Tuesday, July 18, 2006

Many articles and approaches claim that it doesn't matter how secure the application is, or how secure the environment it runs in is (for example, serving it over SSL using the https protocol), you should always store passwords and other secret data in encrypted (hashed) form. The reason is that there is always a chance, even a small one, that someone could steal your confidential data.

There are many hashing functions and algorithms, such as MD5, SHA1 and others, but these algorithms are old by today's standards: they generate 'only' a 128-bit value, so the space of possible results is 2^128 in size, and with a cracking script, like the passcracking project, the hash can be broken.

Because of these limitations and cracking possibilities, it is not recommended to use this type of hashing function. You will see a better solution later... (hold on :) ).

One-way Hash Functions

The following definitions are taken from Bruce Schneier's book Applied Cryptography, Second Edition:

A one-way hash function, H(M), operates on an arbitrary-length pre-image message, M. It returns a fixed-length hash value, h.

h = H(M), where h is of length m

Many functions can take an arbitrary-length input and return an output of fixed length, but one-way hash functions have additional characteristics that make them one-way [1065]:

Given M, it is easy to compute h.
Given h, it is hard to compute M such that H(M)= h.
Given M, it is hard to find another message, M’, such that H(M) = H(M’).

In some applications, one-wayness is insufficient; we need an additional requirement called collision-resistance.

It is hard to find two random messages, M and M’, such that H(M) = H(M’).

Now that the main idea of a basic hash function is clear from Bruce Schneier's definitions, I want to show you better alternatives that come to replace and enrich the old ones.

WHIRLPOOL generates a 512-bit output and RIPEMD comes in 128-, 160- or 320-bit variants, but I want to focus on SHA-2, a function family that generates 256- or 512-bit outputs, because an API for it is available in the Microsoft .NET Framework.

The main classes that implement these cryptographic algorithms are:

  • System.Security.Cryptography.SHA256Managed
  • System.Security.Cryptography.SHA384Managed
  • System.Security.Cryptography.SHA512Managed

Now to the implementation. The following code shows an example of how to use this function to hash a password, or any confidential data that you want to store hashed:

using System;
using System.Security.Cryptography;
using System.Text;

// plainPassword is the string to hash
byte[] data = Encoding.Default.GetBytes(plainPassword);
string hashedPassword = string.Empty;

SHA256 sha2 = new SHA256Managed();
// ComputeHash runs the whole input through the algorithm and returns the 32-byte digest
byte[] hashBytes = sha2.ComputeHash(data);
// Render the digest as an upper-case hex string, two characters per byte
foreach (byte b in hashBytes)
   hashedPassword += Convert.ToString(b, 16).ToUpper().PadLeft(2, '0');

sha2.Clear();   // release the algorithm's internal buffers
// hashedPassword holds the hashed string

The example above hashes the plain password using the SHA-2 algorithm.

The following example uses a salt, which helps reduce the risk of dictionary attacks: the code appends random bytes (the so-called "salt") to the original plain text before generating the hash. Please keep in mind that a salt only helps against prebuilt dictionaries. If an intruder gets access to your system and uses a brute force attack, the salt will not provide much value.

using System;
using System.Security.Cryptography;
using System.Text;

string hashedPassword = string.Empty;
// Generate a random 32-byte salt from the cryptographic random number generator
byte[] salt = new byte[32];
new RNGCryptoServiceProvider().GetBytes(salt);

// Convert the plain string password into bytes
byte[] plainPasswordBytes = Encoding.Unicode.GetBytes(plainPassword);
// Append salt to password before hashing
byte[] combinedBytes = new byte[plainPasswordBytes.Length + salt.Length];
Buffer.BlockCopy(plainPasswordBytes, 0, combinedBytes, 0, plainPasswordBytes.Length);
Buffer.BlockCopy(salt, 0, combinedBytes, plainPasswordBytes.Length, salt.Length);

// Create hash for the password + salt
HashAlgorithm hashAlgo = new SHA256Managed();
byte[] hash = hashAlgo.ComputeHash(combinedBytes);

// Append the salt to the hash, so it can be recovered when the password is verified later
byte[] hashPlusSalt = new byte[hash.Length + salt.Length];
Buffer.BlockCopy(hash, 0, hashPlusSalt, 0, hash.Length);
Buffer.BlockCopy(salt, 0, hashPlusSalt, hash.Length, salt.Length);

foreach (byte b in hashPlusSalt)
   hashedPassword += Convert.ToString(b, 16).ToUpper().PadLeft(2, '0');

// hashedPassword holds the hashed string

That's it; now use it properly and do as much as you can to avoid brute force attacks...
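The verification side of the salted scheme above, which the post leaves out, as an added example (not code from the original post). It assumes the stored string is the hex of SHA-256(password || salt) followed by the 32-byte salt, exactly as the second snippet writes it; the SaltedPasswordStore class and its method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post. Assumes the stored value is the hex of
// SHA-256(password || salt) followed by the 32-byte salt, as the snippet above produces.
public static class SaltedPasswordStore
{
    private const int SaltLength = 32;
    private const int HashLength = 32; // SHA-256 digest size in bytes

    // Same construction as the post: UTF-16 password bytes, then the salt, one SHA-256 pass.
    public static byte[] HashWithSalt(string plainPassword, byte[] salt)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(plainPassword);
        byte[] combined = new byte[pwd.Length + salt.Length];
        Buffer.BlockCopy(pwd, 0, combined, 0, pwd.Length);
        Buffer.BlockCopy(salt, 0, combined, pwd.Length, salt.Length);
        return new SHA256Managed().ComputeHash(combined);
    }

    public static string Create(string plainPassword)
    {
        byte[] salt = new byte[SaltLength];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = HashWithSalt(plainPassword, salt);
        byte[] stored = new byte[HashLength + SaltLength];
        Buffer.BlockCopy(hash, 0, stored, 0, HashLength);
        Buffer.BlockCopy(salt, 0, stored, HashLength, SaltLength);
        return BitConverter.ToString(stored).Replace("-", ""); // upper-case hex, like the post
    }

    // Recover the salt from the stored record, recompute, and compare without short-circuit.
    public static bool Verify(string candidate, string storedHex)
    {
        if (storedHex == null || storedHex.Length != 2 * (HashLength + SaltLength))
            return false; // malformed record: fail closed rather than throw
        byte[] stored = new byte[HashLength + SaltLength];
        for (int i = 0; i < stored.Length; i++)
            stored[i] = Convert.ToByte(storedHex.Substring(2 * i, 2), 16);
        byte[] salt = new byte[SaltLength];
        Buffer.BlockCopy(stored, HashLength, salt, 0, SaltLength);
        byte[] expected = HashWithSalt(candidate, salt);
        int diff = 0;
        for (int i = 0; i < HashLength; i++)
            diff |= expected[i] ^ stored[i]; // every byte is visited whatever the outcome
        return diff == 0;
    }
}
```

The post's own brute force caveat still applies: one SHA-256 pass is cheap to compute, and .NET 2.0's Rfc2898DeriveBytes (PBKDF2) is the framework's way to make each guess expensive while keeping the same store-and-verify shape.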

Posted by: Eran Nachum (c)
Post Date: 7/18/2006 9:23:57 AM (Jerusalem Standard Time, UTC+02:00)
Disclaimer | Comments [2] | Trackback   #
 Sunday, July 16, 2006

Hey all, how are you?

I bumped into a very strange and awkward thing while working in Visual Studio 2005; you can see the pic attached:

Are you familiar with this??? :)

p.s.
This thing vanished right after I restarted my Visual Studio, funny!

Posted by: Eran Nachum (c)
Post Date: 7/16/2006 5:14:59 PM (Jerusalem Standard Time, UTC+02:00)
 Tuesday, July 11, 2006

Didn't I tell you that I love .NET 2.0? If I didn't, I am saying it now...

This is a new method in .NET 2.0, but anyone who plays with it should know it by now. Instead of working hard to sort a collection (or a list, which descends from it) of entities, you now have the Sort method, which does it for FREE and with better performance.
In any case, I decided to show a simple example for those who don't know it or just want to be impressed by it again.

* Comment: I assume in this post that you are familiar with generics and delegates.

Let's assume that you have an entity structured like:

public struct Entity
{
   private int _id;
   private string _name;

   // and more...

   public int Id
   {
      get{return _id;}
      set{_id = value;}
   }
   public string Name
   {
      get{return _name;}
      set{_name = value;}
   }
}

Now, suppose you have a list of these entities and you want to sort it by name and display it sorted. Follow the example code below and see how easy it is using an anonymous delegate:

// sortDirection is a global variable that determines the sort direction
int sortParam = sortDirection == "Ascending" ? 1 : -1;

// entitiesList is a List<Entity>; the anonymous delegate is the comparison Sort calls
entitiesList.Sort(new Comparison<Entity>(
   delegate(Entity e1, Entity e2)
   {
      return sortParam * e1.Name.CompareTo(e2.Name);
   }));

Nice & easy, that's it (no sophisticated actions needed).

You can find more tutorials about anonymous delegates (or delegates in general) in the blog of Oren Elenbogen (a team leader in my department) here.

So, be well.
p.s. Again... I will be glad to hear any comments or refinements.

Posted by: Eran Nachum (c)
Post Date: 7/11/2006 9:19:32 AM (Jerusalem Standard Time, UTC+02:00)
 Saturday, July 08, 2006

Hello all!

I know that I haven't written for a long time; this is because I am very busy these days. At work, we are at the end of a big web application project, and the stress is starting to overflow. At home, I am also working on my own project (Haverut.co.il, if you forgot or didn't know), but this Saturday I decided to share a problem that I encountered while working at home with Typed Datasets to connect to and retrieve data from the database.

I am developing my website project under Visual Studio 2005 and SQL Server 2000 (this is because my web-hosting server supports only SQL Server 2000). When I installed VS 2005, SQL Server Express 2005 was automatically installed too; this situation created 2 versions of SQL Server databases on the computer.

Now to the BUG...
When I tried to debug a flow that connects to the DB and grabs some data from it, the application crashed with a run time error and the exception said: "Unable to connect to debugger on 'COMPUTERNAME' (Error = 0x80070057). Ensure that client-side components, such as SQLLE.DLL, are installed and registered on 'COMPUTERNAME'. Debugging disabled for connection 51."
A very annoying bug, firstly because I hadn't encountered it before and mainly because there are no troubleshooting tips at Microsoft Help & Support (you can see it yourself here).

Microsoft say that because of the 2 different versions of SQL Server on the computer, the T-SQL debugger uses the SQL startup account of the default instance (which is SQL 2005 Express edition), and it is not appropriate for the SQL Server that I am working with (which is SQL 2000).
After a long search for a resolution on the web I didn't find anything, so first I uninstalled SQL Server 2005 Express from the computer - it didn't help much - and after many combinations and attempts I decided to install SQL Server 2000 SP3 again... I returned to the application, debugged the specific flow and, a MIRACLE, it worked...

Now I can continue working on my Haverut.co.il web site (eventually...). So, if you have any questions about it or some comments, I will be glad to hear them.

Now I am going to enjoy my Shabbat vacation on a trek to the Zavitan waterfall with my wife and good friends, be well...

Posted by: Eran Nachum (c)
Post Date: 7/8/2006 11:34:22 AM (Jerusalem Standard Time, UTC+02:00)
 Thursday, June 29, 2006

Hello!

It's been a long time since I posted to the blog, because of the hard work on the Tigers project at work, but while programming and programming, I encountered a new asp.net 2.0 Page property called PreviousPage.
This property holds all the web controls, with their data and information, of the page you came from before the current page.

I found this property very useful; it can make your life easier when getting data from the previous page that you (or the user of your application) came from.

For example: suppose you want to use specific information from the page that you have just been redirected from, like the text of a search term. In the 'old fashioned' way, you needed to save this data in a Session variable or to send it in the query string of the URL, where it is exposed to everyone, but the PreviousPage property avoids these ways by keeping all the previous page's data, so you can look for the specific control that holds the data. For example:

if (Page.PreviousPage != null)
{
   if (Page.PreviousPage.FindControl("txtSearchTerm") != null)
   {
      string term = ((TextBox)Page.PreviousPage.FindControl("txtSearchTerm")).Text;

      //do your thing with this data...
   }
}

Here I checked whether there is a previous page and whether it contains the txtSearchTerm TextBox control, then grabbed its data and used it.

Is it nice or not?
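The strongly-typed form of the same PreviousPage lookup, as an added example (not code from the original post). It assumes a hypothetical Search.aspx whose Button has PostBackUrl="~/Results.aspx", a Results.aspx that declares the PreviousPageType directive, and hypothetical control names txtSearchTerm and lblResultsFor.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the original post. Assumes a hypothetical Search.aspx whose
// Button has PostBackUrl="~/Results.aspx", and a Results.aspx that declares
//    <%@ PreviousPageType VirtualPath="~/Search.aspx" %>
// so that its PreviousPage property is typed as Search instead of Page.

// Search.aspx.cs: publish the value through a property, so the target page never has to
// know the control's ID (txtSearchTerm is the TextBox declared in the designer file).
public partial class Search : Page
{
    public string SearchTerm
    {
        get { return txtSearchTerm.Text; }
    }
}

// Results.aspx.cs
public partial class Results : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // PreviousPage is null on a plain GET or a same-page postback. IsCrossPagePostBack
        // separates a real cross-page post from a Server.Transfer, which also sets
        // PreviousPage but reports IsCrossPagePostBack as false.
        if (PreviousPage == null || !PreviousPage.IsCrossPagePostBack)
        {
            return; // nothing to read; render the page empty or redirect
        }

        string term = PreviousPage.SearchTerm; // no FindControl, no cast, checked at compile time

        // The term is still user input: it only avoided the query string, not the user.
        // Encode it before writing it back into the page (lblResultsFor: hypothetical Label).
        lblResultsFor.Text = Server.HtmlEncode(term);
    }
}
```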

Posted by: Eran Nachum (c)
Post Date: 6/29/2006 7:38:26 PM (Jerusalem Standard Time, UTC+02:00)
 Tuesday, June 20, 2006

This post is for all of you who hold a personal site or administer sites and want to know some analytics and statistics about site traffic.

Google (the amazing...) came out with a very sophisticated site analytics tool that can tell you "everything you want to know about how your visitors found you and how they interact with your site. You'll be able to focus your marketing resources on campaigns and initiatives, and improve your site to convert more visitors" (Google's quote).

I was very impressed, initially, by the user interface's graphic design and the diverse statistical summaries, and the most valuable thing here is that it is very easy to implement - you need to add a small script to your site and that's it!!!

For more info you can try it here. I have already inserted the script code on my different sites.

Bye for now...

Posted by: Eran Nachum (c)
Post Date: 6/20/2006 7:51:25 AM (Jerusalem Standard Time, UTC+02:00)
 Monday, June 19, 2006

Hey all!

While developing the Data Access Layer (DAL) in my "home developing" project, Haverut.co.il, I deliberated whether to use the old fashioned way - Microsoft's Application Blocks, where I need to implement all the database contact by hand and use the 'jacket' of the Application Blocks adapters - OR to use Typed Datasets...
I decided on the second choice, because (as is known) this module knows how to generate code for database tables and to create the main CRUD (Create, Read, Update and Delete) methods by default, as well as custom SQL queries.

But this is not the main issue of this post...

While working, I needed to run several connected commands against the database, therefore I needed to use a Transaction to tie these commands together and avoid database command failures or 'half-way actions'.

Now, the biggest deliberation: to use the SqlTransaction module or the TransactionScope module (a new module that came out in .NET 2.0)?

At first I decided to use TransactionScope, because it's very easy to use and it doesn't give you a "pain in the neck". The usage is easy: you wrap the wanted scope with this module and all the work will be done safely under this transaction.
Further documentation you can find here:

But this module has a few disadvantages, like:

  • Low performance: with a large number of users and actions, the performance of these actions will be very bad and slow.
  • By default, when using this module, the system tries to look for a transaction that is otherwise current, or a TransactionScope object that dictates that Current (a static property of this namespace) is null. If it cannot find either one of these, System.Transactions queries the COM+ context for a transaction. Note that even though System.Transactions may find a transaction from the COM+ context, it still favors transactions that are native to System.Transactions. This is not recommended because we need to handle the COM+ context in addition to our application context. More info you can find here.

Because of that, I decided to use SqlTransaction over my Typed Datasets' actions.

To do this in an appropriate way, I used a partial class (a very nice innovation in .NET 2.0) with the same name as the Typed DS class, to 'continue' its code and extend some of its members, like the main member that does the connection with the database: _adapter.
This member is private and is not accessible to outside requests.

Instead of a BeginTransaction method, I have implemented a Transaction property on my TableAdapters, like this:

using System.Data.SqlClient;

// This partial class must sit in the namespace the designer generated the adapter in
// (the <DataSetName>TableAdapters namespace), otherwise it declares a new, unrelated class.
partial class CitiesTableAdapter
{
   // Keep the transaction in a field: _adapter.SelectCommand is only assigned during Fill,
   // so reading the getter through it can throw a NullReferenceException
   private SqlTransaction _transaction;

   public SqlTransaction Transaction
   {
      get { return _transaction; }
      set
      {
         if (_adapter == null)
         {
            InitAdapter();
         }

         _transaction = value;
         // The write commands hang off the SqlDataAdapter...
         _adapter.InsertCommand.Transaction = value;
         _adapter.UpdateCommand.Transaction = value;
         _adapter.DeleteCommand.Transaction = value;
         // ...while the select commands used by Fill/GetData live in CommandCollection,
         // and they need the transaction too or the next read on this connection fails
         foreach (SqlCommand cmd in CommandCollection)
         {
            cmd.Transaction = value;
         }
      }
   }
}

This property assigns the given transaction to the Transaction property of all its commands. Now I can call CRUD methods as I like, knowing that they run under SqlTransaction control:

CitiesTableAdapter citiesAdapter = new CitiesTableAdapter();

citiesAdapter.Connection.Open();
try
{
   SqlTransaction trans = citiesAdapter.Connection.BeginTransaction();
   try
   {
      citiesAdapter.Transaction = trans;

      // CRUD the table, commit transaction or rollback if there's a problem
      // (the table operations themselves are not shown in the original post)

      trans.Commit();
   }
   catch
   {
      trans.Rollback();   // undo every command run under this transaction
      throw;
   }
}
finally
{
   citiesAdapter.Connection.Close();
}

A nice way of implementing it; I hope it helped someone...
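The "several connected commands" case the post set out to solve, with two adapters sharing one connection and one SqlTransaction, as an added example (not code from the original post). It assumes CitiesTableAdapter and a hypothetical UsersTableAdapter both carry the Transaction property shown above, that their Connection property is accessible, and that their generated Insert methods take the parameters used here; the namespace name is also hypothetical.

```csharp
using System;
using System.Data.SqlClient;
using HaverutDataSetTableAdapters; // hypothetical namespace of the generated adapters

// Added example, not from the original post. Assumes CitiesTableAdapter and a hypothetical
// UsersTableAdapter both carry the Transaction property shown above, and that their
// generated Insert methods take the parameters used here (illustrative signatures).
public static class CityRegistration
{
    // Either both rows are written or neither is; any failure rolls back and is rethrown.
    public static void AddCityAndUser(SqlConnection conn, string cityName, string userName)
    {
        CitiesTableAdapter cities = new CitiesTableAdapter();
        UsersTableAdapter users = new UsersTableAdapter();

        // Both adapters must use the SAME connection: a SqlTransaction is bound to its
        // connection, and a command on another connection cannot join it.
        cities.Connection = conn;
        users.Connection = conn;

        conn.Open();
        SqlTransaction trans = conn.BeginTransaction();
        try
        {
            // Hand the one transaction to every command of every adapter involved
            cities.Transaction = trans;
            users.Transaction = trans;

            cities.Insert(cityName);            // hypothetical generated Insert
            users.Insert(userName, cityName);   // hypothetical generated Insert
            trans.Commit();
        }
        catch
        {
            trans.Rollback();   // undo the first write too, so no half-done pair survives
            throw;              // let the caller see why
        }
        finally
        {
            conn.Close();
        }
    }
}
```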

See you

Posted by: Eran Nachum (c)
Post Date: 6/19/2006 8:46:54 AM (Jerusalem Standard Time, UTC+02:00)
 Thursday, June 15, 2006

Hello!

Today my blog ranked on Google for the first time; everything is a result of good SEO (Search Engine Optimization) actions on my web site..

Try to find me :)

Posted by: Eran Nachum (c)
Post Date: 6/15/2006 2:35:13 PM (Jerusalem Standard Time, UTC+02:00)