Regarding hashing passwords .NET & Rfc2898DeriveBytes

I live outside the world of OAuth and need to hash passwords for authentication.

For goodness' sake, don’t be tempted to write your own hash! Research the latest advice, as it changes as machines and cracking techniques advance. Swathes of passwords have been stolen from compromised sites in the past, and have been cracked and sold or given away. Don’t let your site be the source of misery!

Use a well-known hashing algorithm

Use the .NET class Rfc2898DeriveBytes, which implements PBKDF2, for password hashing. It uses iterations to make brute-force attacks computationally expensive.

Use salt

To prevent attackers reverse engineering your users’ passwords using rainbow tables, and other colourful techniques, use the above class with a random salt per user hash. You need to store the salt in your data store; it’s OK to store it concatenated with the password hash.

Use a good random salt with a high amount of entropy

Use a decent random generator, such as that provided by the RNGCryptoServiceProvider in the System.Security.Cryptography namespace, to generate your salt. There are degrees of randomness; remember that the Random class in .NET is only pseudo-random.

Load the CPU with iterations

Choose a good number of iterations when generating the hash. To future proof your implementation, also store the number of iterations used to generate the hash against each user, with the hash and salt, in the data store. This makes it possible to “turn up” the number of iterations as machines get faster in the future and not “spoil” the existing hashes (obviously the hashes would be upgraded after login in this scenario).

Risks of Denial of Service (DoS)

Be aware that for this protection you are deliberately introducing a computationally expensive routine into the authentication methods of the site. This exposes a possible denial of service attack, in which the login method is bombarded with authentication requests, so some sort of self-healing technique to limit such an attack is required. Perhaps, if high traffic is detected, temporarily add a CAPTCHA to the login page to limit the DoS impact.

 

 

VIES Webservice matchcode error

Something changed this week with the VIES web service that provides validation of European tax registration numbers.

http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl

All of a sudden we get an error! The SOAP error on deserialization is:

'Invalid enum value '3' cannot be deserialized into type 'canford.checkVATWebservice.matchCode'

I regenerated the SOAP reference in Visual Studio; still not working.

It seems the SOAP response contains an invalid (according to the WSDL) value of 3 for the matchCode type that is returned.

I’ve emailed the address provided for support, no response yet, so to get us running again I’ve added in this as a valid enum, however I have no idea of what the value of 3 actually means!

To fix, edit the Reference.vb file generated after refreshing the reference, found under your service reference directory (this example is in VB.NET):

<System.CodeDom.Compiler.GeneratedCodeAttribute("System.Runtime.Serialization", "4.0.0.0"),  _
System.Runtime.Serialization.DataContractAttribute(Name:="matchCode", [Namespace]:="urn:ec.europa.eu:taxud:vies:services:checkVat:types")> _
Public Enum matchCode As Integer

<System.Runtime.Serialization.EnumMemberAttribute(Value:="1")> _
_1 = 0

<System.Runtime.Serialization.EnumMemberAttribute(Value:="2")> _
_2 = 1

End Enum

 

Adding

<System.Runtime.Serialization.EnumMemberAttribute(Value:="3")> _
_3 = 2

to give this:

<System.CodeDom.Compiler.GeneratedCodeAttribute("System.Runtime.Serialization", "4.0.0.0"),  _
System.Runtime.Serialization.DataContractAttribute(Name:="matchCode", [Namespace]:="urn:ec.europa.eu:taxud:vies:services:checkVat:types")> _
Public Enum matchCode As Integer

<System.Runtime.Serialization.EnumMemberAttribute(Value:="1")> _
_1 = 0

<System.Runtime.Serialization.EnumMemberAttribute(Value:="2")> _
_2 = 1

<System.Runtime.Serialization.EnumMemberAttribute(Value:="3")> _
_3 = 2
End Enum

Now it will work again. I expect this will be fixed sometime after this post, but for those of you struggling with this issue at least you know what to do now!

update 9th Jan 2015

Refresh of references today brought in the “missing” enum – I guess it is fixed.

<xsd:enumeration value="3">
<xsd:annotation>
<xsd:documentation>NOT_PROCESSED</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>

Visual Studio Auto Shelve Extension

Quality and finance audits

In your annual audits, as a software manager, the question always crops up: how is work in progress protected? All the project source code is normally safely locked away in Team Foundation Server. The Team Foundation Server is in turn backed up and the backup shipped off site. What about drive failure on the local developer machine? Normally hours or days of work could be lost since the last check-in was performed!

My answer to this is to use the Auto Shelve extension and a weekly machine backup of my development machines.

Auto Shelve protects against loss of work from drive failure since the last check-in

Auto Shelve is a Visual Studio extension that periodically and automatically shelves your pending changes into source control as you work. It does this in the background and so has minimal impact. Should my SSD drive fail catastrophically, work since my last check-in will have been preserved in a shelf set in the Team Foundation Server.

After setting it up, Auto Shelve keeps overwriting the shelf set with the latest pending changes. After using it for some time now I can say it is effortless backup and I love it. I will love it even more when the day comes that I have a disaster on my hands.

Install

Install it through Tools>>Extensions and Updates.

Search the Online node on the left for autoshelve and install it.

Go to the settings to set up your shelf set name and the frequency of shelving.

Dynamics GP Visual Studio Addin - Open Form Parameters

Opening a native GP form from VS addin

This post covers a self-help pattern to assist developers wishing to open a native GP form from .NET using the Visual Studio Tools for GP addin.
An example is needed to work with, so say it is required to open the Manufacturer’s Item Number Maintenance form from our .NET code:

This form is normally only available from the Item Purchasing Options Maintenance Form but in this example it is required to launch it from our .NET code.

Identify the form name

Using the title caption from the form, go into Tools>Customise>Modifier to find the name of the form, or use the resource tool found under Tools>Resource Descriptions>Windows.

If using the resource tool, select the product to which the form belongs (in this example Microsoft Dynamics GP), set Series to Inventory, and set View by display name.

Here we can see it’s called IV_MFG_Item_Nmbr_Mnt internally. Forms have display and internal names.

In Visual Studio, the window can be located by following IntelliSense as you type: start at the dictionary it belongs to (MicrosoftDynamicsGP) and type the Dex name found above, leaving out the underscores.

Once the form is located, put a period after the form name to see what procedures it supports, typing “open” flushes out the procedures of interest.

It can be seen that to open the form, this form uses: OpenIvMfgItemNmbrMntProcedure

IntelliSense also guides as to how to call it, using _Instance.Invoke
image

However, a familiar issue is hit at this point. The open procedure requires two parameters passing. What are the two parameters that IntelliSense is asking for? Luckily help is at hand, from the tooltip (see image above):

Invokes form procedure “Open_IV_MFG_Item_Mnt” of form “IV_MFG_Nmbr_Mnt”

Recalling that all that is happening here is a call down to procedures in the underlying Dexterity code, we can find what we need to call this by checking the Software Developer Kit (SDK).

You of course have the GP SDK installed? – if not get it now…

Using the SDK to find parameters

Searching the SDK folder, C:\program Files\Microsoft Dynamics\GP11.0 SDK\Content, for the start of the procedure name “Open_IV_MFG”, a hit is returned in a file called “CoreForms_1100.txt”.

Open CoreForms_1100.txt and search for the same term. The following text is found in the document:

------------------------------------------------------------------------
INVENTORY FORM PROCEDURE:  Open_IV_MFG_Item_Nmbr_Mnt
    of form IV_MFG_Item_Nmbr_Mnt
------------------------------------------------------------------------
in                       'Item Number'            l_item;
in                       'Item Description'       l_Description;

So the two parameters needed are Item Number and Item Description.

So now we call it like this:

MicrosoftDynamicsGpDictionary.IvMfgItemNmbrMntForm.OpenIvMfgItemNmbrMntProcedure._Instance.Invoke("testpart", "testpart description")

Compile, deploy and you should find the form opens with the item selected!