This seems to be the best forum for my questions, so here goes.
My company's website is being redesigned, and I would like to add more security regarding some of the user information we store. My questions are about best practices and which of the .Net Framework's methods are preferable.
Some data, like contact information, will be encrypted. This allows the data to be stored securely and be converted back into plaintext for display in various contexts. Is there a particular method in System.Security.Cryptography that is considered better than the rest?
I'm not sure whether passwords will be encrypted or hashed. I believe hashing is faster, but if a user forgets his password it cannot be looked up and will have to be changed. Also, we have business rules saying that a user must change his password every 30 days and cannot change it to any password used in the last 6 months: whatever method I implement must be compatible with these rules. Any suggestions?
If you are concerned about encrypting data in the database, I think you need to also look at your procedures for accessing the database. However, if you are using SQL Server you can encrypt the data there: http://technet.microsoft.com/en-us/library/bb510663.aspx
Hashing passwords is the most secure. So what if the user forgets and must reset it. The old passwords can be stored in a separate table, still hashed, and compared against any new ones. You could create a SQL job that removes all passwords in this table older than six months.
I know the language. I've read a book. - _Madmatt
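As an added example (not code from this thread), one way to build the hash-plus-history scheme this answer describes with System.Security.Cryptography: PBKDF2 via Rfc2898DeriveBytes with a fresh random salt per password, and a reuse check that rehashes the candidate under the salt of each history row from the last six months. The PasswordHistoryEntry class and the iteration count are assumptions; the 30-day rule is just a comparison against ChangedUtc on the current row.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Assumed shape of one row in the separate "old passwords" table: salt, hash, change date.
public class PasswordHistoryEntry
{
    public byte[] Salt;
    public byte[] Hash;
    public DateTime ChangedUtc;
}

public static class PasswordPolicy
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 10000; // iteration count is an assumption
    static readonly TimeSpan HistoryWindow = TimeSpan.FromDays(182);  // "last 6 months" rule

    // PBKDF2 (Rfc2898DeriveBytes) with a per-password salt; the salt is stored beside the hash.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Called when a password is set: fresh random salt, hash, and the change timestamp.
    public static PasswordHistoryEntry Create(string password, DateTime nowUtc)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new PasswordHistoryEntry { Salt = salt, Hash = Hash(password, salt), ChangedUtc = nowUtc };
    }

    // Compare every byte so timing does not reveal how far a match got.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Reuse check: rehash the candidate under each in-window row's salt and compare.
    // Rows older than the window are the ones the SQL job in the answer can purge.
    public static bool IsReuse(string candidate, IEnumerable<PasswordHistoryEntry> history, DateTime nowUtc)
    {
        return history.Where(h => nowUtc - h.ChangedUtc <= HistoryWindow)
                      .Any(h => FixedTimeEquals(Hash(candidate, h.Salt), h.Hash));
    }
}
```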
You can't un-hash something, so encryption is the best way.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass." - Dale Earnhardt, 1997
John Simmons / outlaw programmer wrote: You can't un-hash something
The stoner motto.
Encryption is the act of converting data from an understandable form to a non-understandable one in such a way that it can be converted back with no loss of information.
A related topic to encryption is one-way hashing. One-way hashing algorithms work in many ways the same as encryption with a few important differences.
For details, see:
http://www.zdnet.com/news/encryption-hashing-and-obfuscation/128604
Maybe this can help you.
What are the latest third-party .Net tools and architectures (like DevExpress, Telerik, MyGeneration)? What is the easiest way to learn them?
modified on Wednesday, April 13, 2011 9:46 AM
You don't need to use the code block formatting for your question.
You also don't need to ask this question.
0) Search!
1) RTFM!
I know the language. I've read a book. - _Madmatt
prasanta_prince wrote: What is the easiest way to learn that?
Download the trials and build something with them. Any specific third party control problem then read either the user guide or visit their forum (or ask a question here!)
As barmey as a sack of badgers
Dude, if I knew what I was doing in life, I'd be rich, retired, dating a supermodel and laughing at the rest of you from the sidelines.
Check their websites to see which of them have the latest releases or betas.
You need to visit their forums and knowledge base articles to learn them.
The funniest thing about this particular signature is that by the time you realise it doesn't say anything it's too late to stop reading it.
Hi,
I'm experimenting with remoting, trying to see if it's a valid tool to use for our application. But, as luck would have it, I'm lost again. I wonder, is it possible to create an object on the server side and send it to the client? In all the examples and information I've found so far, I only found information about instantiating an object on the server from the client.
But if I want to call a method from the client on the server (for instance: public User GetUser(string username) {}), is it possible for the server to return me the User object which the server has created (from a database helper or equivalent)?
So far, I've only been successful in transferring .net-only objects (strings, ints, guids etc.). That worked, but now that other thing...
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
Of course it's possible, but I'd consider looking at WCF instead. There's no compelling reason to use remoting now when you can accomplish the same quite easily via WCF.
Okay, then what would you suggest I use? These are the conditions in which it should work:
1) no webserver present (or other software, just the .net runtime)
2) need to change port & protocol at runtime dynamically.
Thanks in advance!
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
Helfdane wrote: 1) no webserver present (or other software, just the .net runtime)
That's not a problem. You don't need a web server to run WCF; that's just a convenience. This is called self hosting. It's entirely possible to talk from exe to exe using WCF.
Helfdane wrote: 2) need to change port & protocol at runtime dynamically.
Again, that's no problem. By convention, people tend to use the config files to configure WCF services, but that's not a requirement of WCF. WCF settings can be set entirely from code (and it's easier to change protocols with WCF too).
I have actually been looking at something similar, specifically an in-house instant messaging set-up that would operate exclusively on our company network and off of the internet. The only examples of an IM system using WCF that I have been able to find involve web hosting and global internet capability; the stuff I've tried doesn't like our firewall. I don't suppose you can provide some links or other resources that might be useful? Even a few recent book titles would be nice, and I don't care whether they use C# or VB.net.
I care, C# plz
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
If you can wait a couple of days, I'll knock something up this weekend. I'm a touch slammed right now.
Even a list of links would be great, thanks!
I'll probably pop it on my blog.
I think I've solved my issue. Took me a while to figure it out, but I now have a working solution. I'll post it on my own blog when I have the time to do it. Posted here.
What my problem was, I was using MarshalByRef on the objects I tried to transmit, at least I'm guessing this was the culprit. The working solution for me was to replace MarshalByRef with [Serializable] and use the tcp-channel instead of the http-channel. In addition, in the client I replaced the code which registered the server object as WellKnownClientType with the Activator.GetObject() routine. The server object is still using MarshalByRef and is in the Singleton mode. Now I have a working client/server. I'm not sure if my solution is "legal", but it gets the job done.
-edit with blog link-
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
modified on Sunday, April 17, 2011 5:33 PM
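An added example (not the poster's demo project) of the arrangement described in this post: a [Serializable] User returned by value from a Singleton MarshalByRef service over a TcpChannel, with the client using Activator.GetObject rather than RegisterWellKnownClientType, and the port passed in from the console instead of a config file as the later reply asks for. The IUserService interface, the User fields and the lookup body are assumptions.

```csharp
using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;

// Returned by value: [Serializable] copies the object to the client, whereas a
// MarshalByRefObject would only hand the client a proxy pointing back at the server.
[Serializable]
public class User
{
    public string UserName;
    public string DisplayName;
}

// Shared interface so the client needs no reference to the server implementation.
public interface IUserService
{
    User GetUser(string userName);
}
// Server object: stays MarshalByRef and is published in Singleton mode.
public class UserService : MarshalByRefObject, IUserService
{
    public User GetUser(string userName)
    {
        // Hypothetical lookup; the real version would call the database helper.
        return new User { UserName = userName, DisplayName = "User " + userName };
    }
}
public static class RemotingHost
{
    // The port is supplied by the console (e.g. a command-line argument), not a config file.
    public static void StartServer(int port)
    {
        // ensureSecurity = true switches the TcpChannel to encrypted, authenticated mode.
        ChannelServices.RegisterChannel(new TcpChannel(port), true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(UserService), "UserService", WellKnownObjectMode.Singleton);
    }

    // Client side: Activator.GetObject instead of RegisterWellKnownClientType.
    public static User FetchUser(string host, int port, string userName)
    {
        if (ChannelServices.GetChannel("tcp") == null)              // register the client channel once
            ChannelServices.RegisterChannel(new TcpChannel(), true); // must match the server's security mode
        var url = string.Format("tcp://{0}:{1}/UserService", host, port);
        var svc = (IUserService)Activator.GetObject(typeof(IUserService), url);
        return svc.GetUser(userName);                                // User arrives as a serialized copy
    }
}
```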
I've put up a demo project with my implementation here:
Clicky!
Hope it helps.
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
Helfdane wrote: 1) no webserver present (or other software, just the .net runtime)
Presumably you mean that you only want to use .Net to create the server. Because per your original requirements there is a server and a client. And if there is no server then the requirement does not exist.
Helfdane wrote: 2) need to change port & protocol at runtime dynamically.
What specific business need requires this?
Note that there is a significant difference between being able to run a server using a configured port and changing that same port (and handling clients as well) while the server is running.
The user should be able to change the port number in a console, not while the server is running. It happens often enough that some complementary software from another supplier takes the port we configured. So the sysadmin at the client site should be able to adjust it. Config files are a bridge too far and they get lost in them.
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
First, what is "often enough"?
Once a day or once a year?
Second that point still doesn't mean that the port needs to be changed while the application is running. One can provide a GUI to modify a config file and then provide a management app to bounce the server.
Changing the port while running means that you MUST deal with the complication of txns in flight. And also deal with providing a timely notification to clients.
Read my post again.
The service is not necessarily running when the port is changed.
And about often, if for every issue I need to send out a consultant to fix it, then even once a year is too often. If I could control everything from A to Z, then this would not be necessary, but I always try to make sure the software is as robust as possible.
A good programmer is someone who always looks both ways before crossing a one-way street. (Doug Linder)
Helfdane wrote: read my post again
I suggest you read your own post again....
"port & protocol at runtime dynamically."