Hacking the Code: ASP.NET Web Application Security [Electronic resources] - text version


James C. Foster, Mark M. Burnett

Coding Standards Fast Track

Using Cryptography in ASP.NET

Employing Symmetric Cryptography

- Never rely on XOR, ROT-13, base-64 encoding, or any homegrown encryption/obfuscation algorithm.
- Avoid using DES unless absolutely necessary for backward compatibility; consider 3DES as a compatible alternative.
- Use Rijndael/AES encryption for the best security and performance.
- If using RC2 encryption, use 128-bit keys whenever possible.
- When security is a high priority and performance a low priority, consider layering encryption algorithms using CryptoStreams.
- When creating a key and IV, do not derive one from the other. Use the random key and IV generated when the algorithm class is initialized.
- Use CryptDeriveKey to create an encryption key from a user password.



Working with Hashing Algorithms

- Use hashing algorithms to verify the integrity of data and to store and verify passwords.
- For data verification, store the hashes in a secure location so they cannot be modified.
- Use keyed hashing algorithms such as HMACSHA1 to protect the hashes.
- For password authentication, keep the hashes secret to prevent brute-force attacks.
- Add salt to a hash, either manually or by using a keyed hashing algorithm, to ensure randomness.




Working with .NET Encryption Features

Creating Random Numbers

- Use only the RNGCryptoServiceProvider to generate strong random numbers; avoid using System.Random.
- Use external sources of entropy to further increase the randomness of the PRNG.



Keeping Memory Clean

- Use the Clear() method to clear out any sensitive data on cryptographic objects.
- Use the Dispose() method to immediately free memory resources.
- Explicitly zero out any variables that do not provide a Clear() method.


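The following C# class is an added example, not the book's code, that applies several of the symmetric-cryptography, hashing, random-number and memory-cleanup items above together: AES from Aes.Create() with a per-message IV generated by the object rather than derived from the key, an HMACSHA1 tag over the IV and ciphertext that is checked in constant time before any decryption, key and salt material from RNGCryptoServiceProvider, and Clear() on the cipher object once it has done its work. The class name, the blob layout and the use of two separate 32-byte keys are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
// Added example, not the book's code. Blob layout (an assumption of this example):
// IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA1 tag (20 bytes).
public static class FastTrackCrypto
{
    const int IvLen = 16, TagLen = 20;
    // Strong random bytes from the CSP, never from System.Random; use for keys and salts.
    public static byte[] RandomBytes(int count)
    { byte[] b = new byte[count]; using (var r = new RNGCryptoServiceProvider()) r.GetBytes(b); return b; }
    // Encrypt-then-MAC with separate encryption and MAC keys (e.g. RandomBytes(32) each).
    // The IV is generated fresh per call by the Aes object and is never derived from the key.
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        byte[] cipher, iv;
        using (Aes aes = Aes.Create())          // Rijndael/AES, not DES or a homegrown scheme
        {
            aes.Key = encKey;
            aes.GenerateIV();
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            aes.Clear();                        // wipe the key material held by the object
        }
        byte[] blob = new byte[IvLen + cipher.Length + TagLen];
        Buffer.BlockCopy(iv, 0, blob, 0, IvLen);
        Buffer.BlockCopy(cipher, 0, blob, IvLen, cipher.Length);
        using (var hmac = new HMACSHA1(macKey)) // keyed hash covers both IV and ciphertext
            Buffer.BlockCopy(hmac.ComputeHash(blob, 0, blob.Length - TagLen), 0, blob, blob.Length - TagLen, TagLen);
        return blob;
    }
    // Verify the tag in constant time before decrypting; returns null on a bad or truncated blob.
    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) return null;
        int bodyLen = blob.Length - TagLen, diff = 0;
        byte[] expected, iv = new byte[IvLen];
        using (var hmac = new HMACSHA1(macKey)) expected = hmac.ComputeHash(blob, 0, bodyLen);
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) return null;
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }
}
```

On current .NET versions RNGCryptoServiceProvider is marked obsolete in favour of RandomNumberGenerator.Create(), and HMACSHA256 is the usual choice over HMACSHA1; the calls above still compile and the structure is unchanged by either substitution.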

Protecting Secrets

- Avoid storing secrets in code, even if it is compiled into binary.
- Never store any secret in plaintext.
- Use a combination of file, registry, database, or DPAPI to store secrets.
- Use obscurity, but only sparingly, as an additional layer of protection.



Protecting Communications with SSL

- Always use SSL for protecting sensitive HTTP traffic.
- Upgrade hardware or use an SSL accelerator to handle the processing overhead of SSL.
- Once the session is established, keep using SSL as much as possible.
- Be careful to use SSL for all included page elements.