Encryption

by MikeHogg 31. May 2012 09:50

A really interesting project had me implementing encryption algorithms for a Point Of Sale vendor interface.  It was the closest thing I’ve done to ‘computer science’ and I was fascinated at manipulating integers that were one thousand digits long.  The vendor used a symmetric encryption wrapped in an asymmetric method, plus an additional byte manipulation algorithm, making it a few layers deep.  I used a proven Big Integer implementation, and some of the MS encryption libraries for certain steps of the algorithm, but a lot of it was byte level manipulation. 

In one of my favorite parts of the algorithm, I used a bit shift operator.  Never found a use for that in Business Intelligence!

        private static byte[] ApplyOddParity(byte[] key)
        {
            for (var i = 0; i < key.Length; ++i)
            {
                int keyByte = key[i] & 0xFE; // 254? mask  
                var parity = 0;
                for (var b = keyByte; b != 0; b >>= 1) parity ^= b & 1; // shift right until empty, setting parity  xor b bitand 1
                key[i] = (byte)(keyByte | (parity == 0 ? 1 : 0)); // set byte = byte bitor (unchange if match) 1 if not parity or 0 for odd
            }
            return key;
        }
        public static string EncryptEAN(string eanhex, string decryptedmwkhex)
        {
            byte[] decryptedmwk = ConvertHexStringToByteArray(decryptedmwkhex);            
            byte[] asciiean = Encoding.ASCII.GetBytes(eanhex.PadRight(8, ' '));   
            
            TripleDESCryptoServiceProvider p = new TripleDESCryptoServiceProvider();
            p.Padding = PaddingMode.None;
            p.IV = new byte[8];
            // p.Mode = CipherMode.CBC; //  default 
            byte[] random = p.Key;     // testing: random = FDCrypt.ConvertHexStringToByteArray("95:e4:d7:7c:6d:6c:6c")         
            byte checksum = GetCheckSum(asciiean);            
            byte[] eanblock = new byte[16];
            Array.Copy(random, 0, eanblock, 0, 7);
            eanblock[7] = checksum;
            Array.Copy(asciiean, 0, eanblock, 8, 8);   // BitConverter.ToString(eanblock)
            p.Key = decryptedmwk;
            ICryptoTransform e = p.CreateEncryptor();
            
            byte[] result = e.TransformFinalBlock(eanblock, 0, 16);
            return BitConverter.ToString(result, 0).Replace("-",String.Empty);
        }
 
  public static string GetEncryptedMWK(string decryptedmwkhex, byte[] kek)
        {
            byte[] decryptedmwk = FDCrypt.ConvertHexStringToByteArray(decryptedmwkhex);
            TripleDESCryptoServiceProvider p = new TripleDESCryptoServiceProvider();
            p.Padding = PaddingMode.None;
            p.IV = new byte[8];
            // p.Mode = CipherMode.CBC; //  default 
            byte[] random = p.Key;     //random = FDCrypt.ConvertHexStringToByteArray("e7:11:ea:ff:a0:ca:c3:ba")
            p.Key = decryptedmwk;  // BitConverter.ToString(decryptedmwk)
            ICryptoTransform e = p.CreateEncryptor();
            byte[] checkvalue = e.TransformFinalBlock(new byte[8], 0, 8);       // BitConverter.ToString(checkvalue)   
            byte[] keyblock = new byte[40];
            Array.Copy(random, keyblock, 8);  
            Array.Copy(decryptedmwk, 0, keyblock, 8, 24);
            Array.Copy(checkvalue, 0, keyblock, 32, 8);   // BitConverter.ToString(keyblock)
             
            p.Key = kek;              
            e = p.CreateEncryptor();
            byte[] encryptedkeyblock = e.TransformFinalBlock(keyblock, 0, 40);   
            string result = BitConverter.ToString(encryptedkeyblock,0, 40);            
            return result.Replace("-",String.Empty); // should be 81 bytes inc null term?
        }

 

For testing, I built a UI in WPF.  Here you see how I wanted to encapsulate all the encryption stuff in a separate library (later to be used in a web site), yet needed a UI stub to go through the lengthy 18 step, two month long testing and certification process with the vendor.  I knew that UI could leverage my experience with the MVVM pattern in WPF to expose over 20 fields and half a dozen steps in fast iterations as we went through the vetting process, and the WPF UI became more of a helpful tool than a code maintenance drain like most UI’s. 

 

 

 

 

 

 

 

 

 

 


Tags:

WPF | C# | Encryption

WCF vs MVC REST API

by MikeHogg 28. May 2012 15:25

 

What is this REST API that I keep hearing about?  I have been using WCF for years, but now the new buzzword is REST API for web services.

First, a good background found on this page: http://www.codeproject.com/Articles/255684/Create-and-Consume-RESTFul-Service-in-NET-Framewor

What is REST & RESTful?

Representational State Transfer (REST) is introduced by Roy Fielding on 2000; it is an architectural style of large-scale networked software that takes advantage of the technologies and protocols of the World Wide Web. REST illustrate how concentrated data objects, or resources, can be defined and addressed, stressing the easy exchange of information and scalability.

In 2000, Roy Fielding, one of the primary authors of the HTTP specification, wrote a doctoral dissertation titled Architectural Styles and the Design of Network-based Software Architectures.

REST, an architectural style for building distributed hypermedia driven applications, involves building Resource-Oriented Architecture (ROA) by defining resources that implement uniform interfaces using standard HTTP verbs (GET, POST, PUT, and DELETE), and that can be located/identified by a Uniform Resource Identifier (URI).

REST is not tied to any particular technology or platform – it’s simply a way to design things to work like the Web. People often refer to services that follow this philosophy as “RESTful services.”

My current user case asked for three clients served by one codebase- one WPF client and two web site clients, and so I figured WCF was the best way to go. But I wanted to see what new tech MS has for us...

I saw many examples of REST Controller actions in MVC, but they were using REST architecture, over Http, without typed endpoints and instant Clients from WSDL, whcih was the main reason why WCF would have been so good for my case.  WCF is so mature now that you rarely have to do more than click a few times and add some properties to a project config before you have strong typed client behaviors.  What do I get with this new REST stuff?  A lot of manual work and no strong typed objects.  It sounds like a step backwards to me.

Phil Haack agreed with me...

http://haacked.com/archive/2009/08/17/rest-for-mvc.aspx

"When your service is intended to serve multiple clients (not just your one application) or hit large scale usage, then moving to a real services layer such as WCF may be more appropriate." 

I finally found (the background I linked to above) what I was looking for in the WCF Starter Kit built on 4.0. It has strong typing, and automated client creation. It built REST on top of WCF and added some attributes you could decorate your WCF project with to work over a new protocol WebHttpEndpoint? http://www.codeproject.com/Articles/255684/Create-and-Consume-RESTFul-Service-in-NET-Framewor

This was what I was looking for, but since it built ON TOP of WCF I didn't see the point. To my point, Sam Meacham warned in Sep 2011 not to use WCF REST Starter Kit in the discussion on that page:

http://www.codeproject.com/Articles/255684/Create-and-Consume-RESTFul-Service-in-NET-Framewor?fid=1652761&df=90&mpp=50&noise=3&prof=False&sort=Position&view=Quick&fr=51#xx0xx

"The WCF REST Starter kit is abandoned, and will no longer be developed. WCF was designed to be protocol agnostic. REST services are generally built on the HTTP protocol, using all of the richness of http for your rest semantics. So WCF as it existed was actually a really bad choice for building rest services. You basically had to factor back in all of the http-ness that wcf had just factored out.

Glenn Block at Microsoft, who (with the community) developed the Managed Extensibility Framework (MEF) was reassigned to work on the WCF REST story at MS going forward. They are currently developing the WCF WEB API[^], which will be the new way to create REST services with WCF.

Also, keep in mind that REST has no service description language like WSDL or anything, so things like service location and automatic client generation don't exist. WCF certainly isn't your only chance for creating REST services in .NET. I created the RestCake? library for creating REST services based on IHttpHandler?. Also, IHttpHandler? is a very simple interface for creating REST services. A lot of people prefer to use MVC 3."

So, I conclude WCF is not going away, and is the appropriate tool for this case.  the WCF Web API that I heard rumor about appears to still be in development, coming in MVC4.

I will look at that for a future project but not this one... http://wcf.codeplex.com/wikipage?title=WCF%20HTTP

 

----

PS

Time passed, and I found myself playing with some Android development and wanted to hook up to some WCF service when I found out what is probably one of the big reasons why REST adoption is so strong- Android java libraries don't support SOAP well at all even with third party libraries! 

Tags:

Architecture | REST | WCF

An example of one of my most favorite projects

by MikeHogg 21. May 2012 18:58

One time I inherited a system of sorts that supported a single user, with her third party data warehouse application.  We didn’t support the warehouse, but we were supposed to get the data extracts that she imported into the warehouse at monthly intervals.  The existing IT process was very manual, and very time intensive.  As well as involving data from 4 different sources and the queries or processes to get them, it involved a dozen files per run, sometimes up to three people from different departments, with several runs per month, taking four to eight hours each run, and no history or state tracking except to keep the files in folders forever. 

 

The initial attempt to automate this also left behind a number of files and processes to maintain, and it had been running for over a year with 60 monthly man hours of IT dedicated to it and now several hundred files, folders, and processes in assorted locations.

 

This is one of my favorite jobs.  People put a mess in front of me and I turn it into something easy to use that saves time.  One of the things that bugged me about the existing process was that there was no history and it took too long.  I expanded our small database to include tables for each of our entities, and started automating the extracts in a nightly process.  This had the effect of making the user’s request time drop from several hours for the complicated queries to almost instant since we were now caching the data ourselves, as well as provided an easy way for IT to hook into historic runs. 

 

Another thing that I wanted to change was to streamline the steps.  The existing process exported from data sources, inserted into databases, extracted into files, joined with other datasources, imported into databases again.  So I built an SSIS package that did the data transformations on our Oracle database and inserted the data directly into the warehouse MSSQL server.  This removed the need for the files and a whole staging process, and made the whole process easier to maintain from an IT perspective.

 

Another thing that I wanted to change was to remove the IT resource component.  I don’t believe IT needs to be involved for day to day business operation requests, unless something breaks.  So I built a simple WPF click-once intranet application with a handful of features, enabling the user to run the whole extract/import instantly for any date they choose, and even view the data by Excel export if they want.  I like that it not only provided so much convenience for the user, but that it dropped the IT cost to maintain from an average of 60 monthly man hours to almost zero.

Tags:

Automation | Me

An example of one of my least favorite projects

by MikeHogg 16. May 2012 14:36

One of my least favorite projects where I had control over the outcome was my first WPF project. I had been doing aspnet web apps and winform apps for a few years. I hadn’t really learned a lot about patterns or architecture, but I was exposed to a senior consultant who had a particular effect on me. Under his influence, I started to open my eyes to new technology. I realized that I needed to accelerate my learning or my career was not going to go anywhere.

So among other things, I tried WPF for my next project instead of Winforms. The problem was, that I applied the event driven, static design of Winforms to WPF and it was not built for that.

Once I had invested enough time in the initial design and started to hit my first roadblocks, I realized that WPF was built to work against a pattern called MVVM, and I didn’t want to learn a new pattern on top of a new framework. I kept hitting roadblocks in UI development and each time I found solutions were always in MVVM and so they were not available to me. I ended up writing lots of hacks and disorganized code instead of learning about MVVM.

I delivered in nine months but it was a long nine months. My immediate next opportunity was a small deliverable, and I did that in WPF while learning MVVM, and realized my mistake. I was amazed at how easy it was if I used the correct pattern.  New technologies are as much, if not more, about patterns as they are about the nuts and bolts.

Tags:

Architecture | Me

Password hashing

by MikeHogg 11. May 2012 15:08

After some research this year, since the last time I had to write any password system was in 2006 or 2007, I am under the impression that the BCrypt library is the defacto standard in encryption and is available in C#.  the main point going for BCrypt is that it has a difficulty factor built in.  This prevents super hardware from brute forcing requests at sub millisecond attempts if it can get to it, and so limits dictionary attacks. 

 

Using it is simple.  I drop this BCrypt file into each of my projects.  BTW in it you will find the header with links to the project doc and license info.

BCrypt.cs (34.97 kb)

 

Now, your Membership provider just needs to store passwords BCrypted, like so

       public static bool SavePassword(string username, string newPassword)
        {
            string salt = lib.BCrypt.GenerateSalt(6);
            string hash = lib.BCrypt.HashPassword(newPassword, salt);
 
            return lib.DatabaseHelper.SavePassword(username, hash);
        }

(the SALT is the difficulty factor)

... and use the Bcrypt library to test passwords with its verify() method like this

public override bool ValidateUser(string username, string password)
{
    string hash = GetPassword(username, null);
    if (hash.Equals(string.Empty)) return false;
    return lib.BCrypt.Verify(password, hash);
}

Tags:

C# | Encryption

Logging From Day One (and Exception Handling)

by MikeHogg 9. May 2012 09:50

NLog is so easy to use, it really is like plug and play. Or drag and drop. Add dll to your References. Add this to your web.config, use either file, or db table(what I use). Then, in any class you want to use Logger, just add a line for the static instance:

    public class HomeController : MH.Controllers.AController
    {
        private static NLog.Logger logger = NLog.LogManager.GetCurrentClassLogger(); 

 

 

And then to use it:

 

    logger.Info("Some mess");

 

No reason not to have logging available in every web app from the start. I usually use a Log table described like my web.config shows here


<configuration>
  <configSections>
    <section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/>...  </configSections>
...  <nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <targets> 
      <target name="db" xsi:type="Database" connectionStringName="CONN"
              commandText="insert into Log(Level, Source, Message, Audit_Date) values(@level, @logger, @message, @time_stamp);">
        <parameter name="@time_stamp" layout="${date}"/>
        <parameter name="@level" layout="${level}"/>
        <parameter name="@logger" layout="${logger}"/>
        <parameter name="@message" layout="${message}"/>
      </target> 
    </targets>
 
    <rules>
      <logger name="*"  writeTo="db"></logger> 
    </rules>
  
  </nlog>

If you can't get it to start working, try using a log file first, or you can add atts like this example:
  <nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        internalLogFile="c:\mike.log" internalLogToConsole="true" throwExceptions="true">
    <targets>
      <target xsi:type="File" name="file" fileName="${basedir}/n.log" />

Oh and while we're here, ELMAH is always in my projects even before NLog.  It's just as easy, and actually comes with more features.  I use it with teh DB Table, and automatic emails.  This is all you need to get up and running...

<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
      <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
      <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>...
 
    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>
...  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"> 
        <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
        <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
        <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules> 
  </system.webServer>... and 
  <elmah>
    <!--
        See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for 
        more information on remote access and securing ELMAH.   -->
    <security allowRemoteAccess="true" />
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="CONN"   >
    </errorLog>
    <errorMail
       to="mike.hogg@havasdiscovery.com"
       subject="[ELMAH] ACMT_Web Exception"  >
    </errorMail> 
    
  </elmah>
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <!-- 
        See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for 
        more information on using ASP.NET authorization securing ELMAH.      -->
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>
</configuration> 

There's a db script to create the necessaries. I think that's it.  Comes with an Admin Area automatically and a dashboard app, if you set up authorization in your web then you should be able to see it with the Admin role and no further configuration.  ELMAH is good for catching all uncaught exceptions.  It has replaced my standard libraries and error handling methods in global.asax.

 

I also set up my own ErrorController, and some views, for my handled (known) errors.

public class ErrorController : AController
    {
        public ActionResult Index()
        { 
            Models.Error e = GetError();
            e.Title = "Error!";
            e.Message = "We are sorry.  An error has occurred.  Please try again or contact support";
 
            return View(e);
        }
 
        public ActionResult NotFound()
        {
            Models.Error e = GetError();
            e.Title = "Page Could Not Be Found";
            e.Message = "Sorry, that page could not be found";
 
            return View(e);
        }
 
        private Models.Error GetError()
        {
            Models.Error result = new Models.Error();
            Exception ex = null;
 
            try
            {
                ex = (Exception)HttpContext.Application[Request.UserHostAddress.ToString()];
            }
            catch { }
 
            if (ex != null) result.Exception = ex;
            
            return result;
        }

If you want to manually log errors in your app using ELMAH, just do this (wrapped in my lib/logger library):

 

 

public static void LogWebException(Exception ex)
        {
            try
            {
                Elmah.ErrorSignal.FromCurrentContext().Raise(ex, System.Web.HttpContext.Current);

 

Or... add a filter to Exception handling and in that hook tell ELMAH to log handled. Now all of your handled exceptions will be logged also.

namespace MH.Web.Mvc3.Controllers
{
    public class ElmahHandledErrorLoggerFilter : IExceptionFilter
    {
        public void OnException(ExceptionContext context)
        {
            // Log only handled exceptions, because all other will be caught by ELMAH anyway.
            if (context.ExceptionHandled)
                Elmah.ErrorSignal.FromCurrentContext().Raise(context.Exception);
        }
 
        // ADD THIS TO GLOBAL ASAX
        ///public static void RegisterGlobalFilters (GlobalFilterCollection filters)
        //{
        //    filters.Add(new ElmahHandledErrorLoggerFilter());
        //    filters.Add(new HandleErrorAttribute());
        //}
    }
}

 

 

 

ELMAH has a habit of becoming bothersome with all the 404s for robot.txt.   Put this in  your web.config to stop them..

 

 

    <errorFilter>
      <test>
        <or>
          <and>
            <equal binding="HttpStatusCode" value="404" type="Int32" />
            <equal binding="Context.Request.Path" value="/favicon.ico" type="string" />
          </and>
          <and>
            <equal binding="HttpStatusCode" value="404" type="Int32" />
            <equal binding="Context.Request.Path" value="/robots.txt" type="string" />
          </and>
        </or>
      </test>
    </errorFilter>
    
  </elmah>

About Mike Hogg

Mike Hogg is a c# developer in Brooklyn.

More Here

Favorite Books

This book had the most influence on my coding style. It drastically changed the way I write code and turned me on to test driven development even if I don't always use it. It made me write clearer, functional-style code using more principles such as DRY, encapsulation, single responsibility, and more. amazon.com

This book opened my eyes to a methodical and systematic approach to upgrading legacy codebases step by step. Incrementally transforming code blocks into testable code before making improvements. amazon.com

More Here