Stored proceture execute time in asp.net core mvc vs in .net form

Since we have about 20 client data, the difference in execution time is visible. In the MVC application, objects are stored, while in the three-layer application or .Net form, each attribute data is stored in order. In the MVC application, when registering or saving a client in the database, it must go through several classes and folders, while in .Net form, when the client clicks the Register button, in that action button1_Click () there is a code for storing the procedure, ie saving a new client in the database . While in the MVC application, when a client presses the Register button, the first thing to do is to send the client object to Services, where each individual attribute is unpacked to check if they are entered correctly, if they are entered correctly the object is returned. it was our turn to check if the client object already exists in the database so that we do not have duplicates. Only when all this is checked, the data is ready for storage. When storing data, the Services method is called for registration, in which the Repository is called for saving data, and only in that method is the client object saved. In other words, we need more actions to add a new client to the database, while in .Net form everything is in one place, ie in the action onclick () the data is saved and should not be sent by other storage methods, so it takes less time for the stored procedure or data storage. In the MVC application, the object goes through various classes and methods, so then it is used and takes up more memory, then we have a slower stored data procedure, unlike in .Net form.

I just need to know if my theory is right, if its wrong can you tell me where im wrong.

Persistent connection string errors .NET Core

I am migrating a full framework application to .NET Core. Under the full framework, it used the following connection string with the IBM .NET Connector for DB2:

"Server=localhost:50000;Database=testdb;" 

The code then assigned UserID and Password properties from credentials vault.

Now, under Core, with the IBM .NET Core connector for DB2 specifically v.2.0.0.100 (long-term support, according to IBM), this connection string throws an exception when a connection string builder is created from it:

{System.ArgumentNullException: Value cannot be null.    at System.Threading.Monitor.ReliableEnter(Object obj, Boolean& lockTaken)    at IBM.Data.DB2.Core.DB2ConnPool.ReplaceConnStrPwd(String value, String newvalue, Boolean onlyPwd)    at IBM.Data.DB2.Core.DB2Connection.RemoveConnectionStringPassword(String value, Boolean bMask)    at IBM.Data.DB2.Core.DB2ConnectionStringBuilder..ctor(String connectionString) 

There is no InnerException. I presume that some mandatory parameters of the connection string that I am not aware of have to be populated under Core, whereas under full framework they were optional. A careful read of IBM documents on DB2 connector Core yielded no mentions of connection string changes, unless I missed them. This blog post mentioned no such breaking changes.

Is anyone aware of mandatory connection string parameters that are missing from my connection string specifically for .NET Core connector?

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Are there any c# .net free software composition analysis tools to check opensource component used and its vulnerabilities and license

I have situation where I have to anlyse the third party components\libraries used in the code within the license terms and no know vulnerabilities.

I know there are tool name blackduck and whitesource which can meet the expectation, but we cannot afford costly tools.

Is there any free stable tools available for such analysis. One I came across is OWASP dependency.

Appreciate any help over here.

Asymmetric XML Encryption (in .NET)

I’m trying to decrypt XML EncryptedData in .NET Framework:

<xenc:EncryptedData Id="_741139241b38dfd707421728b0fd4041" Type="http://www.w3.org/2001/04/xmlenc#Element">     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm">         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>     </xenc:EncryptionMethod>     <ds:KeyInfo>         <xenc:EncryptedKey Id="_db6a41a40ccb22cbef88275caff4d05d">             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>             <ds:KeyInfo>                 <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">                     <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">                         <xenc11:ConcatKDFParams AlgorithmID="0000002A687474703A2F2F7777772E77332E6F72672F323030312F30342F786D6C656E63236B772D616573323536" PartyUInfo="0000001673796D756C61746F722E6C6F67696E2E676F762E706C" PartyVInfo="0000000743552D554D5750">                             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>                         </xenc11:ConcatKDFParams>                     </xenc11:KeyDerivationMethod>                     <xenc:OriginatorKeyInfo>                         <ds:KeyValue>                             <dsig11:ECKeyValue>                                 <dsig11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>                                 <dsig11:PublicKey>xxxx</dsig11:PublicKey>                             </dsig11:ECKeyValue>                         </ds:KeyValue>                     </xenc:OriginatorKeyInfo>                 </xenc:AgreementMethod>             </ds:KeyInfo>             <xenc:CipherData>                 <xenc:CipherValue>xxxx</xenc:CipherValue>             </xenc:CipherData>         </xenc:EncryptedKey>     </ds:KeyInfo>     <xenc:CipherData>         <xenc:CipherValue>xxxx</xenc:CipherValue>     </xenc:CipherData> </xenc:EncryptedData> 

As I understand I need to implement these steps:

  1. recreate public key stored in OriginatorKeyInfo node using x, y parameters from PublicKey and specified curve, result is publicKey
  2. do KeyAgreement (algorithm:ECDH-ES) operation using my private key and publicKey from step 1, result is sharedKey
  3. do Key Derivation Function (algorithm: ConcatKDF) operation using sharedKey, result is unwrappingKey
  4. do Key Unwrap (algorithm kw-aes256) on EncryptedKey>CipherData>CipherValue using unwrappingKey, result is encryptionKey
  5. do decrypting (algorithm aes256-gcm) on EncryptedData>CipherData>CipherValue using encryptionKey

Currently I’m at step 1. Using jose-jwt I can create public key with EccKey.New(x, y, CngKeyUsages.KeyAgreement), but I don’t understand why there is no curve name parameter? If someone knows way of making this work or some examples (bouncy castle?) please comment.

Cracking .NET random

I know .NET has two PRNGs, one secure and one insecure. I would like to be referenced to a tool/article about cracking the insecure one (I want to use it to test an .aspx site). I searched it all over but I only found references to cracking The random of Java, C and PHP.

.NET application protection technique against cracking

I’m trying to protect my software against cracking. Protection against cracking is crucial before listing the product on market.

Info about the software:

  • Built using .NET C# (Framework 4.5.2)
  • WinForms
  • 32 bit

I have made a several protection layers:

  • Obfuscation, Renaming, anti-debugging
  • Encrypted communications between software and API server (RSA) public key hard-coded
  • The client will generate a temporary AES keys and encrypt it with server public key then sends it to server, The server will decrypt the data with his RSA Private key and respond with a new AES keys encrypted with the ones provided by the client at first request. Then any communication from client to server will be signed by server RSA pub key and encrypted by AES Keys provided by the server.

  • Verify libraries integrity by requesting libraries checksum from API and compare it.

And the most important part is, the application will once request “custom data” from API server and store it in memory, to be used by internal software functions. When a function in the application called it will use the “custom data” as input, so there’s no way for the software to operate correctly without having the “custom data”

The API server provides the “custom data” after verifying software activation code and machine unique ID.

The question is:

  • With all of these layers, can the software cracked?
  • Can the custom data layer bypassed?
  • If a cracker bypassed the protection layers until the “custom data” part, it’s possible to clone the software with the “custom data” meaning the software can operate without need to request the custom data from the API?

What i mean by custom data is making the software hybrid, always needs data from API to function

I am counting on the “custom data” protection layer.

Please let me hear your recommendations. thanks a lot

almacenar intentos en base de datos .net

tengo una consulta estoy haciendo un sistema en .net y sql server , lo que quiero hacer es cuando un usuario se logee, almacene en mi base al usuario que entro o al usuario que erro su cuenta en el login y me diga cuantas veces entro o la hora, les agradecería por la ayuda .

   Private Sub BTNINGRESAR_Click(sender As Object, e As EventArgs) Handles BTNINGRESAR.Click       Try          datos.Usuario_1 = TXTUSER.Text         datos.Contraseña_1 = TXTPASS.Text          If funcion.validar_sesion(datos) = True Then              Preguntas.Show()         ElseIf (contador = 3) Then              MsgBox("Demasiado intentos fallidos")             Me.Close()          Else 'contar loos numeros de intentos               MsgBox("Usuario o Contraseña Invalido, Intente de Nuevo")             TXTUSER.Clear()             TXTPASS.Clear()             contador += 1          End If       Catch ex As Exception         MsgBox(ex.Message)     End Try End Sub