January 2005 Entries
Just been reading what looks like the second part in a series on security from Eric Lippert on the use of hashes for protecting password information (first part is here). I find this especially interesting since I've recently designed a system which uses salted-hash (as opposed to sticky-black hash which is a whole different thing ;-)) as a method to protect user passwords. As it turned out it wasn't all that easy to do this in .NET; of course it might just be me...anyway here's the little function I came up with for hashing passwords (with a dash of salt...)
UPDATE: Simpler version is below with much of the duplication removed - in addition, the defaults are smaller and quicker (16 byte salt and SHA-1 hashing algorithm), you can change either of these - any length of salt and any of the HashAlgorithms (SHA256, MD5, etc...). Hope someone finds it useful...

using System;
using System.Security.Cryptography;
using System.Text;

namespace HashMaker
{
    public sealed class PasswordHasher
    {
        // Default salt length in bytes; the salt is stored alongside the hash,
        // it is not a secret, it just makes identical passwords hash differently.
        private const int DEFAULTBYTECOUNT = 16;

        // A random salt as a Base64 string, handy for storing in a text column.
        public static string GetRandomString()
        {
            return Convert.ToBase64String(GetRandomBytes(DEFAULTBYTECOUNT));
        }

        // Swap this for SHA256Managed etc. if you want a different digest -
        // whatever you pick must be used both when storing and when checking.
        private static HashAlgorithm GetAlgorithm()
        {
            return new SHA1Managed();
        }

        // Cryptographically random bytes. GetBytes rather than GetNonZeroBytes,
        // so every byte value is possible and the salt keeps its full entropy.
        public static byte[] GetRandomBytes(int byteCount)
        {
            byte[] byteBuff = new byte[byteCount];
            RNGCryptoServiceProvider rn = new RNGCryptoServiceProvider();
            rn.GetBytes(byteBuff);
            return byteBuff;
        }

        // Generates a fresh salt and hashes the password with it; the caller must
        // store saltBytes next to the hash so the calculation can be repeated at login.
        public static byte[] GetHashedPasswordBytes(byte[] passwordBytes, out byte[] saltBytes)
        {
            saltBytes = GetRandomBytes(DEFAULTBYTECOUNT);
            return GetHashedPasswordBytes(passwordBytes, saltBytes);
        }

        // Hash of (password || salt) - a single pass of the chosen algorithm.
        public static byte[] GetHashedPasswordBytes(byte[] passwordBytes, byte[] saltBytes)
        {
            byte[] combByt = new byte[passwordBytes.Length + saltBytes.Length];
            passwordBytes.CopyTo(combByt, 0);
            saltBytes.CopyTo(combByt, passwordBytes.Length);
            // The reversal is a fixed step of this scheme (it doesn't add secrecy,
            // since the algorithm is public); it just has to be the same on both sides.
            Array.Reverse(combByt);
            HashAlgorithm sm = GetAlgorithm();
            byte[] buffArr = sm.ComputeHash(combByt, 0, combByt.Length);
            return buffArr;
        }

        // String overloads - the password is encoded as UTF-16 (Unicode), so the
        // same encoding must be used when the hash is re-calculated for a login check.
        public static byte[] GetHashedPasswordBytes(string password, out byte[] saltBytes)
        {
            byte[] passByt = UnicodeEncoding.Unicode.GetBytes(password);
            return GetHashedPasswordBytes(passByt, out saltBytes);
        }

        public static byte[] GetHashedPasswordBytes(string password, byte[] saltBytes)
        {
            byte[] passByt = UnicodeEncoding.Unicode.GetBytes(password);
            return GetHashedPasswordBytes(passByt, saltBytes);
        }
    }
}
UPDATE...AGAIN: Umm...I'm going for the 'most updates to a single post' award OK? Anyway, just realised I forgot the little byte array comparison method after I updated this - in this context you'd need it when comparing the stored array to the freshly calculated one from the data entered by the user - you could convert to a Base64 string then just do string.Compare...but this is faster (and it checks every byte rather than stopping at the first mismatch, so the time it takes doesn't reveal how many leading bytes matched):

private bool CompareArrays(byte[] Arr1, byte[] Arr2)
{
    if (Arr1.Length != Arr2.Length)
        return false;
    // OR together the differences of every byte instead of returning at the
    // first mismatch - the loop always runs to the end, whatever the input.
    int diff = 0;
    for (int i = 0; i < Arr1.Length; i++)
        diff |= Arr1[i] ^ Arr2[i];
    return diff == 0;
}
Right, that's it, not more updates...promise!
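As an added example (not the HashMaker code from the post above, and not Eric Lippert's), here is the same salted-hash idea as a practitioner would write it on a current .NET (6 or later). It keeps the post's structure - random salt, hash of password plus salt, salt stored next to the hash - but swaps the single SHA-1 pass for an iterated PBKDF2 derivation (Rfc2898DeriveBytes), stores the iteration count with the salt so it can be raised later, and compares with CryptographicOperations.FixedTimeEquals. The class and method names, the storage format and the 600,000 iteration default are assumptions of this example, not anything from the post.

```csharp
using System;
using System.Security.Cryptography;

// Added example: salted, iterated password hashing with a constant-time check.
// Names, storage format and iteration count are this example's own choices.
public static class Pbkdf2PasswordHasher
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    // Assumption: tune this so one derivation costs roughly 100 ms on your server.
    private const int DefaultIterations = 600_000;

    // Returns "pbkdf2-sha256$<iterations>$<salt base64>$<hash base64>" for storage.
    // Everything needed to repeat the calculation is in the string; none of it is secret.
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] hash = Derive(password, salt, iterations);
        return "pbkdf2-sha256$" + iterations + "$"
             + Convert.ToBase64String(salt) + "$"
             + Convert.ToBase64String(hash);
    }

    // Re-derives with the stored salt and iteration count, then compares in constant time.
    // Any malformed stored value is treated as "does not match" rather than throwing.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false;
        }
        // Rfc2898DeriveBytes rejects salts shorter than 8 bytes; a tampered record
        // shouldn't turn into an exception on the login path.
        if (salt.Length < 8 || expected.Length != HashBytes) return false;

        byte[] actual = Derive(password, salt, iterations);
        // FixedTimeEquals looks at every byte, so a mismatch in byte 0 costs the
        // same as a mismatch in byte 31 - nothing to learn from the timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2-HMAC-SHA256; the password is UTF-8 encoded by Rfc2898DeriveBytes,
    // so the encoding is fixed on both the store and the verify side.
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine("right password: " + Verify("correct horse battery staple", stored));
        Console.WriteLine("wrong password: " + Verify("wrong password", stored));
        // A second hash of the same password differs, because the salt is fresh each time.
        Console.WriteLine("same string twice: " + (Hash("correct horse battery staple") == stored));
    }
}
```

Running it prints the stored record, then true for the right password, false for the wrong one and false for the "same string twice" line. The iteration count in the record is what lets you raise the cost later: records written at the old count still verify, and can be re-hashed at the new count the next time that user logs in.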
I've been following a thread on Scoble's blog regarding the introduction of the rel="nofollow" tag for blog comments - some of the points Robert makes are interesting, including the one that irked me most:
Developed in privacy. Um, not true. Webloggers have been asking for YEARS for a link that could tell the search engine spiders not to go there. Joi Ito and I have been asking for this repeatedly over the past four years. Certainly not in private.
Sorry, but that's total bollocks - this 'innovation' was announced, not submitted for comment / improvement, and those involved have included Blog & Search Monopolists Google (who have most to gain and least to lose by the introduction of this attribute). The most vocal support has come from people like Scoble - whose blogs ranked highly on Google precisely because blog comments and posts generate trackbacks and navigable links. The fact that Robert now calls for a method of limiting the popularity of other blogs using such a method seems like the blog version of protectionism - it's fair enough to benefit from the interconnectedness of blogs but it seems that being asked to give a little back is just too much.
I have up until now used this attribute on this site without giving it much thought - I plan to remove it; comments are the life-blood of blogs, and that spam could effectively ruin the blog system of interconnections just seems like cutting off your nose to spite your face. I'm sorry if Google is upset that blogs break its page-rank algorithm (not all that great an algorithm if it can't deal with such an emergent system...) but frankly when searching for something and being presented with a blog (actually I usually end up with that god-awful techie discussion board thing) is usually a good thing - it's ranked highly because it's good!
Blog spam has to be controlled, but I really don't think this is the best method - the little CAPTCHA thing I have on the comments here (though not yet perfect) has cut my Comment Spam down to a slow drip from a raging torrent - that just seems like a more effective method. I do plan on working on additional methods as well, with 'arbitrary membership' being high on the list...
So my little baby Mac arrived today; unfortunately this now means I have 6 machines, a single 4 port KVM (which the Mac seems to dislike a huge amount), a single monitor and not much space (well none, verging on bugger all if truth be told). It really is a very neat little machine, I've tried it both at work and at home, connecting it to some pretty odd monitors / USB keyboards and mice, and it's rock solid, seems to need no drivers for monitors or mice & keyboards (even the scroll wheel works!); can't get any PS2 stuff to work though, even with a PS2 -> USB adaptor, must look into that!
Anyway as I say, useless and pretty (as all today's youth aspire to be :-)) - I'm downloading Mono and Monodevelop so I'll try those out tomorrow...
OK, so the previous versions of .NET Passport have been pretty nasty to work with and get working (and keep working!) - this as well as user disaffection have led to several high-profile clients dropping the use of the .NET Passport sign-on mechanism.
I've just been having a look at Passport V3.0 (for a Microsoft owned site) - and it's very cool, the technology has taken a HUGE leap forward - I can't discuss specifics (NDA etc...). God, I wish they'd done this 2 years ago (when I first saw documents relating to this change) - they could really have moved things forward!
You've probably noticed the really brief posts I've done recently - basically I'm just trying something out...each time I find an interesting article I'm sticking it straight on this here blog. Reason for this? I realised I was not putting some useful stuff on simply because of the time it takes to write a 'proper' post.
Let me know if you like / detest these mini-posts.
Recently had the chance to dig into remoting in a bit more detail (for the Bulk Mail app I've mentioned before). I have to say, it's both more difficult and a lot easier than I imagined!
Having to modify my class to allow use from a remoting client was a little weird; I wanted to use SingleCall mode - with a simple response to keep performance up, unfortunately this has led to quite a radical reworking of my main Engine class (and subsequent bug-fixing...it wasn't that tight in the first place). The actual set up of remoting is however amazingly easy, letting me simply switch from local to remoting versions with a simple bit of config...e.g.
<system.runtime.remoting>
  <application>
    <client>
      <!-- Server-activated (well-known) object: the client gets a proxy for this type,
           and the url is the only thing that changes between a local and a remote set-up. -->
      <wellknown type="SurgeEngine.EngineFacade, SurgeEngine" url="tcp://localhost:9080/SurgeEngine"/>
      <!-- port="0" lets the runtime pick a free port for the client-side channel. -->
      <channels ref="tcp" port="0">
        <serverProviders>
          <!-- typeFilterLevel="Full" lifts the deserialization restriction .NET 1.1 added to
               the binary formatter (the default "Low" only allows a limited set of types), so
               only use it where the other end of the channel is trusted - here it's another
               process on the same box. -->
          <formatter ref="binary" typeFilterLevel="Full" />
        </serverProviders>
      </channels>
    </client>
  </application>
</system.runtime.remoting>
Oh, I did use a Facade pattern to help reduce the type and number of changes I had to make to my core engine (specifically to reduce the amount of thread-handling code in the core engine...)
One oddity I did come across though was trying to use remoting from an ASP.NET site - which is what this app was doing, acting as a web-service proxy to another remoting server on the same box (simplifies things for non-.NET clients using the app...config etc...). No idea where I found it but this code in my Global.asax.cs helped a lot:
protected void Application_Start(Object sender, EventArgs e)
{
    // Ask the AppDomain which config file it was started with (web.config for an
    // ASP.NET site) and hand that to the remoting runtime, rather than relying on
    // it to find the right file by itself.
    string configFile = AppDomain.CurrentDomain.SetupInformation.ConfigurationFile;
    RemotingConfiguration.Configure(configFile);
}

All this really does is aid the app in identifying the correct config file to use (which is actually trickier than you'd expect).
The only other hassle I had was an annoying error related to a change introduced in .NET 1.1 to do with typeFilterLevel - this article sorts it all out...
Bill Evjen has posted a great list of sites, articles and resources for learning ASP.NET. Well apart from the omission of my blog ;-)
Well, finally got around to implementing a CAPTCHA control in my comments (using the excellent HIPValidator by Stephen Toub). It's still experimental - so it might not work totally smoothly - but let's see if it works against comment spam! Anyway, any problems please email me at blogcomments@mostllyucid.co.uk. Oh, should say I won't be able to provide the source for this (most of it is in the article I mentioned above) because my .TEXT source is heavily modified...
UPDATE: Looks like there's an issue around a font installed on my server - this causes the little image to not appear, just hit refresh until it does, I'll fix this later tonight.
Had a mail from someone today complaining that their IP appeared to be blocked on my site - apologies, I have a fairly strict policy on spam / abusive comments: you get one chance then I block your IP (this has been fairly effective in the past). I realise though that sometimes this will be a bit of a blunderbuss against a mosquito (nice metaphor) since there are issues with dial-up, non-static IPs etc...If you've been affected and umm...if you can read this post (hey it could be in Google, Bloglines etc...)...please email me at blogcomments@mosltlucid.co.uk and we can discuss your needs.
Just been reading a post by Geoff Appleby on the pros and cons of reflection. He also points to a very interesting use of reflection by Darren Neimke to control the routing of messages within a system like BizTalk.

I have similar reservations to using reflection that Geoff has - mainly because I came from a Java world where reflection could just totally kill performance. However I also agree that there are some situations where it's just incredibly useful - I recently used reflection in an application which uses User Controls to provide functionality; occasionally I had to set some specific properties on controls (to let me reuse the same control with different properties set...). Here's the code I use:
private void SetCustomProperties(UserControl uctrl, FControl defCtrl)
{
    // ASP.NET compiles the .ascx into a class derived from the code-behind class,
    // so the custom properties we want to set are declared on the base type.
    Type uctrlType = uctrl.GetType().BaseType;
    if (defCtrl.Settings != null && defCtrl.Settings.Count > 0)
    {
        // Settings is a name/value collection: key = property name, value = its string form.
        foreach (string s in defCtrl.Settings.AllKeys)
        {
            PropertyInfo theProperty = uctrlType.GetProperty(s);
            // Unknown or read-only names are ignored rather than throwing.
            if (theProperty != null && theProperty.CanWrite)
            {
                object val = null;
                Type testType = theProperty.PropertyType;
                if (testType.IsEnum)
                    val = Enum.Parse(testType, defCtrl.Settings[s]); // already the right type
                else
                    val = Convert.ChangeType(defCtrl.Settings[s], testType);
                if (val != null)
                    theProperty.SetValue(uctrl, val, null);
            }
        }
    }
}
So, obviously lots of weird custom classes and stuff but you can probably see it's actually pretty simple in the end.
While in my 'getting back into coding' frame of mind I've been surfing around looking at various sources of information - I've come to realise something that I missed before - there's a lot less 'high quality' information available today than, say, 3 years ago.
Back in the days of classic ASP there were a bunch of excellent sites where you could reliably find awesome articles on all the latest toys and techniques...now though it ain't so good! Sites like ASPToday, DotNetJunkies and 4GuysFromRolla just don't seem to publish that regularly anymore and what is there seems kind of 'old-fashioned', even 15Seconds (which was always a totally awesome site) feels a little tired! I guess a lot of people now just read a very few blogs and visit the ASP.NET main site for all their information. This is a real pity, I can't really imagine trying to learn ASP.NET from scratch using just the 'classic' sources of information. Oh, there is one exception, EggHeadCafe - very cool stuff there!
Hopefully it's just something I'm missing and there's some other sites which do fill this niche - so what sites do you use most, where's the best non-blog source for great ASP.NET information?
Oh, and I just bought a mini-Mac yay!
Well, you've probably been bludgeoned about the head with the news this evening but Apple has just launched a new machine - the Mac Mini. I have to say it looks really nice! Well, I'm currently trying to get onto the Apple UK store (looks like their XServe machines may be having slight scalability issues :-)) - this is just the right price-point and size for a little play-around thing! I also have a spare port on my 4-port KVM :-). From first impressions this thing looks like another coup from Apple!
Well, I'm back from holiday - trying to get interested in coding again, which is harder than it should be! Anyway, in an effort to get back into things I've been reading a few blog articles which are pretty cool.
The first is an article on Viewstate serialization by Victor Garcia, which is pretty much essential reading if you're trying to squeeze every bit of performance from your Viewstate handling - good stuff!
Apart from that, I'm building another little server...and playing with some new toys including the new desktop machine I've just built (mid-range, Geforce 6600GT-AGP, Athlon 64 3000+, 1Gb Ram, 400GB RAID-0 SATA Array) should do me for a bit though I'll probably upgrade the RAM to 2Gb pretty soon to let me play with Windows Server 2003 / Longhorn on Virtual PC at a decent speed. The new server is made from all the bits left over from my old machine - so it should be pretty handy...don't know for what exactly but...
Anyway, as I say I'm trying to get back into coding again and you'll be the first to know when I get my brain rebooted.