Category Archives: .NET

Where Are The Constant Time Comparisons on .NET?

Written by William Roush on May 25, 2017 at 9:31 am

When cryptography is involved, a major rule is king: never write your own cryptography code. Well if this is the case why am I writing my own constant time comparisons in .NET?

StackOverflow took down my post as “Opinion based” so I’m posting it here so it doesn’t end up delisted on Google. I should probably do a write-up on why I struggle to contribute to StackOverflow at some point…

Constant-time comparisons are extremely important in cryptography code. A normal comparison bails out as soon as it finds a mismatch; however, this leaks information about how many leading bytes you got right before the comparison failed. If an attacker is guessing some kind of key (e.g. comparing a submitted API key to the expected one), this can be catastrophic.

There are currently two open implementations for constant-time comparison methods, one in BouncyCastle and one in SecurityDriven.Inferno:

https://github.com/bcgit/bc-csharp/blob/1cdf80bc3f540b5531c158dacf4d67976b028fef/crypto/src/util/Arrays.cs – Org.BouncyCastle.Utilities.Arrays

https://github.com/sdrapkin/SecurityDriven.Inferno/blob/cfba069191247c8e24b096fd0f2dd899b5a25747/Utils.cs – SecurityDriven.Inferno.Utils.ConstantTimeEqual

http://securitydriven.net/inferno/ see: Constant-time Equality

My biggest hangup with SecurityDriven.Inferno is that ConstantTimeEqual will throw if the lengths aren’t the same. Throwing incurs a lot of overhead and disrupts program flow and I’d rather stay away from it. So generally your option is BouncyCastle (Edit: Lex pointed out below that BouncyCastle leaks the length of the byte array, so if that is a concern to you then Inferno is probably more of what you’re looking for).
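To make the trade-off concrete, here is an added example (my own code, not the post's and not BouncyCastle's or Inferno's implementation) of a comparison that never exits early on a data mismatch and does not throw when the lengths differ. Like the BouncyCastle version it still reveals the length difference through its running time (the loop bound is the longer input), which is exactly the point raised in the edit above. The sample keys are constructed for the demo.

```csharp
using System;
using System.Text;

public static class ConstantTimeCompare
{
    // Typical use: comparing a caller-supplied API key or MAC tag against the
    // expected value. The loop always walks the whole longer array and folds every
    // difference into 'acc' with OR/XOR, so the time does not depend on *where*
    // a mismatch occurs. It does depend on the lengths, which are not secret here.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null) throw new ArgumentNullException(nameof(a));
        if (b == null) throw new ArgumentNullException(nameof(b));

        int lenA = a.Length;
        int lenB = b.Length;

        // An empty array cannot be indexed with the modulo trick below. This branch
        // depends only on the lengths, which the loop bound already reveals.
        if (lenA == 0 || lenB == 0)
            return lenA == lenB;

        int max = lenA > lenB ? lenA : lenB;
        int acc = lenA ^ lenB;           // non-zero if the lengths differ

        for (int i = 0; i < max; i++)
        {
            // Wrap the index on the shorter array so each iteration does the same
            // work no matter which input is shorter; the divisor depends on lengths only.
            acc |= a[i % lenA] ^ b[i % lenB];
        }

        return acc == 0;
    }

    // Early-exit comparison, shown for contrast: it stops at the first mismatching
    // byte, which is what leaks "how many bytes were right".
    public static bool NaiveEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample values for the demo.
        byte[] expected = Encoding.UTF8.GetBytes("correct-api-key-0123");
        byte[] match    = Encoding.UTF8.GetBytes("correct-api-key-0123");
        byte[] lastByte = Encoding.UTF8.GetBytes("correct-api-key-0129");
        byte[] shorter  = Encoding.UTF8.GetBytes("short");

        Console.WriteLine("match:     " + FixedTimeEquals(expected, match));
        Console.WriteLine("last byte: " + FixedTimeEquals(expected, lastByte));
        Console.WriteLine("shorter:   " + FixedTimeEquals(expected, shorter));   // no exception
        Console.WriteLine("naive:     " + NaiveEquals(expected, shorter));
    }
}
```

Two caveats worth keeping in mind: the C# JIT gives no formal guarantee that it will not reorder or short-circuit this loop, and the modulo trick only makes sense when the lengths themselves are not secret (for a MAC tag or API key they normally are not). Later runtimes (.NET Core 2.1 and up) ship System.Security.Cryptography.CryptographicOperations.FixedTimeEquals, which returns false rather than throwing on a length mismatch and is the better choice where it is available.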


Ignoring SSL Certificate Errors On .NET Core On HttpClient

Written by William Roush on December 20, 2016 at 8:28 pm

Had a certificate expire at 8PM EST tonight on a critical project I was supposed to demo; that wasn't going to stop me. Lots of articles don't really go over how to do this now on .NET Core 1.0, so let's cover the code to do so:

using System.Net.Http;

// Accept every server certificate, whatever the validation errors are.
using (var httpClientHandler = new HttpClientHandler())
{
    httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
    using (var client = new HttpClient(httpClientHandler))
    {
        // Make request here.
    }
}

Pretty simple, really.
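Returning true from the callback also silences name mismatches and untrusted roots for as long as the workaround stays in the code. As an added example (not from the post), here is a narrower callback that tolerates only the expired certificate you already know, identified by its thumbprint, and still rejects every other validation failure. The thumbprint value is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ExpiredCertWorkaround
{
    // Placeholder: replace with the SHA-1 thumbprint of the certificate that expired.
    private const string KnownThumbprint = "0000000000000000000000000000000000000000";

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = AcceptOnlyKnownExpiredCert;
        return new HttpClient(handler);
    }

    // Returns true only when the certificate is the pinned one and the sole
    // problem the chain reports is that it is outside its validity period.
    public static bool AcceptOnlyKnownExpiredCert(
        HttpRequestMessage message, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Normal path: a fully valid certificate is always accepted.
        if (errors == SslPolicyErrors.None)
            return true;

        if (cert == null || chain == null)
            return false;

        // Anything other than a chain problem (no certificate, name mismatch) is rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Only the one pinned certificate may be tolerated with chain errors.
        if (!string.Equals(cert.Thumbprint, KnownThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // Every reported chain status must be NotTimeValid; an untrusted root,
        // revocation or any other flag still fails the connection.
        if (chain.ChainStatus.Length == 0)
            return false;

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if ((status.Status & ~X509ChainStatusFlags.NotTimeValid) != 0)
                return false;
        }

        return true;
    }
}
```

Use it as `using (var client = ExpiredCertWorkaround.CreateClient()) { /* request */ }`, and remove the pin once the certificate has been renewed so the exception does not outlive the outage that justified it.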

server.urls Parameter Not Working On Kestrel Server for dotnet Command on ASP.NET Core RC2

Written by William Roush on May 21, 2016 at 3:53 am

Was struggling really hard with getting this command to work:

dotnet run -- --server.urls http://*:5000

Simple command, but it isn't taking! Well, I missed one major thing when upgrading from RC1 to RC2: I now need to pass configuration down to the Kestrel stack, and doing that is pretty easy:

using System.IO;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;

public class Program
{
    public static void Main(string[] args)
    {
        // Read settings such as --server.urls from the command line, with
        // ASPNETCORE_-prefixed environment variables as a second source.
        var config = new ConfigurationBuilder()
            .AddCommandLine(args)
            .AddEnvironmentVariables(prefix: "ASPNETCORE_")
            .Build();

        // Hand that configuration to the host so Kestrel sees server.urls.
        var host = new WebHostBuilder()
            .UseConfiguration(config)
            .UseKestrel()
            .UseContentRoot(Directory.GetCurrentDirectory())
            .UseIISIntegration()
            .UseStartup<Startup>()
            .Build();

        host.Run();
    }
}

Needed to define the “config” variable and pass it to WebHostBuilder using UseConfiguration(). All fixed!

.NET Core And Why I Think it’s Huge!

Written by William Roush on April 18, 2016 at 10:20 pm

.NET Core is not just a large change for how you write code, but for the entire .NET ecosystem. I’m excited about this change from every front and I’m going to tell you why!

What is .NET Core?

.NET Core (previously known as .NET 5.0) is the new streamlined .NET platform by Microsoft. .NET Core takes a lot of lessons learned from pain points on the older .NET 1.0-4.6 platform and fixes a massive amount of it, giving .NET a new breath of life and hoping to make this platform beneficial for all. It appears to not only take lessons from what didn’t work on .NET’s platform, but what did work on other platforms.

What does that mean for developers?

Well, here is the painful part: .NET Core is different, very different. For cross-platform support you'll have to keep an eye on what is .NET Core and what is .NET 4.5; thankfully IntelliSense does a great job of letting you know that:

Watch out for missing implementations between frameworks.

.NET Core is designed to rely heavily on NuGet and have you pick and plug in 3rd party libraries; it is built around smaller assemblies to keep application size down and let you choose only what you need. This is seen with the new Entity Framework Core libraries and how they give you a small slice of functionality (data abstraction) while the individual engines are kept as separate libraries (which is common for ORMs on, say, Node.js).

The shift to using dependency injection heavily as part of the normal application process is wonderful for decoupling your code and making it easily testable; everything is right there, ready to go from the start.

Configuration files being JSON is a huge step up, and ASP.NET integrates Gulp into its build process for JavaScript libraries on both the build and client side (they rely on Bower for client-side scripts). The new project.json file allows for easy extension of your application's behavior. If you're used to .NET's old way of doing things you'll start with "This doesn't work anymore? Ugh… how do you do that…. oh… that's much better!"

What does that mean for platform support?

.Net Core Builds

It means that we're seeing .NET on more platforms than we're used to, as a first class citizen from Microsoft; this means huge things (I'll touch on those later) for the popularity of .NET. Microsoft has even been quoted saying this:

When using third-party tools such as Xamarin, .NET Core should be portable to iOS and Android devices.

And with Microsoft's recent acquisition of Xamarin and pushing it as free, we're probably going to see .NET Core as a solid mobile platform in the near future.

What does this mean for the .NET Community?

A new .NET developer said this to me recently:

Not much of a supportive community around .NET, at least nothing like other languages I have learned.

And I can't help but agree. While I appreciate our local .NET Users Group here in Chattanooga (which has been pretty quiet for a while), I find the subjects of our local Developers Group more interesting. While .NET generally gets paid decently and seems to be in a decent amount of demand here, it seems to be more of the slower, older corporate companies that are hiring and fewer of the smaller agile companies.

I think getting .NET on Linux platforms and putting out solid community editions of Visual Studio may breathe new life into the community: bringing fresh young blood, new ideas and more open source software, and maybe we'll go back to solving hard problems too. It's a huge weak spot in .NET and really hurts adoption, which I think really hurts the available libraries and third party tools (while Microsoft provides some good tools, it is still heavily lacking in 3rd party tooling that isn't just babysitting people who can't write basic menus… where is my Code Climate for .NET?!).

I've been wanting to write an article on the abysmal state of the .NET community, its developers, the skill sets of a lot of them and what kind of code they churn out; this is an excellent opportunity to do so.

What does this mean for businesses?

Well, if you're a startup, maybe in a few years .NET on Linux will be a hot thing. C# 6.0 is a wonderful language and with every iteration it gets more powerful (usually stealing from F#). Getting MSSQL on Linux seems to be the first of many steps for Microsoft to stop pushing its operating system by locking its solutions onto it, and instead push solutions that you'd be happy to pay for due to their ease of use or specific desired features (which for some companies may be completely worth it).

If you've been knee-deep in .NET for years it can mean a few things: .NET Core's performance is insane, which can mean a reduction in required resources for your applications. The build process is a lot easier to keep consistent and extend, so it is less work to automate. Applications being shipped with their runtimes means less effort determining what runtimes are installed and handling them. It is however a large shift, and I would suggest that a lot of .NET developers aren't ready for all this change (more on the community later…).

Of course you can completely ignore it and mostly not deal with it for a while; .NET 4.5 isn't going away anytime soon.

Overall…

I'm excited to no end about this: first because of the fixing of all the problems we've had, but secondly because this may really help the .NET community flourish. Fun new times in the land of .NET.