Hashing - Using C# and .Net Framework

A Cryptographic one-way hash function is used to generate a fixed length hash value as a transformation from a specific input. It should be computationally feasible in that it should

• Not have the Avalanche Effect in producing the hash value
• Given h it should be hard to find any m such that h = hash(m)
• It should be collision resistant, i.e given an input m₁, It should be hard to find another input, m₂ (not equal to m₁) such that  hash(m₁) = hash(m₂)
• Resistant to Birthday attacks

.Net Framework BCL provides solid support to some cryptographic hash functions like MD5,SHA1,SHA128,SHA384 and SHA512. I've written a small demo program to compute hash and verify them using the listed cryptographic hash algorithms.

Class Diagram

 

 

 

 

 

 

 

 

  

 

Output

System.Security.Cryptography

Complete .Net Cryptography Classes,Interfaces and Enumerations listing from MSDN. Wanted to keep this live on my blog for future references.. Also Check out this article on MSDN [Protecting Private Data with Cryptography Namespaces of the .Net Framework]

Cool MS Security Videos

Check out the  Microsoft  Hello Secure World web site. They have some cool videos on

• RMS Architecture
• Symmetric Keys
• Digital Signatures
• Cross Site Request Forgery
• Hashing
• ASP.Net SQL Injection

SQL Injection Attacks

Often, the SQL Injection payload is designed in a generic manner to impact on more SQL Databases and Database Servers. The Security loophole in most cases lie in poor design of Data Access Code. Although it can be argued that there is much more to it than securing Data Access Code, I'm talking about the majority of such an attack and how imperative it is to secure the Data Access Code.
The impact of an SQL Injection Attack can be on
- The Database ( contents of the DB are compromised )
- The Users (malware injected directly,Users do not know because they trust this website )
The SDL aka Trustworthy computing Security Development Lifecycle ( a process that Microsoft has adopted for the development of software that needs to withstand malicious attack ) is a good thing to adapt and follow.
"Microsoft's experience indicates that the SDL is effective at reducing the incidence of security vulnerabilities. Initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3, and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security, and subsequent software versions, reflecting enhancements to SDL, appear to be showing further improvements in software security" - SDL Conclusion from MS.
Now, a quick look at Securing your Data Access Code, Referred from MSDN SDL Blog and Micheal Howard's Blog(Co-Author of Writing Secure Code).
Use the following in you Data Access Code:
1] SQL Parameterized queries
2] Stored Procedures
3] SQL Execute Only Permission
These are not mere recommendations, They are Requirements!!. More on the nitty-gritty of these techniques can be viewed on the SDL Blog, Micheal Howard's Blog and on the MS Security Research site.
One might argue that SQL Injection Attacks are also mainly due to 'N00b' Developers. This might be partly so. Periodic training for Developers,Testers,Security Analysts on current security issues , best practices from SDL etc is very imperative here. Training is also a strict requirement in the SDL. Afterall, Knowledge is Power, Knowing is dangerous, Knowing is everything...

Rejuvenated Feeling

After being in hibernation mode for quite some time now, mostly because of hectic coursework and uni. commitments. I am quite excited to start blogging again..