Standing on the shoulders of giants.
# Tuesday, June 10, 2008

When hashing a password, you usually use a salt to make it harder for an attacker to attack the password (see [0]). Since the salt is needed to calculate the hash, the same salt is needed to verify a password.

The submitted Hash( Salt + Password ) must be equal to the stored Hash( Salt + Password ).

The common place to store the salt is in a separate field alongside the hash, but this may cause either one to get out-of-sync with the other. A better solution is to concatenate the salt and the hash and store both in one byte array.

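```csharp
using System;
using System.Security.Cryptography;

// Wrapper class added so the snippet compiles; the name is arbitrary.
class HashSample
{
    static void Main(string[] args)
    {
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        // 16 bytes of cryptographically random salt
        byte[] salt = new byte[0x10];
        rng.GetBytes(salt);

        // PBKDF2 (HMAC-SHA1). The 5 iterations here are far too few for real use;
        // RFC 2898 recommends at least 1000.
        Rfc2898DeriveBytes deriveBytes = new Rfc2898DeriveBytes("the password", salt, /*iterations*/ 5);

        byte[] passHash = deriveBytes.GetBytes(0x100);

        // Value to store: the hash followed by the salt
        byte[] result = Merge(passHash, salt);
    }

    // Concatenates two byte arrays: first, then second.
    private static byte[] Merge(byte[] first, byte[] second)
    {
        byte[] result = new byte[first.Length + second.Length];
        Buffer.BlockCopy(first, 0, result, 0, first.Length);

        Buffer.BlockCopy(second, 0, result, first.Length, second.Length);

        return result;
    }
}
```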

Extracting the salt from the hash is relatively simple:

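```csharp
// Belongs in the same class as Merge. Copies the last `length` bytes
// (the salt) out of the stored hash-plus-salt array.
private static byte[] ExtractSalt(byte[] hash, int length)
{
    byte[] salt = new byte[length];

    Buffer.BlockCopy(hash, hash.Length - length, salt, 0, length);

    return salt;
}
```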

You use this salt to generate the hash for the password you want to check; after appending the salt to the end, both byte arrays must be equal.

[0] See p.350-352 in Practical Cryptography by Niels Ferguson and Bruce Schneier for why salting a password is a good idea.

Sample: HashSample.cs.txt (1.78 KB)

Tuesday, June 10, 2008 4:39:06 AM (Pacific Daylight Time, UTC-07:00)
Codesnippet | Security
# Thursday, June 05, 2008

Yesterday I moved this blog to IIS 7 in integrated mode on Windows 2008, and the fact that you can still read this shows it worked without a problem. This is Scott Hanselman’s guide for the migration, but the only thing you’ll have to change is the httpModule and httpHandler mappings in the web.config, which is something the “appcmd.exe” tool can do for you (the error page shown when running your site with the old web.config shows you how).

Thursday, June 05, 2008 7:32:54 AM (Pacific Daylight Time, UTC-07:00)
dasBlog
# Tuesday, June 03, 2008

In his keynote at Tech•Ed today, Bill Gates made a number of interesting announcements:

  • Silverlight 2 Beta 2 will be released this week, together with Expression Blend 2.5 June 2008 Preview and Microsoft Silverlight Tools beta 2 for Visual Studio 2008 (this version is expected to work with VS 2008 sp 1 beta).
  • The first CTP of the Microsoft project code-named “Velocity,” a distributed, in-memory application cache platform.
  • Visual Studio 2008 extensions for Windows SharePoint Services 3.0 v1.2, which will allow developers to use Visual Studio 2008 for SharePoint development.

"Velocity" especially looks very interesting and was new to me; the other announcements were expected updates to previously released versions.

The keynote is available online at the Microsoft Tech•ED 2008 Virtual Pressroom.

Tuesday, June 03, 2008 10:02:44 AM (Pacific Daylight Time, UTC-07:00)
Conference
# Friday, May 30, 2008

John Lam has an interesting announcement about the current state of IronRuby:

"IronRuby dispatched some simple requests through an unmodified copy of Rails a few days ago. Today, we’re going to show off our progress live at RailsConf. This is an important milestone for IronRuby; it’s our ‘ticket to entry’ to the world of alternative Ruby implementations."

This shows the IronRuby team and Microsoft are serious about making IronRuby a real implementation that follows the standards and is capable of running real Ruby programs. It's especially great to see that compatibility is considered more important than performance at this time.

All other great things about IronRuby are still true:

"IronRuby doesn’t just let you run Rails; it lets you interact with the rich set of libraries provided by .NET. You’ll be able to use IronRuby to build server-based applications that run on top of ASP.NET or ASP.NET MVC. You’ll be able to use IronRuby to build client applications that run on top of WPF or Silverlight. You’ll be able to use IronRuby to test, build and deploy your .NET applications. You’ll be able to run Ruby code in your web browser and have it talk to your Ruby code on your web server. That’s a feature that we feel that many folks will enjoy."

Friday, May 30, 2008 7:10:52 AM (Pacific Daylight Time, UTC-07:00)
IronRuby
# Thursday, May 29, 2008

Since the beta of sp1 for Visual Studio and the .NET Framework was released earlier this month, there have been a number of articles about what's included. What makes this service pack more interesting than, for example, the service pack for Visual Studio 2005 is that new features have been added, not only to Visual Studio but also to the .NET Framework.

Since a lot of posts have been made about the changes and improvements, I won't compile another list. I'll just point out some of the more interesting changes. (If you are interested in a list of changes, Scott Gu has a pretty complete list.)

The most interesting changes and additions for me are:

  1. The improved performance of the installation of the service pack compared to the vs2005 sp. And the fact that the final sp will install over the beta, no need to uninstall.
  2. Inclusion of the Entity Framework, this is no longer a separate download. Some of the fixes in this version of the Entity Framework include support for SQL Server 2008 and improved support for iterative development (the "Update model from database" wizard).
  3. Inclusion of ADO.NET Data Service Framework (Astoria)
  4. Improvements to DataContracts in WCF. The serializer now supports types that aren't annotated with any serialization attributes and better support for object references (and circular references) in DataContracts.

Additional info about the service pack here (yes, more lists ;-)):

Update: Scott Hanselman used NDepend to see what APIs have changed with this service pack. All changes are additive, so the service pack shouldn't break any existing applications. Patrick Smacchia has a complete list of changes.

Thursday, May 29, 2008 8:23:34 AM (Pacific Daylight Time, UTC-07:00)
Development | Visual Studio 2008
# Wednesday, May 28, 2008

A preliminary list of technical sessions has been announced and the registration has been opened for PDC 2008. Some of the interesting sessions:

Architecting Services for the Cloud
From design to implementation, building a scalable, available web service is different from building other kinds of applications. This session will discuss the impact that designing for the cloud has on all stages of the service lifecycle, and how Microsoft's cloud platform works for you to meet the scaling and availability goals of your service

Logical Queuing: Developing Occasionally Connected Clients
With Sync Services for ADO.NET, Sync Framework, etc., what technology should you use to develop applications that enable end-user productivity regardless of network connectivity? The reality is no one technology solves the problem. We will demonstrate how you can build offline-capable rich client applications by combining technologies like ADO.NET and SQL Server Compact Edition with the Microsoft Sync Framework. Next we take an architectural approach for "using the right tool for the right job" and show how many of these technologies actually work best when brought together in a cohesive solution that highlights the values each technology has to offer.

Under the Hood: Architecture of Storage in the Cloud
Get a deeper understanding of the storage architecture and understand how the storage platform can be used to the best of its capabilities. From low-level streams all the way to partitioned tables, cloud storage must be designed and optimized for the scaling demands of the cloud. This session will examine the underlying architecture of each layer of the storage service as well as the data modeling and programming interfaces exposed.

Under the Hood: Building SQL Server Data Services
Learn how we built SQL Server Data Services to address hard distributed systems and operations challenges. We will describe how we solved problems like failure detection, leader election, and automatic failover using a new innovation called Distributed Data Fabric. We will go deep and elaborate on the changes we made to the core SQL Server RDBMS to ship this massively scalable data service. We will also describe the operational systems we use to provision, monitor, and manage SSDS without interrupting the service. Finally, you will learn how we manage and run this service in our datacenters.

The rest of the sessions can be found on the Microsoft PDC 2008 site.

Wednesday, May 28, 2008 5:22:23 AM (Pacific Daylight Time, UTC-07:00)
Conference | PDC2008
# Wednesday, May 14, 2008

Recently I finished 2 books about programming with the Windows Presentation Foundation (WPF), "Programming WPF 2nd edition by Chris Sells & Ian Griffiths" and "Essential Windows Presentation Foundation by Chris Anderson". Both books offer a great introduction to programming WPF, but I think "Programming WPF" is the better book.

The first obvious difference is the difference in size between both books: Programming WPF, with its 835 pages, dwarfs Essential WPF with (only) 458 pages. After the foreword, the first chapter of both books gives you a tour of WPF and an introduction to the topics that will be covered in each. Here the difference already shows: the additional pages in Programming WPF have been used not only to go into more detail on the subjects covered in both, but also to cover additional subjects like 3D and Silverlight (by Shawn Wildermuth).

The thing that makes Essential WPF a very interesting book nonetheless is that, because it's written by one of the architects of the WPF team, it gives insight into why some choices were made, whereas Programming WPF is more a book that describes how to do things (often far better than the documentation).

In the end I am very happy I read both books. Initially I wasn't going to read this edition of Programming WPF because I read the first edition and had Essential WPF and the Petzold book in my reading stack. But after reading it, this book is a huge addition to the first edition, covering more subjects and updating all code to the final version.

If you are only buying one book about WPF buy Programming WPF; if you are interested in some of the architectural choices you should also buy Essential WPF. Hopefully both books will soon have an updated version which will cover the changes made to WPF in .NET 3.5 and .NET 3.5 SP1.

Note: a review of "Application = Code + Markup by Charles Petzold" is coming as soon as I finish reading it.

Wednesday, May 14, 2008 4:59:32 AM (Pacific Daylight Time, UTC-07:00)
Reading | WPF
# Tuesday, April 29, 2008

Sample code to get the first day of the week given a date and a DateTimeFormatInfo.

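```csharp
using System;
using System.Diagnostics;
using System.Globalization;

// Wrapper class added so the snippet compiles; the name is arbitrary.
static class DateHelper
{
    // Returns the first day of the week that contains `date`,
    // using the FirstDayOfWeek of the given format info.
    public static DateTime StartOfWeek(DateTime date, DateTimeFormatInfo dateTimeFormat) {

        Debug.Assert(dateTimeFormat != null, "dateTimeFormat != null");
        if (dateTimeFormat == null) {
            throw new ArgumentNullException("dateTimeFormat");
        }

        DayOfWeek currentDay = date.DayOfWeek;
        DayOfWeek firstDay = dateTimeFormat.FirstDayOfWeek;

        int difference = (int)firstDay - (int)currentDay;

        // we always have to move back,
        // since we're interested in the first day of the week
        if (difference > 0) { difference -= 7; }

        return date.AddDays(difference);
    }
}
```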

The attached source file contains the test cases. StartOfCurrentWeek.cs.txt

Tuesday, April 29, 2008 12:47:31 AM (Pacific Daylight Time, UTC-07:00)
Codesnippet
© Copyright 2014
Paul van Brenk