Strong Password Hashing for ASP.NET, 2014 Refresh

2014-02-17 14:39:01 -0500

As a follow-up to the original Zetetic.Security library that adds PBKDF2 and BCrypt-based HashAlgorithms to .NET, we're pleased to announce the release of Zetetic.Security 1.1.0.0, which provides options for greater work factors when generating password hashes.

The original hash implementations use 5,000 rounds of PBKDF2, and a BCrypt work factor of 10^10.  The 1.1 release adds support for 64,000, 128,000, and 256,000 rounds of PBKDF2, and BCrypt work factors from 10^11 to 10^16.  As before, the best way to use these hash algorithms is by installing Zetetic.Security to the Global Assembly Cache, and updating machine.config to register the new classes.  (Hint: you can find the path to the effective machine.config file in System.Runtime.InteropServices.RuntimeEnvironment.SystemConfigurationFile).


Once installed and registered, the new HashAlgorithms can be used in code as per the following sample (I wrote this one in LinqPad for simplicity's sake):

Of course, bear in mind two important caveats before updating your applications to use any new password hashing strategies:

1. .NET MembershipProviders don't have any way to know what HashAlgorithm generated any particular user's hashed password in storage.  Therefore, changing the hash algorithm will cause your users' logins to fail until they reset their passwords.

2. A stronger hashing algorithm is likely to eat up significantly more CPU cycles.  Plan accordingly so that applying 10^16 rounds of BCrypt doesn't open the door to a denial-of-service attack (or blow your AWS or Azure budget!).
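The following is an added example (not the LinqPad sample from the original post, nor code from the Zetetic.Security project) showing how a HashAlgorithm registered in machine.config is looked up by name and applied the way SqlMembershipProvider encodes hashed passwords, and how to measure the per-login CPU cost that the second caveat warns about. The registered name "PBKDF2-64000" is a placeholder for whatever nameEntry you configured.

```csharp
// Added example; assumes a Zetetic.Security HashAlgorithm has been registered in
// machine.config under the placeholder name "PBKDF2-64000".
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

static class MembershipStyleHashing
{
    const string AlgorithmName = "PBKDF2-64000"; // placeholder registered name

    // Mirrors how SqlMembershipProvider encodes a hashed password:
    // hash(salt bytes + UTF-16LE password bytes), stored as Base64; the salt is stored
    // separately and nothing records which algorithm produced the hash.
    public static string EncodePassword(string password, byte[] salt, string algorithmName)
    {
        using (HashAlgorithm algo = HashAlgorithm.Create(algorithmName))
        {
            if (algo == null)
                throw new InvalidOperationException(
                    "'" + algorithmName + "' is not registered in machine.config");
            byte[] pw = Encoding.Unicode.GetBytes(password);
            byte[] input = new byte[salt.Length + pw.Length];
            Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
            Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
            return Convert.ToBase64String(algo.ComputeHash(input));
        }
    }

    public static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    static void Main()
    {
        byte[] salt = NewSalt();
        var sw = Stopwatch.StartNew();
        string stored = EncodePassword("correct horse battery staple", salt, AlgorithmName);
        sw.Stop();
        Console.WriteLine("hash: " + stored);
        // Caveat 2: this is the CPU cost of every login attempt; budget for it.
        Console.WriteLine("cost per hash: " + sw.ElapsedMilliseconds + " ms");

        // Caveat 1: the stored value carries no algorithm identifier, so a hash of the
        // same salt and password under the previous algorithm will simply not match.
        string legacy = EncodePassword("correct horse battery staple", salt, "SHA1");
        Console.WriteLine("matches under SHA1? " + (legacy == stored));
    }
}
```

Multiply the measured cost by your expected concurrent login rate before choosing a work factor; that product is the load an attacker can impose with nothing more than failed login attempts.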

Download from Github

View on NuGet

STRIP Status Update

2014-01-28 15:12:23 -0500

At our STRIP meeting today we discussed providing more regular, up-to-date information about what versions of STRIP are currently available and what's on the way, a sort of status page. We haven't decided exactly how we'll implement this but for now we'd like to provide an update here on the blog.

STRIP for iOS 2.2.0 - Released - Jan 22, 2014

Minimum iOS version: 6.0

  • Features a new interface customized for iOS 7
  • Various bug fixes, minor feature improvements
  • Sync-compatible with 2.1.0
  • Crashes on sync with Google Drive on 64-bit devices

STRIP for Android 2.2.0 - Released - Jan 22, 2014

Minimum Android version: 2.1

  • Various bug fixes, minor feature improvements
  • Sync-compatible with 2.1.0

STRIP for Windows 2.1.0 - Released - Nov 12, 2013

Minimum Windows version: Windows XP

  • Updates encryption engine to SQLCipher 3
  • Increases PBKDF2 key derivation from 4,000 to 64,000
  • Requires min version 2.1.0 for sync

STRIP for OS X 2.1.0 - Released - Nov 12, 2013

Minimum OS X version: 10.6 Snow Leopard

  • Updates encryption engine to SQLCipher 3
  • Increases PBKDF2 key derivation from 4,000 to 64,000
  • Requires min version 2.1.0 for sync

STRIP for iOS 2.2.1 - Submitted

Minimum iOS version: 6.0

  • Awaiting review from Apple
  • Fixes crash on 64-bit devices during Google Drive sync

Tempo Maintenance, Tuesday January 28th at 10 PM EST

2014-01-27 15:53:13 -0500

This Tuesday night, January 28th 10pm EST, Tempo and other web systems will be temporarily unavailable while we perform critical patch updates to ensure the stability of our services.

This maintenance outage will also affect the Tempo API, the Connect website, and the site for Codebook.

Down time could last up to 1 hour, however we believe it will be completed much more quickly. If you need to get in touch with us for any reason, please don’t hesitate.

STRIP 2.2.0 for iOS and Android Released

2014-01-23 12:12:54 -0500

We just released STRIP 2.2.0 in the iTunes App Store and the Google Play store for Android. The iPhone and iPad versions feature a new interface adapted to iOS 7, and both iOS and Android versions bring various bug-fixes, stability improvements, and minor feature updates and adjustments. We're quite curious to hear what our customers have to say about the new look, so we'll spare you the screenshots and ask that you go check it out and tell us what you think.

Compatibility:

STRIP 2.2.0 is sync-compatible with all versions of STRIP 2.1.0. For iOS versions, the new minimum OS version is iOS 6.0. For Android versions, the minimum OS version remains Android 2.1.

iOS changes:

  • Clean, elegant new iOS 7 style user interface
  • 64 bit support for newer iPhone and iPad devices
  • Allow sorting of field labels alphabetically
  • Moves auto-lock settings to encrypted database
  • New preference to clear pasteboard on exit
  • Allows masking of note fields on entry view
  • Fixes issue where backup database might not properly be removed
  • Fixes issue authorizing Drive sync with 2-step authentication
  • Fixes keyboard switching login bug

Android changes:

  • New integrity check feature in Settings
  • Secures STRIP from screenshot capture during application switching
  • Various bug fixes and stability improvements

Download the latest:

Note: Amazon 2.2.0 version update may take a little while to appear in the Amazon App Store for Android, if it's not available now please check again later.

Introducing SQLCipher for Windows Phone 8 and Windows Runtime

2014-01-13 10:59:06 -0500

We are happy to announce the immediate availability of new SQLCipher Commercial Edition packages for Windows Phone 8 and Windows Runtime 8/8.1. Over the past year, interest and adoption of these platforms has increased dramatically, and SQLCipher is now able to provide a quick and easy way to secure application data. This is particularly exciting because SQLCipher libraries now offer a common, interoperable, secure database solution across major mobile, tablet, and desktop platforms.

Application Integration

The new SQLCipher libraries integrate seamlessly within Visual Studio. The client API is based on the popular sqlite-net library, which provides a compact ORM and both synchronous and asynchronous interfaces. As with other integrations, applications use the high level API to manipulate data using the ORM and/or SQL, while SQLCipher works behind the scenes to manage all aspects of security, including key derivation and on-the-fly encryption and decryption of the database pages.


This architecture supports rapid implementation on both platforms, and applications that already use SQLite on Windows Phone or Windows Runtime can be converted to SQLCipher in as little as a few hours. Applications using these new SQLCipher libraries for Windows Runtime can easily interoperate with and access SQLCipher databases generated on other platforms, including iOS, Android, and Windows Desktop. Furthermore, both packages include CipherCare Plus, providing prioritized and confidential email support directly from the SQLCipher development team to help integrators get up and running quickly.

Technical Details

SQLCipher for Windows Phone 8 and Windows Runtime are based on the latest version of SQLCipher 3, and take advantage of many of the newest features. Porting SQLCipher to run on Windows Phone 8 and Windows Runtime introduced some unique challenges. On some other platforms, SQLCipher relies on OpenSSL for underlying cryptographic operations; however, OpenSSL is not easily supported on either Windows Phone 8 or Windows Runtime. Thus, the new packages take advantage of SQLCipher's pluggable crypto providers, allowing the use of LibTomCrypt's AES implementation and the Fortuna PRNG. Particular care is taken to seed the PRNG entropy pool with a rich, externally sourced, cryptographically secure random data block, which is fed into the crypto provider using the new PRAGMA cipher_add_random. Finally, databases created using SQLCipher benefit from strong default key derivation using 64,000 iterations of PBKDF2 to protect against brute force and dictionary based attacks.
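As an added example (not code from the SQLCipher for Windows Runtime package or from this post), the sequence described above: seed the LibTomCrypt/Fortuna pool through PRAGMA cipher_add_random with bytes from the platform CSPRNG, then supply the passphrase for PBKDF2 key derivation, then use the sqlite-net ORM as usual. It assumes the package exposes the standard sqlite-net SQLiteConnection API (CreateTable/Insert/Table/Execute) and accepts SQLCipher PRAGMAs through Execute.

```csharp
// Added example; assumes the sqlite-net SQLiteConnection API and that SQLCipher
// PRAGMAs can be issued through Execute. Not the package's own sample code.
using System;
using SQLite;
using Windows.Security.Cryptography;

public class Secret
{
    [PrimaryKey, AutoIncrement] public int Id { get; set; }
    public string Label { get; set; }
    public string Value { get; set; }
}

public static class SecureStore
{
    // Quote a value for use inside a PRAGMA string literal (PRAGMAs take no bound parameters).
    static string Quote(string s) { return "'" + s.Replace("'", "''") + "'"; }

    public static SQLiteConnection Open(string dbPath, string passphrase)
    {
        var conn = new SQLiteConnection(dbPath);

        // Seed SQLCipher's Fortuna PRNG with 256 bytes from the platform CSPRNG. The
        // LibTomCrypt provider has no OpenSSL entropy source, so this comes from outside.
        string hex = CryptographicBuffer.EncodeToHexString(CryptographicBuffer.GenerateRandom(256));
        conn.Execute("PRAGMA cipher_add_random = \"x'" + hex + "'\"");

        // Derive the key from the passphrase (SQLCipher 3 default: 64,000 PBKDF2 iterations).
        conn.Execute("PRAGMA key = " + Quote(passphrase));

        // On an existing database, the first real statement fails if the passphrase is wrong.
        conn.CreateTable<Secret>();
        return conn;
    }

    // Constructed sample row; returns the row count so the caller can confirm access.
    public static int Demo(string dbPath, string passphrase)
    {
        using (var conn = Open(dbPath, passphrase))
        {
            conn.Insert(new Secret { Label = "api-token", Value = "constructed-sample-value" });
            return conn.Table<Secret>().Count();
        }
    }
}
```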

Get Started

SQLCipher continues to support critical application developer requirements for easy to use data storage security. If you are interested in using SQLCipher on Windows Phone 8 or Windows Runtime, please check out our Commercial Edition page to order now or request a trial. If you have any questions, reach out to us and we'd be glad to help!