CryptoAPI



Thread: CryptoAPI

  1. #1
    Eli Allen Guest

    CryptoAPI

    Are there any plans for MS to make the CryptoAPI scriptable so it can be used
    directly in ASP? I mean there are times when I want a one way hash or
    private key encryption to keep data secure and since the CryptoAPI is
    considered secure (i.e. uses good algorithms and its implementation has been
    tested) that would be much better than trying to implement it myself
    (finding the code to implement the algorithm, not to mention speed of the code)
    or trusting some other third party component, especially since you don't
    know what algorithm they are using.

    Plus there would be the added benefit of being able to use it client side
    using a MS supplied ActiveX control that's already there instead of forcing a
    download. Of course that's still not that good in terms of cross platform
    support.
    --
    Eli Allen
    eallen@bcpl.net



  2. #2
    Michael Howard Guest

    Re: CryptoAPI


    www.persits.com has a wonderful component named ASPCrypt, it's designed for
    web servers and clients alike. btw, capi is great, but it's only as good
    as how well you do things like saving keys!!

    "Eli Allen" <eallen@bcpl.net> wrote:
    >Are there any plans for MS to make the CryptoAPI scriptable so it can be used
    >directly in ASP? I mean there are times when I want a one way hash or
    >private key encryption to keep data secure and since the CryptoAPI is
    >considered secure (i.e. uses good algorithms and its implementation has been
    >tested) that would be much better than trying to implement it myself
    >(finding the code to implement the algorithm, not to mention speed of the code)
    >or trusting some other third party component, especially since you don't
    >know what algorithm they are using.
    >
    >Plus there would be the added benefit of being able to use it client side
    >using a MS supplied ActiveX control that's already there instead of forcing a
    >download. Of course that's still not that good in terms of cross platform
    >support.
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >



  3. #3
    Eli Allen Guest

    Re: CryptoAPI

    It may be wonderful, but it doesn't work so well if you're only a student
    still in college. Guess I should get started on making my own wrapper....

    As for saving keys, that's what sql is for since you can generally trust
    that.
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39d23477$2@news.devx.com...
    >
    > www.persits.com has a wonderful component named ASPCrypt, it's designed for
    > web servers and clients alike. btw, capi is great, but it's only as good
    > as how well you do things like saving keys!!
    >
    > "Eli Allen" <eallen@bcpl.net> wrote:
    > >Are there any plans for MS to make the CryptoAPI scriptable so it can be used
    > >directly in ASP? I mean there are times when I want a one way hash or
    > >private key encryption to keep data secure and since the CryptoAPI is
    > >considered secure (i.e. uses good algorithms and its implementation has been
    > >tested) that would be much better than trying to implement it myself
    > >(finding the code to implement the algorithm, not to mention speed of the code)
    > >or trusting some other third party component, especially since you don't
    > >know what algorithm they are using.
    > >
    > >Plus there would be the added benefit of being able to use it client side
    > >using a MS supplied ActiveX control that's already there instead of forcing a
    > >download. Of course that's still not that good in terms of cross platform
    > >support.
    > >--
    > >Eli Allen
    > >eallen@bcpl.net
    > >
    > >

    >




  4. #4
    Michael Howard Guest

    Re: CryptoAPI


    hang in there - i'll see if i can get some sample code i wrote for
    encrypting/decrypting/hashing posted. It's a c++ com+ component which calls capi.

    blind trust in any process is A Very Bad Thing (tm). what threats do you think
    the server will be up against? do you have appropriate countermeasures in
    place to mitigate the threats to the keys in sql server tables?

    "Eli Allen" <eallen@bcpl.net> wrote:
    >It may be wonderful, but it doesn't work so well if you're only a student
    >still in college. Guess I should get started on making my own wrapper....
    >
    >As for saving keys, that's what sql is for since you can generally trust
    >that.




  5. #5
    Eli Allen Guest

    Re: CryptoAPI

    The idea is not blind trust but to trust stuff that has been certified to be
    secure like the rating the CryptoAPI got and SQL server 2k's C2 rating. And
    then subscribing to the mailing list that tells when patches come out.

    To keep the keys in the SQL server from being read I limit who can login and
    use the replace(strvar,"'","''") command to keep someone from posting
    something that could be interpreted in the SQL statement as something
    besides a value.

    They don't teach enough security at school
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39d3a454@news.devx.com...
    >
    > hang in there - i'll see if i can get some sample code i wrote for
    > encrypting/decrypting/hashing posted. It's a c++ com+ component which calls capi.
    >
    > blind trust in any process is A Very Bad Thing (tm). what threats do you think
    > the server will be up against? do you have appropriate countermeasures in
    > place to mitigate the threats to the keys in sql server tables?
    >
    > "Eli Allen" <eallen@bcpl.net> wrote:
    > >It may be wonderful, but it doesn't work so well if you're only a student
    > >still in college. Guess I should get started on making my own wrapper....
    > >
    > >As for saving keys, that's what sql is for since you can generally trust
    > >that.

    >
    >
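
An added example (not code from any poster in this thread) comparing the quote-doubling described in post #5 with bound parameters. Python's sqlite3 stands in for SQL Server here, and the `app_keys` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

def double_quotes(value: str) -> str:
    """Equivalent of the post's replace(strvar, "'", "''")."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a key table on the server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_keys (id INTEGER, owner TEXT, key_hex TEXT)")
    db.executemany("INSERT INTO app_keys VALUES (?, ?, ?)",
                   [(1, "o'brien", "aa11"), (2, "smith", "bb22")])
    return db

def lookup_by_owner_escaped(db, owner):
    # String context: doubling quotes keeps the value inside the literal.
    sql = "SELECT key_hex FROM app_keys WHERE owner = '%s'" % double_quotes(owner)
    return [row[0] for row in db.execute(sql)]

def lookup_by_id_escaped(db, row_id):
    # Numeric context: no surrounding quotes exist, so doubling quotes
    # changes nothing and the value is still parsed as SQL text.
    sql = "SELECT key_hex FROM app_keys WHERE id = %s" % double_quotes(row_id)
    return [row[0] for row in db.execute(sql)]

def lookup_by_id_bound(db, row_id):
    # Bound parameter: the value is passed as data in every context.
    cur = db.execute("SELECT key_hex FROM app_keys WHERE id = ?", (row_id,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input that contains no quote at all
    print("escaped, string context :", lookup_by_owner_escaped(db, "o'brien"))
    print("escaped, numeric context:", lookup_by_id_escaped(db, crafted))
    print("bound parameter         :", lookup_by_id_bound(db, crafted))
```

Quote-doubling only protects values placed inside a quoted string literal; binding parameters removes the dependence on context.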




  6. #6
    Chris Kinsman Guest

    Re: CryptoAPI

    I believe in ASP+ there is a .NET Framework class to handle this...
    "Eli Allen" <eallen@bcpl.net> wrote in message
    news:39d1039f$1@news.devx.com...
    > Are there any plans for MS to make the CryptoAPI scriptable so it can be used
    > directly in ASP? I mean there are times when I want a one way hash or
    > private key encryption to keep data secure and since the CryptoAPI is
    > considered secure (i.e. uses good algorithms and its implementation has been
    > tested) that would be much better than trying to implement it myself
    > (finding the code to implement the algorithm, not to mention speed of the code)
    > or trusting some other third party component, especially since you don't
    > know what algorithm they are using.
    >
    > Plus there would be the added benefit of being able to use it client side
    > using a MS supplied ActiveX control that's already there instead of forcing a
    > download. Of course that's still not that good in terms of cross platform
    > support.
    > --
    > Eli Allen
    > eallen@bcpl.net
    >
    >




  7. #7
    Michael Howard Guest

    Re: CryptoAPI


    that's correct, however, it ain't shipping just yet - so the functionality
    may very well change before final rtm.

    cheers, mh

    "Chris Kinsman" <ckinsman@devx.com> wrote:
    >I believe in ASP+ there is a .NET Framework class to handle this...
    >"Eli Allen" <eallen@bcpl.net> wrote in message
    >news:39d1039f$1@news.devx.com...
    >> Are there any plans for MS to make the CryptoAPI scriptable so it can be used
    >> directly in ASP? I mean there are times when I want a one way hash or
    >> private key encryption to keep data secure and since the CryptoAPI is
    >> considered secure (i.e. uses good algorithms and its implementation has been
    >> tested) that would be much better than trying to implement it myself
    >> (finding the code to implement the algorithm, not to mention speed of the code)
    >> or trusting some other third party component, especially since you don't
    >> know what algorithm they are using.
    >>
    >> Plus there would be the added benefit of being able to use it client side
    >> using a MS supplied ActiveX control that's already there instead of forcing a
    >> download. Of course that's still not that good in terms of cross platform
    >> support.
    >> --
    >> Eli Allen
    >> eallen@bcpl.net
    >>
    >>

    >
    >



  8. #8
    Eli Allen Guest

    Re: CryptoAPI

    As in they may remove it or just change how it works?
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:39de3fbd$1@news.devx.com...
    >
    > that's correct, however, it ain't shipping just yet - so the functionality
    > may very well change before final rtm.
    >
    > cheers, mh
    >
    > "Chris Kinsman" <ckinsman@devx.com> wrote:
    > >I believe in ASP+ there is a .NET Framework class to handle this...





  9. #9
    Michael Howard Guest

    Re: CryptoAPI


    either/both :-))

    seriously, for various reasons i've seen core functionality pulled from products
    between a beta and final release.

    cheers, mh

    "Eli Allen" <eallen@bcpl.net> wrote:
    >As in they may remove it or just change how it works?
    >--
    >Eli Allen
    >eallen@bcpl.net
    >
    >"Michael Howard" <mikehow@microsoft.com> wrote in message
    >news:39de3fbd$1@news.devx.com...
    >>
    >> that's correct, however, it ain't shipping just yet - so the functionality
    >> may very well change before final rtm.
    >>
    >> cheers, mh
    >>
    >> "Chris Kinsman" <ckinsman@devx.com> wrote:
    >> >I believe in ASP+ there is a .NET Framework class to handle this...

    >
    >
    >



  10. #10
    Chris Kinsman Guest

    Re: CryptoAPI

    Could be either however I suspect this is important enough that more likely
    the interface would change as opposed to functionality being pulled...

    "Eli Allen" <eallen@bcpl.net> wrote in message
    news:39df7d78@news.devx.com...
    > As in they may remove it or just change how it works?
    > --
    > Eli Allen
    > eallen@bcpl.net
    >
    > "Michael Howard" <mikehow@microsoft.com> wrote in message
    > news:39de3fbd$1@news.devx.com...
    > >
    > > that's correct, however, it ain't shipping just yet - so the functionality
    > > may very well change before final rtm.
    > >
    > > cheers, mh
    > >
    > > "Chris Kinsman" <ckinsman@devx.com> wrote:
    > > >I believe in ASP+ there is a .NET Framework class to handle this...

    >
    >
    >




  11. #11
    Michael Howard Guest

    Re: CryptoAPI


    I've posted some sample code COM+ (written in C++) for doing basic crypto
    stuff from, say, ASP, script or VB.

    http://security.devx.com/crypt.zip has the code.

    cheers, mh
