Strip for Android Preview

2012-07-25 15:15:56 -0400

We mentioned a while back that we were busy working on a port of Strip for the Android platform. Development has been coming along smoothly, and we launched a beta testing program to get feedback from some of our most enthusiastic users, which has been very successful. Below you can see what some of the interface looks like:

If you are interested in using, on the Android platform, the same technology that was identified in the most resilient application to password cracking at the BlackHatEU conference, be sure to sign up here to be notified when Strip for Android is released.

Secure Password Hashing for ASP.NET in One Line

2012-07-03 11:38:35 -0400

Following up to my earlier post about improving the security of the ASP.NET SqlMembershipProvider, and to Troy Hunt's excellently thorough article Our Password Hashing Has No Clothes and further discussions with @thorsheim, @blowdart, and @klingsen (all of whom I recommend following), I took a second look at how to use the algorithms in the Zetetic.Security package without mucking about with machine.config and the .NET Global Assembly Cache, which really complicate the deployment picture.

The bad news is that the .NET base class libraries only read "name-to-algorithm" mappings from machine.config.  I was pretty surprised to see this, but it's plain as day in System.Security.Cryptography.CryptoConfig.OpenCryptoConfig().

The good news is that adding to the HashAlgorithms an application can use is super, super easy.  Start by grabbing the Zetetic.Security package from NuGet; next, one line of code will do the trick (in Global.asax's Application_Start, for example):

System.Security.Cryptography.CryptoConfig.AddAlgorithm( typeof(Zetetic.Security.Pbkdf2Hash), "pbkdf2_local");

Adjust the membership settings in Web.config as per usual:

<membership hashAlgorithmType="pbkdf2_local"><!-- other stuff --></membership>

Voila, your ASP.NET application is now using a much, much stronger password hash algorithm than the (really rather embarrassing) defaults of SHA1 and SHA256.
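To show what the registration does, here is an added example (not code from the original post or from the Zetetic.Security package) that registers a PBKDF2-backed class under a friendly name and then resolves it by that name. `DemoPbkdf2Hash`, the name `pbkdf2_demo`, the iteration count, and passing the salt through `Key` are assumptions made for this sketch, which targets the .NET Framework.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical PBKDF2-backed class for this example (not Zetetic.Security.Pbkdf2Hash).
public sealed class DemoPbkdf2Hash : KeyedHashAlgorithm
{
    private const int Iterations = 5000;   // assumed work factor for the demo
    private readonly MemoryStream _password = new MemoryStream();

    public DemoPbkdf2Hash()
    {
        HashSizeValue = 256;               // size of the derived output, in bits
        KeyValue = new byte[16];           // placeholder until the caller sets Key (the salt)
    }

    public override void Initialize() { _password.SetLength(0); }

    protected override void HashCore(byte[] array, int ibStart, int cbSize)
    {
        _password.Write(array, ibStart, cbSize);   // buffer the password bytes
    }

    protected override byte[] HashFinal()
    {
        // One pass of PBKDF2 (HMAC-SHA1) over the buffered password, salted with Key.
        using (var kdf = new Rfc2898DeriveBytes(_password.ToArray(), KeyValue, Iterations))
            return kdf.GetBytes(HashSizeValue / 8);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same kind of call the post places in Application_Start.
        CryptoConfig.AddAlgorithm(typeof(DemoPbkdf2Hash), "pbkdf2_demo");

        var salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);   // per-password random salt

        // Resolve by name only; no machine.config or GAC entry is involved.
        using (var alg = HashAlgorithm.Create("pbkdf2_demo") as KeyedHashAlgorithm)
        {
            if (alg == null) throw new InvalidOperationException("name not registered");
            alg.Key = salt;
            byte[] hash = alg.ComputeHash(Encoding.Unicode.GetBytes("constructed-sample-password"));
            Console.WriteLine("{0} -> {1}", alg.GetType().Name, Convert.ToBase64String(hash));
        }
    }
}
```

If the `AddAlgorithm` call is removed, `HashAlgorithm.Create` returns null for the unknown name, which is the failure to check for when a Web.config names an algorithm that was never registered.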

 

STRIP for Windows 4th of July Sale

2012-07-03 10:03:52 -0400

From now until July 6th, STRIP Password Manager for Windows is on sale. Just enter the discount code STRIPHAPPY4TH at check-out for 25% off. If you've been using STRIP on your iPhone and you want reliable backups and a desktop editor, STRIP for Windows is for you.

SQLCipher comes to Mono

2012-06-07 16:01:08 -0400

As mobile development continues to grow at a rapid pace, the need for developers to take advantage of their existing expertise in programming languages grows with it. To that end, we've ported SQLCipher to run on both MonoTouch and Mono for Android. You can now develop .NET applications, secured by SQLCipher, running on both iOS and Android platforms. We have prepared licensed binaries for sale here and have tutorials on integrating SQLCipher for MonoTouch as well as SQLCipher on Mono for Android. If you've been looking for a good way to secure your data on major mobile platforms running .NET with SQLCipher, we now have the solution. Take a look!

SQLCipher Core/Android 2.0.5 Released

2012-05-24 17:51:26 -0400

We released version 2.0.5 of SQLCipher Core and SQLCipher for Android. This release builds on the many new changes we introduced in SQLCipher 2.0. Source for SQLCipher Core can be found here. SQLCipher for Android is available as a binary package here and in source format here. Here are some of the changes/additions highlighted in this release:

SQLCipher Core:

  • Based on SQLite 3.7.12.1
  • Add PRAGMA cipher_version to identify the SQLCipher version
  • Improved reporting of HMAC validation failure
  • Enable secure delete (wipes deleted page contents)
  • Detect and report errors if cipher context becomes corrupted

SQLCipher for Android:

  • Everything listed above in SQLCipher Core
  • Add SQLiteDatabaseHook interface providing preKey/postKey hooks into SQLiteDatabase
  • Adjustment to how RO/RW databases are handled in SQLiteOpenHelper
  • Restructure package from info.guardianproject.* to net.sqlcipher.*
  • Removed the build step for OpenSSL; we dynamically link to it
  • Add SQLiteDatabase.upgradeDatabaseFormatFromVersion1To2 to automate migrations from the 1.x to 2.0 database format
  • Add overload to SQLiteDatabase.loadLibs to specify an alternative directory for unzipping the ICU dat file

Please take a look, we welcome feedback. Thanks!