars invalid ASCII");
        Console.WriteLine("4: " + exampleStrings[4] + " -> all chars invalid ASCII");
        Console.WriteLine();

        Console.WriteLine("Get bytes (ASCII encoding):");
        int i = 0;
        foreach (var s in exampleStrings)
        {
            ASCIIBytes[i] = asciiEncoding.GetBytes(s);
            Console.WriteLine(i + ": " + BitConverter.ToString(ASCIIBytes[i]));
            i++;
        }
        Console.WriteLine();

        Console.WriteLine("Let's pretend they are passwords and hash them with SHA-1!");
        i = 0;
        using (var sha = SHA1.Create())
        {
            foreach (byte[] bytes in ASCIIBytes)
            {
                // Identical input bytes give identical digests, so 2, 3 and 4 collide.
                Console.WriteLine(i + ": " + BitConverter.ToString(sha.ComputeHash(bytes)));
                i++;
            }
        }
        Console.WriteLine();
        Console.WriteLine("Uhm... Why are 2,3,4 identical?");
        Console.WriteLine();

        Console.WriteLine("Back to ASCII strings: ");
        i = 0;
        foreach (byte[] bytes in ASCIIBytes)
        {
            Console.WriteLine(i++ + ": " + asciiEncoding.GetString(bytes));
        }
        Console.WriteLine();
        Console.ReadLine();
    }
}
```
And here is an API for .NET to do it properly :)
https://sourceforge.net/projects/pwdtknet/