
Thursday, 14 March 2024

How to Use BCrypt.NET For Password Hashing

To use the BCrypt hashing function for the .NET framework, we must include the BCrypt.Net-Next package in our project:

dotnet add package BCrypt.Net-Next

Once we add the package, we can generate a hash from a clear-text password using the HashPassword() static method in the BCrypt class:

var passwordHash = BCrypt.HashPassword("Password123!");

Moreover, verifying a hash is equally simple using the Verify() static method in the same class:

var result = BCrypt.Verify("Password123!", passwordHash);
Assert.True(result);

Increasing Computational Cost

We can make hashes more resilient to brute force by making the hash calculation purposely slow, so that the many attempts an attacker must perform to break a hash take as long as possible.

As computers become faster, a password-hashing function that was slow a few years ago may take very little time to compute today.

BCrypt can adapt to the increase of available computational power by iterating over the input data several times. The more iterations, the slower the calculation will be. We can control this with the workFactor parameter of the HashPassword() method:

var passwordHash = BCrypt.HashPassword("Password123!", workFactor: 13);

Here, we instruct BCrypt to apply the hashing function 2^13 times to the input string, for a total of 8,192 iterations. If we do not specify a work factor, BCrypt uses a default value of 11.
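
One way to choose a work factor for the hardware the application actually runs on, as an added example (not code from the original article): it times HashPassword() at increasing work factors and returns the first one that reaches a target latency. The 250 ms target and the 10 to 16 range are assumed values for illustration.

```csharp
using System;
using System.Diagnostics;
using BC = BCrypt.Net.BCrypt; // alias: the namespace and the class are both named BCrypt

// Assumed policy values (not from the article): tune them for your own servers.
const int MinWorkFactor = 10;
const int MaxWorkFactor = 16;
var target = TimeSpan.FromMilliseconds(250);

Console.WriteLine($"Calibrated work factor: {Calibrate(target)}");

// Returns the lowest work factor whose single hash takes at least `goal`
// on this machine, capped at MaxWorkFactor.
int Calibrate(TimeSpan goal)
{
    // Warm-up call so JIT compilation does not skew the first measurement.
    BC.HashPassword("warm-up", workFactor: 4);

    for (int wf = MinWorkFactor; wf <= MaxWorkFactor; wf++)
    {
        var sw = Stopwatch.StartNew();
        BC.HashPassword("calibration-password", workFactor: wf);
        sw.Stop();
        Console.WriteLine($"workFactor {wf}: {sw.ElapsedMilliseconds} ms");

        if (sw.Elapsed >= goal)
            return wf;
    }
    return MaxWorkFactor;
}
```

Run it on production-class hardware, since each increment of the work factor doubles the time per hash.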

Analyzing a BCrypt Hash

Whenever we use the HashPassword() method or one of its variants, BCrypt will generate a random salt and include it in the returned hash along with other data needed for the verification process.

This is what a BCrypt hash looks like. Essentially, it is a set of three values separated by a $ character:

$2a$13$gdtRuVYzDLFBUGnN1WxK/.1OFFoD7CbDZjRYGknrOwT9rus5AsqTu


2a stands for the BCrypt algorithm version used to generate the hash.

13 is the work factor.

gdtRuVYzDLFBUGnN1WxK/.1OFFoD7CbDZjRYGknrOwT9rus5AsqTu contains both the salt and the hashed input password concatenated and Base64 encoded. Both values have fixed lengths so they are easy to tell apart.
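
The layout described above can be checked in code. This added example (not from the original article or the BCrypt.NET project) splits a stored hash into version, work factor, 22-character salt and 31-character digest, and flags hashes whose work factor is below a policy minimum so they can be re-hashed at the user's next successful login. The BcryptInfo type, the TryParse helper and the policy value of 12 are assumptions made for the illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Assumed policy value for this example: minimum acceptable work factor.
const int PolicyWorkFactor = 12;

// Hash string taken from the article above.
var stored = "$2a$13$gdtRuVYzDLFBUGnN1WxK/.1OFFoD7CbDZjRYGknrOwT9rus5AsqTu";

if (TryParse(stored, out var info))
{
    Console.WriteLine($"version = {info.Version}");
    Console.WriteLine($"cost    = {info.Cost} ({1 << info.Cost} iterations)");
    Console.WriteLine($"salt    = {info.Salt}");
    Console.WriteLine($"digest  = {info.Digest}");
    Console.WriteLine($"rehash at next login: {info.Cost < PolicyWorkFactor}");
}

// Constructed malformed input: the parser must reject it rather than guess.
Console.WriteLine($"malformed accepted: {TryParse("$2a$13$tooShort", out _)}");

bool TryParse(string hash, out BcryptInfo parsed)
{
    // $<version>$<two-digit cost>$<22-char salt><31-char digest>
    // Salt and digest use bcrypt's own Base64 alphabet: . / A-Z a-z 0-9
    var m = Regex.Match(hash,
        @"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    parsed = m.Success
        ? new BcryptInfo(m.Groups[1].Value, int.Parse(m.Groups[2].Value),
                         m.Groups[3].Value, m.Groups[4].Value)
        : default;

    // bcrypt only defines work factors from 4 to 31.
    return m.Success && parsed.Cost is >= 4 and <= 31;
}

readonly record struct BcryptInfo(string Version, int Cost, string Salt, string Digest);
```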

BCrypt.NET Enhanced Entropy Mode

Although BCrypt is a fairly secure hashing function, the default BCrypt implementation truncates the input password to 72 bytes. This potentially reduces the number of brute-force attempts needed to break a hash.

To overcome this limitation, BCrypt.NET offers an enhanced entropy mode that pre-hashes the input password using SHA384. In this way, the input password turns into a fixed-length string that reflects all the variability of the original password regardless of its length.

Let’s use the enhanced entropy mode with EnhancedHashPassword() and EnhancedVerify() static methods instead of the basic HashPassword() and Verify():

var passwordHash = BCrypt.EnhancedHashPassword("Password123!");
var result = BCrypt.EnhancedVerify("Password123!", passwordHash);
Assert.True(result);

As mentioned, BCrypt uses SHA384 by default for the pre-hash step. However, there may be situations where we need to specify a different algorithm:

var passwordHash = BCrypt.EnhancedHashPassword("Password123!", HashType.SHA512);
var result = BCrypt.EnhancedVerify("Password123!", passwordHash, HashType.SHA512);
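
The 72-byte truncation and the effect of the enhanced entropy mode can be observed directly. This added example (not code from the original article) hashes one long password in both modes and then verifies a second password that differs only after byte 72; per the truncation described above, plain Verify() is expected to accept the second password while EnhancedVerify() rejects it. Both sample passwords are constructed for the demonstration.

```csharp
using System;
using BC = BCrypt.Net.BCrypt; // alias: the namespace and the class are both named BCrypt

// Constructed sample passwords: identical for the first 72 bytes, different afterwards.
var prefix = new string('a', 72);
var original = prefix + "correct-suffix";
var different = prefix + "another-suffix";

// Same password, hashed once in each mode with the default work factor.
var plainHash = BC.HashPassword(original);
var enhancedHash = BC.EnhancedHashPassword(original);

// Plain mode: only the first 72 bytes of the input reach the key schedule.
Console.WriteLine($"Verify, same password:          {BC.Verify(original, plainHash)}");
Console.WriteLine($"Verify, different tail:         {BC.Verify(different, plainHash)}");

// Enhanced mode: the SHA384 pre-hash covers the whole input before bcrypt runs.
Console.WriteLine($"EnhancedVerify, same password:  {BC.EnhancedVerify(original, enhancedHash)}");
Console.WriteLine($"EnhancedVerify, different tail: {BC.EnhancedVerify(different, enhancedHash)}");
```

Hashes created by EnhancedHashPassword() must be checked with EnhancedVerify(), so the mode has to be chosen consistently for every stored credential.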


Source : https://code-maze.com/dotnet-secure-passwords-bcrypt/

Sunday, 10 March 2024

Explain Dictionary Object, ViewData, ViewBag, TempData in ASP.NET

ViewBag, ViewData, and TempData are all Dictionary objects in ASP.NET MVC, and they are used to pass data in various situations.

The following are the situations where we can use TempData and other objects.

  1. Pass the data from Controller to View.
  2. Pass the data from an action to another action in Controller.
  3. Pass the data in between Controllers.
  4. Pass the data between consecutive requests.

What is Dictionary Object?

In C#, a Dictionary is used to store key-value pairs. The Dictionary works the same way as the non-generic Hashtable. It is defined in the System.Collections.Generic namespace. It is dynamic in nature, which means the size of the dictionary grows as needed.

Here is an example:

What is ViewData?

In MVC, when we want to transfer the data from the controller to view, we use ViewData. It is a dictionary type that stores the data internally.

ViewData contains key-value pairs, and each key in the dictionary must be a string.

The only limitation of ViewData is that it can transfer data only from the controller to the view. It cannot transfer data in any other direction, and it is valid only during the current request.

Syntax:

When we want to use the key-value pair to ViewData,

We can also use ViewData in the razor view from controller. Here is the syntax for that:

When we want to add custom objects, arrays, lists, etc. to ViewData and cast them back in the View, we can use the code snippet below:

Figure 1: ViewData Flow

Here is an example of ViewData which shows how to transfer data from controller to view using ViewData.

In this example, ViewData["employees"] is assigned an employeeList, where "employees" is the key and employeeList is the value.

To access ViewData["employees"] in the view, here is the snippet of code you can use.

In simple terms, these are the ways to store data in and retrieve data from ViewData:

Storing:

Retrieving:

In MVC, ViewData keys are not checked at compile time. If we misspell a key name, we do not get a compile error; the mistake only shows up at run time.

For example,

Controller:

View

Figure 2: Output

What is ViewBag?

ViewBag is an object that passes data dynamically from the Controller to the View; the data is passed as properties of the ViewBag object. We do not need to typecast to read the data or to check for null here.

Controller:

View:

Here is an example:

Controller:

View:


Figure 3: Output

What is TempData?

TempData is a dictionary object derived from TempDataDictionary which contains key-value pairs. It is useful when we want to transfer data from the Controller to the View in an ASP.NET MVC application. It persists for a subsequent HTTP request, as opposed to the other options discussed earlier, which last only for the current request.

Although it removes the key-value pair once it is accessed, we can keep it using

Here is an example:

Controller:

View:

Differences between ViewData, ViewBag and TempData:

| ViewData | ViewBag | TempData |
|---|---|---|
| Key-Value Dictionary Object | Type Object | Key-Value Dictionary Collection |
| A property of ControllerBase class | A dynamic property of ControllerBase class | A property of the ControllerBase class |
| Faster | Slower | |
| Introduced in MVC 1.0, available in MVC 1.0 and above | Introduced in MVC 3.0, available in MVC 3.0 and above | Introduced in MVC 1.0, available in MVC 1.0 and above |
| Works with .NET Framework 3.5 and above | Works with .NET Framework 4.0 and above | Works with .NET Framework 3.5 and above |
| Type conversion code is required | Type conversion code is not required | Type conversion code is required |
| Value becomes null if a redirection has occurred | Value becomes null if a redirection has occurred | TempData is used to pass data between two consecutive requests |
| Lies only during the current request | Lies only during the current request | Only works during the current and subsequent request |

Conclusion

Figure 4: Summary

To conclude, it is clear that ViewData is used to pass the data from Controller action to View. Here, we discussed ViewData properties and how to use that in any MVC application.


Source : https://www.red-gate.com/simple-talk/blogs/what-is-viewdata-and-implement-viewdata-in-asp-net-mvc/