ASP.NET MVC security and user management done the right way (aspsecuritykit.com)
16 points by jelf 1366 days ago | 16 comments

If you're the author of that site... You should get someone who's really good at editing English to polish up the language. There are some obvious, little mistakes. For example, "some bonus" should be "a bonus" or "a (bigger) bonus" or something like that.

Maybe I'm the only one who actually cares about this kind of thing, but to me, little mistakes make something look unprofessional, or make me assume I'm dealing with a person who can only write code and doesn't have a broader perspective on things.

Hi, author here. Thanks for the feedback. Will definitely get this corrected.

Hi, author here! If you have any feedback or suggestions, do let me know. You can also drop me a mail – varun@ASPSecurityKit.net

ASP Security Kit is my humble attempt to solve the membership management problem for applications built on the ASP.NET MVC platform. I have periodically observed that there are many common but essential requirements for most real-world web applications that aren't served well, like action-based and resource (entity record) aware authorization. ASK handles all such must-have requirements pretty transparently and is highly flexible. This is because it's been developed and actively improved as a basis of many consultancy projects I have undertaken over the years.

It also has many nice-to-have things and many more things planned. I'm pretty excited about it and, looking at the traffic I have received, many others feel the same way. So thanks everyone for logging on to the site and special thanks to those who have shown interest and provided their email! I'll soon get in touch with you all personally, sharing the progress and launch date.

You say that it "Implements salted password hashing" but you don't mention the details of the method. Which method is it - bcrypt, md5, scrypt, sha1, pbkdf2 or something in-house? Why not say which?

I confess that I had to look up "key stretching". Is it usual to do this, and why do you do it?

Glad you asked this. That is just a pre-launch page so it does not go into detail at length. Nothing built in-house – it uses salted password hashing with PBKDF2-SHA1 and key stretching as mentioned on [0]. Password hashing is too delicate to write a custom algorithm.

[0] http://crackstation.net/hashing-security.htm

"Salt ensures that attackers can't use specialized attacks like lookup tables and rainbow tables to crack large collections of hashes quickly, but it doesn't prevent them from running dictionary or brute-force attacks on each hash individually. High-end graphics cards (GPUs) and custom hardware can compute billions of hashes per second, so these attacks are still very effective. To make these attacks less effective, we can use a technique known as key stretching. The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile. The goal is to make the hash function slow enough to impede attacks, but still fast enough to not cause a noticeable delay for the user."

Good answer, thanks.

I intentionally gave you some good options (PBKDF2, bcrypt) and some really bad ones (MD5, in-house) to choose from. I assume that you are using a tested and trusted library to implement PBKDF2?

But isn't the work factor - the "number of iterations" in PBKDF2 - doing the same thing as key stretching, i.e. "make the hash function very slow"? There is also a similar parameter in bcrypt. So you don't need to add anything else special to the crypto, and indeed shouldn't.

No third-party library. It uses standard algorithms like Rfc2898DeriveBytes (for PBKDF2), RNGCryptoServiceProvider etc. defined in System.Security.Cryptography (bundled into the .NET framework).

I'd advise bcrypt for its slow hashing though.

It'd make brute forcing harder - longer :-)

No problem – the power of ASP Security Kit lies in its flexibility and extensibility. You can provide your own implementation for most things, including hashing routines, if you don't find the existing implementation suited to your particular needs. Until now, it is either not possible (in some cases) or difficult (in other cases) in the default ASP.NET implementation for membership management.

I'll check it out soon.

May I ask, what do you use ASP.NET MVC for?

Myself (@Belgium):

ASP.NET MVC mostly for:
- Ecommerce
- Invoicing application (SMB development)
- DDD application

I appreciate the effort, but I would never use something like this which is not open source.

Not Open-Source then. So how do we know that it is secure?

Most of it is installed as source files in your MVC project, so you are free to change and inspect things. This is where protection against XSS/XSRF/over-posting attacks is handled, as in MVC. Only the core module is delivered as a closed library. But that is more of a business layer than the security layer. The best thing about the core module is that every piece is swappable (including the salted password hashing with key stretching piece), as everything is based on the service pattern (interfaces and contracts).

These days, it's really hard to make people trust any library that they can't see the source of, especially those that manage "sensitive stuff" like authentication.

I'm not at all sure it's legal but it has been trivial to view decompiled source code for any .NET class with tools like Reflector for years. If you need to see how it's done, you will see it.
