Re: Querystring hash?

From: David Adams (mel1daa@hotmail.com)
Date: 02/07/03


From: "David Adams" <mel1daa@hotmail.com>
Date: Thu, 6 Feb 2003 18:08:42 -0600


Thanks Willem,

Yes - I need to brush up on the cryptography classes in .NET, that's for
sure.

I appreciate your response - it's starting to make sense. I've always had
trouble with this subject. I need integrity more than anything. I don't
want someone keying in a different client id in the querystring and bringing
up someone else's client.

Thanks!

"Willem Poorten" <solissimo@tijd.com> wrote in message
news:3E426E06.8010808@tijd.com...
> Hi David
>
> First of all I suggest you read a bit about cryptographic primitives ;)
>
> The sensitive information you send to the user can be protected by:
>
> 1)
> Encryption with a secret key on your server.
> Only you can decrypt it when it returns.
> An exception will be thrown when the encrypted string has been
> corrupted. Nobody can fake it because he hasn't got that secret key.
>
> 2)
> A digital signature.
> Digital signing is almost the same as a hash, but in calculating the
> hash, a secret key is involved. This primitive is called a MAC. So only
> you can calculate that hash, in contrast to a secure hash algorithm such as
> SHA1. The difference with option 1) is that the original data cannot be
> restored out of the MAC/digital signature. (one-way encryption)
>
> The question is: do you only need integrity (option 2), or also privacy
> (option 2)?
>
>
>
>
>
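
The keyed-hash (MAC) approach discussed above for protecting a client id in the querystring, as an added example that is not part of the original thread. It assumes .NET 6 or later; `QueryStringSigner`, `Sign`, `Verify`, the URL shape and the sample values are hypothetical, and including the authenticated user name in the MAC is an assumption of this sketch that goes beyond what the thread describes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: MAC-protect a client id carried in a query string.
// Class and method names are hypothetical, not from the thread.
public static class QueryStringSigner
{
    // HMAC-SHA256 over "user\nclientId", returned as hex.
    // Covering the authenticated user name (an assumption of this sketch)
    // keeps a link issued to one user from validating for another user.
    public static string Sign(byte[] key, string user, string clientId)
    {
        // The newline is the field separator, so it may not appear in a field.
        if (user.Contains('\n') || clientId.Contains('\n'))
            throw new ArgumentException("newline not allowed in signed fields");
        using var hmac = new HMACSHA256(key);
        byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\n" + clientId));
        return Convert.ToHexString(tag);
    }

    // Recompute the tag on the server and compare in constant time.
    // Malformed input is treated as a failed check, not as an error page.
    public static bool Verify(byte[] key, string user, string clientId, string tagHex)
    {
        try
        {
            byte[] given = Convert.FromHexString(tagHex ?? "");
            byte[] expected = Convert.FromHexString(Sign(key, user, clientId));
            return CryptographicOperations.FixedTimeEquals(expected, given);
        }
        catch (Exception e) when (e is FormatException || e is ArgumentException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample values; a real key is stored server-side and reused.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        string tag = Sign(key, "alice", "1042");
        Console.WriteLine($"/client.aspx?id=1042&mac={tag}");
        Console.WriteLine(Verify(key, "alice", "1042", tag));  // link as issued
        Console.WriteLine(Verify(key, "alice", "1043", tag));  // id edited in the URL
        Console.WriteLine(Verify(key, "bob", "1042", tag));    // link used by another user
        Console.WriteLine(Verify(key, "alice", "1042", "zz")); // malformed tag
    }
}
```

The MAC only shows that the server issued the value; the page that loads the client record still has to check that the signed-in user is allowed to see it.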


