You must Sign In to post a response.
  • Category: .NET

    How can we generate safe random numbers in C#

    Hi Team,
    can you assist me on this issue..

    Description:
    Random number generated here is using insecure Random() method. Only based on the random number, reports are getting deleted from "report" table. If the atatcker can guess the random number , then he will be able to delete the reports. It is suggested to use safe random number generators instead.

    public class report : System.Web.UI.Page
    {
    private int randomID;

    private void Page_Load(object sender, System.EventArgs e
    {
    string year = Request["year"];
    int oldYear = int.Parse(year) - 1;

    Random rand = new Random();
    randomID = rand.Next(1000, 1000000);
    --------------
    }

    SqlCommand command2 = sqlConnection.CreateCommand();
    command2.CommandText = "delete from report where ReportID=" + (object) this.randomID;
  • #761318
    Hi
    You can try for this GUID in C# and Sqlsever.

    We can use this GUID and split particular string for this

    I have mention code below for how to create GUID and split and assign separate string value this


    string ss = Guid.NewGuid().ToString();
    string ss1 = ss.Split('-')[0];
    string ss2 = ss1;


    In Sql server you can use this code

    Select NEWID()


    Both Code Generated Automatically Unique string
    so we can retrieve using split function and use it.

    Name : Dotnet Developer-2015
    Email Id :kumaraspcode2009@gmail.com

    'Not by might nor by power, but by my Spirit,' says the LORD Almighty.

  • #761319
    How can we generate it without effecting other pages and SQL..

  • #761320
    Encrypt the id which shows in url. decrepit it while processing also helps u.
    Do Good... Enjoy your life.....

  • #761322
    hi

    where did you need this code created them.

    For ex: if you need generated GUID Page1.aspx
    means we can use this cope for ex: button click event

    this is noting effected to your sql and c# code.

    Name : Dotnet Developer-2015
    Email Id :kumaraspcode2009@gmail.com

    'Not by might nor by power, but by my Spirit,' says the LORD Almighty.

  • #761323
    Creating GUID wont change the db. but u need to save it for future use if am right. so a column need to be added. so before doing think about the impact.. regarding which tables and procedures need to be changed.....

    @Dotnet Developer-2015 , please clarify

    Do Good... Enjoy your life.....

  • #761324
    Hello Shashi,

    Refer the below code i have used it for random password :

    public static string CreateRandomPassword(int PasswordLength)
    {
    string _allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789";
    Random randNum = new Random();
    char[] chars = new char[PasswordLength];
    int allowedCharCount = _allowedChars.Length;

    for (int i = 0; i <= PasswordLength - 1; i++)
    {
    chars[i] = _allowedChars[Convert.ToInt32((_allowedChars.Length) * randNum.NextDouble())];
    }

    return new string(chars);
    }

    TextBox1.Text = CreateRandomPassword(6).ToString();

    Hope this will help you.

    Regards,
    Nirav Lalan
    DNS Gold Member
    "Failure is the path of least persistence"

  • #761325
    Hi Nirav,

    Which variable we have to assign to which textbox.Can you please compare with our code and where we assigned the variable.And also password length (random number must be in between 1000 to 1000000)

  • #761331
    Hello Shashi,

    As per your requirement i have made code for you :

    Page 1 :

    using System.Text;
    using System.Security.Cryptography;
    using System.IO;

    public static string CreateRandomString(int StringLength)
    {
    string _allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789";
    Random randNum = new Random();
    char[] chars = new char[StringLength];
    int allowedCharCount = _allowedChars.Length;

    for (int i = 0; i <= StringLength - 1; i++)
    {
    chars[i] = _allowedChars[Convert.ToInt32((_allowedChars.Length) * randNum.NextDouble())];
    }

    return new string(chars);
    }

    private string Encrypt(string clearText)
    {
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
    encryptor.Key = pdb.GetBytes(32);
    encryptor.IV = pdb.GetBytes(16);
    using (MemoryStream ms = new MemoryStream())
    {
    using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
    {
    cs.Write(clearBytes, 0, clearBytes.Length);
    cs.Close();
    }
    clearText = Convert.ToBase64String(ms.ToArray());
    }
    }
    return clearText;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
    TextBox1.Text = "";
    TextBox1.Text = CreateRandomString(6).ToString();

    // Put encrypted value to session
    Session["Secure Key"] = Encrypt(TextBox1.Text);

    Response.Redirect("Default2.aspx");
    }


    Page 2 :

    using System.Text;
    using System.IO;
    using System.Security.Cryptography;

    private string Decrypt(string cipherText)
    {
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] cipherBytes = Convert.FromBase64String(cipherText);
    using (Aes encryptor = Aes.Create())
    {
    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
    encryptor.Key = pdb.GetBytes(32);
    encryptor.IV = pdb.GetBytes(16);
    using (MemoryStream ms = new MemoryStream())
    {
    using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write))
    {
    cs.Write(cipherBytes, 0, cipherBytes.Length);
    cs.Close();
    }
    cipherText = Encoding.Unicode.GetString(ms.ToArray());
    }
    }
    return cipherText;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
    // Set encrypted value to label after decrypting
    Label1.Text = Decrypt(Session["Secure Key"].ToString());
    }


    Hope this will make sense now and will help you.

    Regards,
    Nirav Lalan
    DNS Gold Member
    "Failure is the path of least persistence"


Sign In to post your comments