This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain the basics of encodings in this post.
The encoding issues/features I discuss here are all well documented in the article Character Encoding in the .NET Framework, but I believe that the issues aren't that well known. Stack Overflow, blogs, and discussion forums are riddled with insecure code samples. Do a Google search for "ASCII.GetBytes" password, and you'll get a lot of results. I even found insecure code examples in a text book, the C# 2008 Programmer's Reference (page 344). So I definitely believe we need to raise awareness of these issues in the .NET community.
Encoding subtleties
In the MSDN article on character encoding you'll find that the first suggestion on how to use the encoding objects in .NET is:
Use the static properties of the Encoding class, which return objects that represent the standard character encodings available in the .NET Framework (ASCII, UTF-7, UTF-8, UTF-16, and UTF-32). For example, the Encoding.Unicode property returns a UnicodeEncoding object. Each object uses replacement fallback to handle strings that it cannot encode and bytes that it cannot decode.

And people love to use the static properties! But if you don't read this carefully and pause at the "replacement fallback", you might get into trouble. "Replacement fallback" means that every character that cannot be encoded to bytes will silently be replaced with the "?" character. But what does that mean in practice? Time for a demo using the ASCII encoding:
Oh my. What just happened here?
- First you see the different strings I've chosen to demonstrate how the "default" encoding works. Some strings contain characters that do not exist in the ASCII encoding.
- Next you see the output from System.Text.Encoding.ASCII.GetBytes(...): the strings have become bytes, shown as hex. Hint: look at how the last three strings' bytes suddenly are identical after running them through GetBytes()!
- Then the SHA-1 hashes of those bytes, just to underscore that hashing does not help here (identical bytes give identical hash values). Out of our five different input strings, three have the same hash value!
- Finally System.Text.Encoding.ASCII.GetString(...), to turn our byte arrays back into String objects. If you compare the input strings and output strings, only one of them is unchanged.
... might not have the appropriate behavior for your application. It uses replacement fallback to replace each string that it cannot encode and each byte that it cannot decode with a question mark ("?") character.

Still, this is often how people recommend you hash passwords. Read the docs, people!
The MSDN article on character encodings is really good, so go read it. I've included the source code for the demo at the end of the post in case you want to try it yourself. I've also added a commented-out exception fallback example; try that out too.
This was bad. Now what?
Well, first I'll point out the implications here. If all your users were to use ASCII characters only, this wouldn't be a problem. Ironically, as you add non-ASCII characters to passwords — supposedly making them "more secure" — you make them less secure, since the non-ASCII characters become "wildcards": every one of them collapses to the same "?" byte before hashing. All you guys who are native English speakers have to keep in mind that there are more of us who aren't, so use UTF-8 in your code samples instead of ASCII. Then we can still use our classic Norwegian trick to make passwords "uncrackable" by adding a Norwegian letter to it: æ/ø/å.
So, while I've pointed out what could be a potentially serious security issue, it's probably not the end of the world. But you should move away from the ASCII encoding if that's what you're using for your password hashing.
Building an authentication system based on passwords is not as straightforward as many might think. Here are a couple of important challenges:
- You need to avoid the problem I've outlined in this post, so you don't mess up the password before you've even started (it can be solved by using a Unicode encoding with the exception fallback).
- You need to salt the passwords to avoid the problem of rainbow tables.
- You need to decide on how you want to compute the value you store in the database: should you use a plain SHA-256 transform, the PBKDF2 algorithm, bcrypt, or maybe scrypt? That decision directly affects the effectiveness of brute-force and dictionary attacks.
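The following is an added example, not code from the original post, showing the three points above in one place: a strict UTF-8 encoding that throws instead of replacing, an ASCII encoding with the exception fallback for comparison, and a salted PBKDF2 derivation over the resulting bytes. The `PasswordBytes` class, its `ToBytes`/`Derive` helpers and the sample passwords are constructed for this example; it assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PasswordBytes
{
    // UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true):
    // no BOM, and invalid UTF-16 (lone surrogates) throws instead of being replaced.
    static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);

    // Hypothetical helper: password -> bytes with no silent replacement.
    public static byte[] ToBytes(string password) => StrictUtf8.GetBytes(password);

    // Hypothetical helper: salted PBKDF2-HMAC-SHA256, 32-byte output.
    // Salt and iteration count must be stored next to the derived key.
    public static byte[] Derive(string password, byte[] salt, int iterations = 100_000) =>
        Rfc2898DeriveBytes.Pbkdf2(ToBytes(password), salt, iterations, HashAlgorithmName.SHA256, 32);

    static void Main()
    {
        // Constructed sample passwords: the last three differ only in non-ASCII characters.
        string[] passwords = { "abcde", "abcdé", "?????", "ééééé", "üüüüü" };

        // Encoding.ASCII uses replacement fallback, so three of the five collapse to "3F-3F-3F-3F-3F".
        var asciiHex = passwords.Select(p => BitConverter.ToString(Encoding.ASCII.GetBytes(p)));
        Console.WriteLine("Encoding.ASCII distinct byte arrays: " + asciiHex.Distinct().Count() + " of " + passwords.Length);

        // Strict UTF-8 keeps all five apart.
        var utf8Hex = passwords.Select(p => BitConverter.ToString(ToBytes(p)));
        Console.WriteLine("Strict UTF-8 distinct byte arrays:   " + utf8Hex.Distinct().Count() + " of " + passwords.Length);

        // If ASCII really is required, the exception fallback fails loudly instead of degrading the password.
        var strictAscii = Encoding.GetEncoding("ASCII", new EncoderExceptionFallback(), new DecoderExceptionFallback());
        try
        {
            strictAscii.GetBytes("abcdé");
        }
        catch (EncoderFallbackException e)
        {
            Console.WriteLine("ASCII with exception fallback threw: " + e.Message);
        }

        // Salted PBKDF2: same password and salt -> same key; é and ü no longer share a key.
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        bool repeatable = Derive("ééééé", salt).SequenceEqual(Derive("ééééé", salt));
        bool distinct = !Derive("ééééé", salt).SequenceEqual(Derive("üüüüü", salt));
        Console.WriteLine($"PBKDF2 repeatable={repeatable}, distinguishes é/ü={distinct}");
    }
}
```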
You'll find a detailed article by Troy Hunt on the issues with password hashing in his OWASP top ten for .Net developers. And here's a definite takeaway:
..when it comes to security, the more stuff you can pull straight out of the .NET framework and avoid rolling yourself, the better. There’s just too much scope for error and unless you’re really confident with what you’re doing and have strong reasons why the membership provider can’t do the job, stick with it.

Amen.
Anything else?
Well, yes. You might not always be making the decisions yourself for how encoding errors should be handled, so you need to keep an eye out for how others deal with these issues. As I've been writing this post there's been a release of the AntiXSS library. One of the changes is that "Invalid Unicode no longer throws an exception"; here are the details from the release notes:
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

I'm not sure what the change is in lines of code, but I would guess that they emit the � explicitly after catching an error. The documentation is quite clear for the Unicode encodings:
To enable error detection and to make the class instance more secure, the application should use the UnicodeEncoding constructor that takes a throwOnInvalidBytes parameter, and set that parameter to true. With error detection, a method that detects an invalid sequence of characters or bytes throws an ArgumentException. Without error detection, no exception is thrown, and the invalid sequence is generally ignored.

I'll try to ping @blowdart and see if he'll write something about this on his blog. What it definitely does mean is that if you output invalid Unicode for some reason, it's probably only your users, and not you, who'll notice. To detect errors you will have to search the output from the AntiXSS library for the �.
What the TransformTool bug looked like
Here are two screenshots from TransformTool, the first showing that non-ASCII characters are replaced with question marks.
And here is the output after my bug fix, using the exception fallback, where a System.Text.EncoderFallbackException is thrown:
The code
Here's the code for the console application. I've commented out the safe way to obtain an ASCII encoding. You can give the code a try to see the behaviour for yourself, switching between the safe and unsafe way of instantiating an ASCII encoding.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main()
    {
        // Five demo strings; the last three contain characters outside ASCII.
        var exampleStrings = new String[] { "abcde", "abcdé", "?????", "ééééé", "üüüüü" };
        byte[][] ASCIIBytes = new byte[exampleStrings.Length][];

        // Unsafe: Encoding.ASCII uses replacement fallback, so unencodable chars silently become '?'.
        var ASCIIEncoding = System.Text.Encoding.ASCII;
        // Safe: with the exception fallbacks, GetBytes()/GetString() throw instead of substituting.
        //var ASCIIEncoding = System.Text.Encoding.GetEncoding("ASCII",
        //    new EncoderExceptionFallback(),
        //    new DecoderExceptionFallback());

        Console.WriteLine("Strings to encode:");
        Console.WriteLine("0: " + exampleStrings[0] + " -> all ASCII chars");
        Console.WriteLine("1: " + exampleStrings[1] + " -> é is not a valid ASCII char");
        Console.WriteLine("2: " + exampleStrings[2] + " -> all questionmarks (valid ASCII)");
        Console.WriteLine("3: " + exampleStrings[3] + " -> all chars invalid ASCII");
        Console.WriteLine("4: " + exampleStrings[4] + " -> all chars invalid ASCII");
        Console.WriteLine();

        Console.WriteLine("Get bytes (ASCII encoding):");
        int i = 0;
        foreach (var s in exampleStrings)
        {
            ASCIIBytes[i] = ASCIIEncoding.GetBytes(s);
            Console.WriteLine(i + ": " + BitConverter.ToString(ASCIIBytes[i]));
            i++;
        }
        Console.WriteLine();

        Console.WriteLine("Let's pretend they are passwords and hash them with SHA-1!");
        i = 0;
        using (var sha = SHA1.Create())
        {
            foreach (byte[] bytes in ASCIIBytes)
            {
                // Identical byte arrays give identical hashes, so 2, 3 and 4 collide.
                Console.WriteLine(i + ": " + BitConverter.ToString(sha.ComputeHash(bytes)));
                i++;
            }
        }
        Console.WriteLine();
        Console.WriteLine("Uhm... Why are 2,3,4 identical?");
        Console.WriteLine();

        Console.WriteLine("Back to ASCII strings: ");
        i = 0;
        foreach (byte[] bytes in ASCIIBytes)
        {
            Console.WriteLine(i++ + ": " + ASCIIEncoding.GetString(bytes));
        }
        Console.WriteLine();
        Console.ReadLine();
    }
}
```
And here is an API for .NET to do it properly :)
https://sourceforge.net/projects/pwdtknet/