Posts
  • .NET Security Blog

    XML Encryption in .Net

    • 11 Comments
    Using XML encryption to encrypt payment information...
  • .NET Security Blog

    Visual Studio Tip: Editing Project Files

    • 11 Comments
    Earlier I mentioned tweaking project files -- something that a lot of people do just by opening the project file up in Notepad and tweaking it. Although it's a bit hard to discover, you can actually do this right within Visual Studio 2005, saving you...
  • .NET Security Blog

    When is ReflectionPermission Needed?

    • 11 Comments
    Reflection and its interaction with security can sometimes be a bit of a confusing matter. The easiest portion to figure out is the permissions needed to use Reflection.Emit. In order to do anything with the reflection emit feature, you'll need to have...
  • .NET Security Blog

    SN v2.0 Works With PFX Files

    • 10 Comments
    One enhancement to the v2.0 SN tool that may not get noticed right away is that it now has the ability to work with PKCS #12 PFX files in addition to SNK files. The logic here is that a self signed certificate stored in a PFX file is the moral equivalent...
  • .NET Security Blog

    The Simple Sandboxing API

    • 10 Comments
    A while back I gave some sample code to show how to set up a sandboxed AppDomain. This technique has worked since v1.0, and will continue to work with Whidbey. However, Whidbey also introduces a simple sandboxing API which eliminates the need for this...
  • .NET Security Blog

    What's New in Security for v2.0

    • 10 Comments
    There's a ton of new and enhanced security features coming with the v2.0 release of the CLR. However, finding a definitive list of them all can be a somewhat challenging task. Dominick Baier has an excellent slide deck detailing some of the changes and...
  • .NET Security Blog

    Test Key Signing

    • 10 Comments
    One feature that will start to show up on the latest CTP of Whidbey is test key signing -- basically delay signing++. Let's do a quick review of what delay signing is, and then see where test key signing takes over. Recall a delay signed assembly is one...
  • .NET Security Blog

    CryptEncrypt and RSACryptoServiceProvider::Encrypt

    • 10 Comments
    The RSACryptoServiceProvider class provides two methods, Encrypt and Decrypt which seem to be the managed counterparts to CAPI's CryptEncrypt and CryptDecrypt functions. However, if you try to encrypt using CAPI and decrypt using managed code, you'll...
  • .NET Security Blog

    Don't Click Here If You Value Your Productivity

    • 10 Comments
    Here's a fun little time waster over on Bungie's website: http://halo.bungie.org/misc/warthog_launch.html
  • .NET Security Blog

    Creating an AppDomain with limited permissions

    • 10 Comments
    Oftentimes in an application, it's necessary to run untrusted code. The CLR lets you do this safely by placing the code in its own AppDomain and sandboxing the AppDomain to have a limited set of permissions. Usually setting up the AppDomain with the Internet...
  • .NET Security Blog

    Deploying Policy on v1.0 and 1.1 of the CLR

    • 9 Comments
    A lot of the time, someone has written an application that won't run under the CLR's default security settings and needs to provide a mechanism for their users to modify the policy easily in order to allow their application to run. For Whidbey, ClickOnce...
  • .NET Security Blog

    Checking For A Valid Strong Name Signature

    • 9 Comments
    Recently a question came up from someone who was trying to have a plugin architecture for their application, but wanted to do some checks before loading a plugin. Specifically, they wanted to ensure that the plugin was signed with a specific public key...
  • .NET Security Blog

    FullTrust Means FullTrust

    • 9 Comments
    One of the items on my long list of blog todo's has been a change that the security team has been calling "FullTrust Means FullTrust" internally. Basically, this change means that demands for identity permissions will now always succeed in FullTrust,...
  • .NET Security Blog

    The Differences Between Rijndael and AES

    • 9 Comments
    When you need to write managed code that encrypts or decrypts data according to the AES standard, most people just plug the RijndaelManaged class in and go on their way. After all, Rijndael was the winner of the NIST competition to select the algorithm...
  • .NET Security Blog

    Browsing the SSCLI in Visual Studio

    • 9 Comments
    I've attached a simple Visual Studio 2005 project that I use for browsing the SSCLI v2 source tree. (Once you've downloaded it, rename the file to remove the .txt extension). The project is good for browsing; however, it will not build or debug the SSCLI...
  • .NET Security Blog

    Column Guides in Visual Studio

    • 8 Comments
    A lot of coding guidelines specify the maximum length for a line of code. For instance in the CLR, we like to keep lines of code under 110 characters long. Visual Studio has a feature which lets you display a vertical line at the column of your choosing...
  • .NET Security Blog

    Elliptic Curve Diffie-Hellman

    • 8 Comments
    The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the ECDiffieHellmanCng class. This is the first time Diffie-Hellman is available as part of the .NET Framework, so let's take a quick look at what it is and what it...
  • .NET Security Blog

    Manifests for IE Hosted Controls

    • 8 Comments
    Earlier this week, I talked about the Orcas feature where controls can declaratively request permissions in a similar way to ClickOnce applications. In fact, the manifests used for this request are the same manifests used for ClickOnce applications, with...
  • .NET Security Blog

    Handling Entry Assemblies that Won't Load: Method 1

    • 8 Comments
    Last week, when I posted about failing to run in partial trust gracefully, the method I showed only worked if your main assembly could be loaded. However, if it has a minimum permission request that cannot be satisfied, your main method won't ever be...
  • .NET Security Blog

    Marking Your Code Transparent

    • 8 Comments
    Last week I discussed the concepts of security transparency and security critical code. Now it's time to get into the how-to's. Marking an Entire Assembly Critical: This is by far the easiest of the operations ... just do nothing [:D]. By default...
  • .NET Security Blog

    How Do You Customize Your Policy?

    • 8 Comments
    As part of planning for our next release, we're interested in collecting some data on how you customize your security policy. We're interested in as much information as you have to offer. For instance, do you mainly add code groups to the machine level...
  • .NET Security Blog

    Impersonation and Exception Filters in v2.0

    • 8 Comments
    A while back, I wrote about a potential security hole when malicious code can set up an exception filter before calling your code which does impersonation. In the final release of v2.0, we've added a feature to help mitigate this problem. The CLR...
  • .NET Security Blog

    Getting Information about an X509Certificate's Key Container

    • 8 Comments
    One of the more common things a lot of people want to do with their X509Certificate2 is figure out what key container its keys are stored in. You can access this information relatively trivially via the PublicKey property of the X509Certificate2 object...
  • .NET Security Blog

    Whidbey's Secure CRT

    • 8 Comments
    One of the features that the Whidbey release of Visual C++ is going to bring is the new Secure CRT. The C++ library team has put a lot of work into creating safe alternatives to the old C runtime library functions that seem to always be behind security...
  • .NET Security Blog

    More Secure XML Digital Signatures

    • 8 Comments
    I've gotten some comments about my XML Digital Signatures entry, pointing out that since I chose to embed the signing key into the document, nothing is preventing anyone from simply removing the signature, modifying the document, and then re-signing with...