
ASP.NET MVC security and user management done the right way - jelf
http://aspsecuritykit.com
======
javert
If you're the author of that site... You should get someone who's really good
at editing English to polish up the language. There are some obvious, little
mistakes. For example, "some bonus" should be "a bonus" or "a (bigger) bonus"
or something like that.

Maybe I'm the only one who actually cares about this kind of thing, but to me,
little mistakes make something look unprofessional, or make me assume I'm
dealing with a person who can _only_ write code and doesn't have a broader
perspective on things.

~~~
varunkho
Hi, author here. Thanks for the feedback. I'll definitely get this corrected.

------
varunkho
Hi, author here! If you have any feedback or suggestions, do let me know. You
can also drop me a mail – varun@ASPSecurityKit.net

ASP Security Kit is my humble attempt to solve the membership management problem
for applications built on the ASP.NET MVC platform. I have periodically observed
that there are many common but essential requirements for most real-world web
applications that aren't served well, like action-based and resource (entity
record) aware authorization. ASK handles all such must-have requirements
pretty transparently and is highly flexible. This is because it's been
developed and actively improved as the basis of many consultancy projects I
have undertaken over the years.

It also has many nice-to-have things and many more things planned. I'm pretty
excited about it and, looking at the traffic I have received, many others feel
the same way. So thanks everyone for logging on to the site and special thanks
to those who have shown interest and provided their email! I'll soon get in
touch with you all personally sharing the progress and launch date.

~~~
SideburnsOfDoom
You say that it "Implements salted password hashing" but you don't mention the
details of the method. Which method is it - bcrypt, md5, scrypt, sha1, pbkdf2
or something in-house? Why not say which?

I confess that I had to look up "key stretching". Is it usual to do this, and
why do you do it?

~~~
varunkho
Glad you asked this. That is just a pre-launch page so it does not go into
detail at length. Nothing built in-house – it uses salted password hashing
with PBKDF2-SHA1 and key stretching as mentioned on [0]. Password hashing is
too delicate to write a custom algorithm.

[0] http://crackstation.net/hashing-security.htm

"Salt ensures that attackers can't use specialized attacks like lookup tables
and rainbow tables to crack large collections of hashes quickly, but it
doesn't prevent them from running dictionary or brute-force attacks on each
hash individually. High-end graphics cards (GPUs) and custom hardware can
compute billions of hashes per second, so these attacks are still very
effective. To make these attacks less effective, we can use a technique known
as key stretching. The idea is to make the hash function very slow, so that
even with a fast GPU or custom hardware, dictionary and brute-force attacks
are too slow to be worthwhile. The goal is to make the hash function slow
enough to impede attacks, but still fast enough to not cause a noticeable
delay for the user."

~~~
SideburnsOfDoom
Good answer, thanks.

I intentionally gave you some good options (PBKDF2, bcrypt) and some really
bad ones (MD5, in-house) to choose from. I assume that you are using a tested
and trusted library to implement PBKDF2?

But isn't the work factor - the "number of iterations" in PBKDF2 - doing the
same thing as key stretching, i.e. "make the hash function very slow"? There
is also a similar parameter in bcrypt. So you don't need to add anything else
special to the crypto, and indeed shouldn't.

~~~
varunkho
No third-party library. It uses standard algorithms like Rfc2898DeriveBytes
(for PBKDF2), RNGCryptoServiceProvider etc. defined in
System.Security.Cryptography (bundled into the .NET framework).
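The exchange above turns on two points: that the PBKDF2 iteration count is the key stretching (there is no separate step to add), and that the hash is produced by a standard library routine. Below is an added example that is not part of this thread and not ASP Security Kit's code: it uses Python's standard `hashlib.pbkdf2_hmac`, which computes the same PBKDF2-HMAC-SHA1 function that .NET's `Rfc2898DeriveBytes` does with its default SHA-1 PRF, so the record format, the default iteration count and the helper names are assumptions chosen for illustration. The stored record carries the salt and the iteration count, so the work factor can be raised later without invalidating existing accounts, and verification compares in constant time.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed policy values for this example; tune per deployment with calibrate_iterations().
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16          # 128-bit random salt per password
DERIVED_KEY_BYTES = 20   # SHA-1 output length, matching PBKDF2-SHA1 as discussed above


def pbkdf2_sha1(password: str, salt: bytes, iterations: int,
                dklen: int = DERIVED_KEY_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA1 (RFC 2898). Same function Rfc2898DeriveBytes implements;
    the iteration count is the key stretching knob."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha1$iterations$salt$hash' (base64 fields).
    Storing the iteration count with the hash lets the work factor grow over time."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # CSPRNG, the role RNGCryptoServiceProvider plays in .NET
    dk = pbkdf2_sha1(password, salt, iterations)
    return "$".join([
        "pbkdf2_sha1",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha1":
        raise ValueError("unsupported hash record")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself leaks nothing about where the bytes first differ."""
    iterations, salt, expected = _parse(record)
    actual = pbkdf2_sha1(password, salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record used fewer iterations than current policy;
    call after a successful login to upgrade the record transparently."""
    iterations, _, _ = _parse(record)
    return iterations < target_iterations


def calibrate_iterations(target_seconds: float = 0.1, probe_iterations: int = 10_000) -> int:
    """Estimate an iteration count costing roughly target_seconds on this host:
    slow enough to hurt offline guessing, fast enough not to annoy the user."""
    start = time.perf_counter()
    pbkdf2_sha1("calibration", b"\x00" * SALT_BYTES, probe_iterations)
    elapsed = time.perf_counter() - start
    return max(1_000, int(probe_iterations * target_seconds / max(elapsed, 1e-9)))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:   ", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("suggested iterations for ~100 ms here:", calibrate_iterations())
```

The `pbkdf2_sha1` helper reproduces the RFC 6070 test vectors, which is the easiest way to confirm that a hand-rolled or library PBKDF2 is the standard construction rather than something in-house.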

~~~
NicoJuicy
I'd advise bcrypt for its slow hashing though.

It makes brute forcing harder - longer :-)

~~~
varunkho
No problem – the power of ASP Security Kit lies in its flexibility and
extensibility. You can provide your own implementation for most things,
including hashing routines, if you don't find the existing implementation suited
to your particular needs. Till now, it is either not possible (in some cases)
or difficult (in other cases) in the default ASP.NET implementation for
membership management.

~~~
NicoJuicy
I'll check it out soon.

May I ask, what do you use ASP.NET MVC for?

Myself (@Belgium):

ASP.NET MVC mostly for:
- Ecommerce
- Invoicing application (SMB development)
- DDD application

------
styles
[https://github.com/brockallen/BrockAllen.MembershipReboot/](https://github.com/brockallen/BrockAllen.MembershipReboot/)

------
codeulike
Not Open-Source then. So how do we know that it is secure?

~~~
varunkho
Most of it is installed as source files in your MVC project so you are free to
change and inspect things. This is where protection against XSS/XSRF/over-posting
attacks is handled, as in MVC. Only the core module is delivered as a
closed library. But that is more of a business layer than the security layer.
The best thing about the core module is that every piece is swappable
(including the salted password hashing with key stretching piece) as everything is
based on the service pattern (interfaces and contracts).

~~~
egeozcan
These days, it's really hard to make people trust any library that they can't
see the source of, especially those that manage "sensitive stuff" like
authentication.

~~~
danabramov
I'm not at all sure it's legal, but it has been trivial to view decompiled
source code for any .NET class with tools like Reflector for years. If you
need to see how it's done, you will see it.

