

New Store Encryption Helper class - Part 1

Two months ago, while the Store module was in the release tracker, Brandon Haynes from the Core Team conducted a security review. Brandon is well aware of security risks, PCI compliance and CWE rules. His helpful advice revealed some possible security holes. Thanks again Brandon for your hard work!

One piece of his advice concerned cookie encryption. Currently only the order ID and the cart ID are stored in a session cookie. This is not a real security breach, but it violates some CWE rules: an attacker can forge a cookie and try to access the cart contents of someone else. The cart ID is a GUID generated by the .NET framework when a visitor adds the first product to his cart. Even if it’s difficult to discover a valid cart ID, it’s more secure to encrypt it. Concerning the order number, no one (except Admin) can access orders from someone else, but exposing this value could be a limitation if a PCI security audit is conducted.

First I looked at the PortalSecurity class from the DotNetNuke.Security namespace; two methods allow you to manage encryption, Encrypt(string strKey, string strData) and Decrypt(string strKey, string strData). The main drawback of those methods is the encryption algorithm they use. Many applications, including DotNetNuke, use the DES algorithm to encrypt sensitive data, while it is well known that this algorithm can be easily broken. This is not really a problem for most web sites, but again it could be a limitation in case of a PCI security audit.

The .NET framework provides several classes to manage encryption needs. They are of three kinds: hash, symmetric and asymmetric. The Store encryption helper class covers only symmetric algorithms. Given that the Store module requires strong encryption, I wrote a class to facilitate the use of these algorithms. Using an encryption algorithm is never really easy and requires a general understanding of how it works, because the misuse of such an algorithm may expose you to security holes while you expect to be protected by encryption.
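As an added illustration of the points above (not the Store module's SymmetricHelper nor DNN code), here is a hypothetical helper that protects a cookie value such as the cart ID GUID with AES-256 instead of DES. It uses a fresh random IV for every value and adds an HMAC-SHA256 tag, so a forged or altered cookie is rejected before anything is decrypted; the key names and the startup key generation are assumptions for the demo, a real deployment would load both keys from protected configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not the Store module's SymmetricHelper): AES-256-CBC with a fresh
// random IV per value plus an HMAC-SHA256 tag over IV||ciphertext, so a forged or altered
// cookie is rejected before anything is decrypted.
public static class CookieProtector
{
    // Demo keys generated at startup (constructed for this example); a real deployment
    // loads them from protected configuration so cookies survive an application restart.
    private static readonly byte[] EncKey = new byte[32], MacKey = new byte[32];
    static CookieProtector()
    { using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) { rng.GetBytes(EncKey); rng.GetBytes(MacKey); } }

    public static string Protect(string value)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = EncKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                                  // never reuse an IV under one key
            byte[] plain = Encoding.UTF8.GetBytes(value), body;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                body = Concat(aes.IV, enc.TransformFinalBlock(plain, 0, plain.Length));
            using (HMACSHA256 mac = new HMACSHA256(MacKey))
                return Convert.ToBase64String(Concat(body, mac.ComputeHash(body)));
        }
    }

    // Returns null for a missing, malformed, forged or modified cookie value.
    public static string Unprotect(string token)
    {
        byte[] data; try { data = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return null; }
        if (data.Length < 16 + 16 + 32) return null;           // IV + one AES block + tag
        byte[] body = Slice(data, 0, data.Length - 32), tag = Slice(data, data.Length - 32, 32);
        using (HMACSHA256 mac = new HMACSHA256(MacKey))
            if (!FixedTimeEquals(tag, mac.ComputeHash(body))) return null;   // tampered cookie
        using (Aes aes = Aes.Create())
        {
            aes.Key = EncKey; aes.IV = Slice(body, 0, 16);
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }

    private static byte[] Slice(byte[] a, int off, int len)
    { byte[] r = new byte[len]; Buffer.BlockCopy(a, off, r, 0, len); return r; }
    private static byte[] Concat(byte[] a, byte[] b)
    { byte[] r = new byte[a.Length + b.Length]; a.CopyTo(r, 0); b.CopyTo(r, a.Length); return r; }
    private static bool FixedTimeEquals(byte[] a, byte[] b)   // compares every byte, no early exit
    { int d = a.Length ^ b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) d |= a[i] ^ b[i]; return d == 0; }
}
```

Because the cart ID is a GUID rather than a secret, the HMAC check is what actually stops a forged cookie; the encryption only hides the value from whoever reads the cookie.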

In the next part we will see how symmetric algorithms work and what is required to use them. If you can’t wait, download the class from the SVN repository at CodePlex. The SymmetricHelper class is full of comments, read them!

Gilles
