CryptoAPI

[Eli Allen]

Is there any plans for MS to make the CryptoAPI scriptable so it can be used
directly in ASP? I mean there are times when I want a one way hash or
private key encryption to keep data secure and since the CryptoAPI is
considered secure (i.e. uses good algorithms and its implementation has been
tested) that would be much better then trying to implement it myself
(finding the code implement the algorithm, not to mention speed of the code)
or trusting some other third party component, especially since you don't
know what algorithm they are using.

Plus there would be the added benefit of being able to use it client side
using a MS supplied ActiveX control thats already there instead of forcing a
download. Of course thats still not that good in terms of cross platform
support.
--
Eli Allen
eallen@bcpl.net

[Michael Howard]

www.persits.com has a wonderful component named ASPCrypt, it's designed for
web servers and clients alike. btw, capi is great, but it's only as good
as how well you do things like saving keys!!

"Eli Allen" <eallen@bcpl.net> wrote:
>Is there any plans for MS to make the CryptoAPI scriptable so it can be
used
>directly in ASP? I mean there are times when I want a one way hash or
>private key encryption to keep data secure and since the CryptoAPI is
>considered secure (i.e. uses good algorithms and its implementation has
been
>tested) that would be much better then trying to implement it myself
>(finding the code implement the algorithm, not to mention speed of the code)
>or trusting some other third party component, especially since you don't
>know what algorithm they are using.
>
>Plus there would be the added benefit of being able to use it client side
>using a MS supplied ActiveX control thats already there instead of forcing
a
>download. Of course thats still not that good in terms of cross platform
>support.
>--
>Eli Allen
>eallen@bcpl.net
>
>

[Eli Allen]

It may be wonderful, but it doesn't work so well if your only a student
still in college. Guess I should get started on making my own wrapper....

As for saving keys, thats what sql is for since you can generally trust
that.
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39d23477$2@news.devx.com...
>
> www.persits.com has a wonderful component named ASPCrypt, it's designed
for
> web servers and clients alike. btw, capi is great, but it's only as good
> as how well you do things like saving keys!!
>
> "Eli Allen" <eallen@bcpl.net> wrote:
> >Is there any plans for MS to make the CryptoAPI scriptable so it can be
> used
> >directly in ASP? I mean there are times when I want a one way hash or
> >private key encryption to keep data secure and since the CryptoAPI is
> >considered secure (i.e. uses good algorithms and its implementation has
> been
> >tested) that would be much better then trying to implement it myself
> >(finding the code implement the algorithm, not to mention speed of the
code)
> >or trusting some other third party component, especially since you don't
> >know what algorithm they are using.
> >
> >Plus there would be the added benefit of being able to use it client side
> >using a MS supplied ActiveX control thats already there instead of
forcing
> a
> >download. Of course thats still not that good in terms of cross platform
> >support.
> >--
> >Eli Allen
> >eallen@bcpl.net
> >
> >
>

[Michael Howard]

hang in there - i'll see if i can get some sample code i wrote for encrypting/decrypting/hashing
posted. It's a c++ com+ component which calls capi.

blind trust in any process is A Very Bad Thing (tm) what threats do you think
the server will be up against? do you have appropriate countermeasures in
place to mitigate the threats to the keys in sql server tables?

"Eli Allen" <eallen@bcpl.net> wrote:
>It may be wonderful, but it doesn't work so well if your only a student
>still in college. Guess I should get started on making my own wrapper....
>
>As for saving keys, thats what sql is for since you can generally trust
>that.

[Eli Allen]

The idea is not blind trust but to trust stuff that has been certified to be
secure like the rating the CryptoAPI got and SQL server 2k's C2 rating. And
then subscribing to the mailing list that tells when patches come out.

To keep the keys in the SQL server from being read I limit who can login and
use the replace(strvar,"'","''") command to keep someone from posting
something that could be interpreted in the SQL statement as something
besides a value.

They don't teach enough security at school
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39d3a454@news.devx.com...
>
> hang in there - i'll see if i can get some sample code i wrote for
encrypting/decrypting/hashing
> posted. It's a c++ com+ component which calls capi.
>
> blind trust in any process is A Very Bad Thing (tm) what threats do you
think
> the server will be up against? do you have appropriate countermeasures in
> place to mitigate the threats to the keys in sql server tables?
>
> "Eli Allen" <eallen@bcpl.net> wrote:
> >It may be wonderful, but it doesn't work so well if your only a student
> >still in college. Guess I should get started on making my own
wrapper....
> >
> >As for saving keys, thats what sql is for since you can generally trust
> >that.
>
>

[Chris Kinsman]

I believe in ASP+ there is a .NET Framework class to handle this...
"Eli Allen" <eallen@bcpl.net> wrote in message
news:39d1039f$1@news.devx.com...
> Is there any plans for MS to make the CryptoAPI scriptable so it can be
used
> directly in ASP? I mean there are times when I want a one way hash or
> private key encryption to keep data secure and since the CryptoAPI is
> considered secure (i.e. uses good algorithms and its implementation has
been
> tested) that would be much better then trying to implement it myself
> (finding the code implement the algorithm, not to mention speed of the
code)
> or trusting some other third party component, especially since you don't
> know what algorithm they are using.
>
> Plus there would be the added benefit of being able to use it client side
> using a MS supplied ActiveX control thats already there instead of forcing
a
> download. Of course thats still not that good in terms of cross platform
> support.
> --
> Eli Allen
> eallen@bcpl.net
>
>

[Michael Howard]

that's correct, however, it ain't shipping just yet - so the functionality
may very well change before final rtm.

cheers, mh

"Chris Kinsman" <ckinsman@devx.com> wrote:
>I believe in ASP+ there is a .NET Framework class to handle this...
>"Eli Allen" <eallen@bcpl.net> wrote in message
>news:39d1039f$1@news.devx.com...
>> Is there any plans for MS to make the CryptoAPI scriptable so it can be
>used
>> directly in ASP? I mean there are times when I want a one way hash or
>> private key encryption to keep data secure and since the CryptoAPI is
>> considered secure (i.e. uses good algorithms and its implementation has
>been
>> tested) that would be much better then trying to implement it myself
>> (finding the code implement the algorithm, not to mention speed of the
>code)
>> or trusting some other third party component, especially since you don't
>> know what algorithm they are using.
>>
>> Plus there would be the added benefit of being able to use it client side
>> using a MS supplied ActiveX control thats already there instead of forcing
>a
>> download. Of course thats still not that good in terms of cross platform
>> support.
>> --
>> Eli Allen
>> eallen@bcpl.net
>>
>>
>
>

[Eli Allen]

As in they may remove it or just change how it works?
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39de3fbd$1@news.devx.com...
>
> that's correct, however, it ain't shipping just yet - so the functionality
> may very well change before final rtm.
>
> cheers, mh
>
> "Chris Kinsman" <ckinsman@devx.com> wrote:
> >I believe in ASP+ there is a .NET Framework class to handle this...

[Michael Howard]

either/both :-))

seriously, for various reasons i've seen core functionality pulled from products
between a beta and final release.

cheers, mh

"Eli Allen" <eallen@bcpl.net> wrote:
>As in they may remove it or just change how it works?
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:39de3fbd$1@news.devx.com...
>>
>> that's correct, however, it ain't shipping just yet - so the functionality
>> may very well change before final rtm.
>>
>> cheers, mh
>>
>> "Chris Kinsman" <ckinsman@devx.com> wrote:
>> >I believe in ASP+ there is a .NET Framework class to handle this...
>
>
>

[Chris Kinsman]

Could be either however I suspect this is important enough that more likely
the interface would change as opposed to functionality being pulled...

"Eli Allen" <eallen@bcpl.net> wrote in message
news:39df7d78@news.devx.com...
> As in they may remove it or just change how it works?
> --
> Eli Allen
> eallen@bcpl.net
>
> "Michael Howard" <mikehow@microsoft.com> wrote in message
> news:39de3fbd$1@news.devx.com...
> >
> > that's correct, however, it ain't shipping just yet - so the
functionality
> > may very well change before final rtm.
> >
> > cheers, mh
> >
> > "Chris Kinsman" <ckinsman@devx.com> wrote:
> > >I believe in ASP+ there is a .NET Framework class to handle this...
>
>
>

[Michael Howard]

I've posted some sample code COM+ (written in C++) for doing basic crypto
stuff from, say, ASP, script or VB.

http://security.devx.com/crypt.zip has the code.

cheers, mh