As we're slowly moving towards Angular2 development in our new production systems using the new ASP.NET Core it's time to come up with a ready-to-go template. As you know from my previous articles I am not a fan of default .NET bundles hence my new Angular2 template uses Gulp as well.
The template: https://github.com/IvanSivak/ASP.NET-Core-Gulp-Angular2-Template.
Feel free to clone and try.
This article is just for fun as a result of some of my Stanford classes and is related to the One Time Pad cryptographic encryption and related issues with two time pad and recommended solutions to these issues.
As stated in Wikipedia
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break
..note that ^ is the XOR operator.
Breaking the Two Time Pad
OK so now that we have some basis example we can actually see what is the issue with the same key being used more than once. Imagine we will encrypt two different messages with the same key:
The problem is that by definition if you XOR the two ciphers you will in fact get the XOR of both plain texts: e(a) ⊕ e(b) = a ⊕ b
So in order to exploit the ciphers you basically need to guess a possible word and XOR it with the XOR of two ciphers. Now, how to guess a word? The best is to use the Frequency Analysis and use statistically most common words. In the English language the most used word is not surprisingly "the". Actually a nice list of words can be found on Wikipedia. This is exactly an idea behind the guessDictionary in my example:
..hence if we XOR the XOR of two cipher texts with our dictionary we will learn plain text message.
..and the result:
As you can see we have just exploited "This" to be contained within one of the messages.
So can we possibly achieve the secure ciphering with the same key and if so how? The answer is Nonce Based Encryption also known as Many Time Key. Well known application of this method is e.g. Cipher Block Chaining (CBC):
The key thing to notice here is the Initialization Vector, so called "IV". This acts as a random nonce for the same key. It can be either an arbitrary counter or some random number. If it is a counter you just need to make sure it's not predictable (which you also have to ensure for random number in fact). One drawback of CBC is that it is sequential. Means you can't use parallel processing. To be able to use parallel processing use the CBC In Counter Mode instead. The counter mode turns the CBC into Stream Cipher.
I'm not an expert on cryptography but it is clear that cryptography can be very fragile. Whether it was VENONA project where Soviets did use the same keys for multiple messages or TLS 1.0 bug with issue of predictability of IV or many other cases. Cryptography needs a proper implementation and should always be implemented by existing/official algorithms. Do not reinvent a wheel.
CONFIDENTIALITY vs. Integrity
The last but not least - never implement these mechanism alone. While these are very important concept they don't protect you against tampering the ciphers. As such they provide a great confidentiality of a message but no integrity. To provide an integrity you have to introduce a message authentication (MAC) or introduce a public key cryptography concept. This will perhaps be a topic for my next article related to the cryptography.
The whole empty template can be downloaded from my GitHub page: https://github.com/IvanSivak/ASP.NET-Core-MVC6-Gulp-Template.
The best way to get familiar with my template is just by opening the project and see the changes. Let me just briefly clarify.
Let me know if you have any issues with my template or recommendations. Unfortunately I was unable to export the project into a template (issue has been discussed on stack overflow) but since the project is very simple and clean you should be able to just download and rename the project or use it as a reference to set up your own new project.
After spending a couple of weeks experimenting with the new ASP.NET Core I am confident to say it's the best ASP.NET ever released. There are many reasons why the new version of ASP.NET is better from the previous versions. This article is focused on basic differences, improvements and shows the basic project set up example using gulp.
.NET vs. mono vs. NuGet
Before we start let's just remind the basic principles and basic options of .NET.
In order to run traditional .NET application there always needs to be a version of .NET Framework installed on a machine where program runs. Whether it's EXE or DLL it always contains so called intermediate language (IL). The IL itself needs to be compiled by just-in-time (JIT) compiler which is included in .NET Framework itself and is part of Common Language Runtime (CLR). In short, just before the program executes the JIT kicks in, compiles the IL and CLR runs the program. Hence, the CLR is responsible for almost every .NET functionality and FCL (Framework Class Library) contains all .NET types and classes.
Mono is open source project developed by community. It is compatible with .NET framework and uses the same principle as MS CLR. It offers distributions for Linux, Mac and Windows which makes it a cross-platform alternative for .NET applications. Mono also stands on basis of Xamarin.
As every packaging system the NuGet exists to make things easier. Since .NET framework itself is a very large set of classes, types, libraries etc. (the FCL and CLR) it is difficult to make updates. With every new FCL version Microsoft needs to distribute new .NET Framework version. This is what makes the NuGet so useful. You can deliver or update only particular libraries. Great example is MVC or WebAPI. These libraries are NuGet packages. They do not exist in FCL. This is what allowed these libraries to evolve so rapidly. Rapid updates of single NuGet packages not tied to .NET Framework allowed them to be developed and updated much faster.
There are many advantages and changes in ASP.NET Core over the previous ASP.NET. Here is a list to name the most important ones
WebAPI vs. mvc vs. system.web
Example asp.net core project
Let's get started with an example. First of all, if you don't use at least Visual Studio 2015 Update 4 you will need to download the ASP.NET Core template into your visual studio. Everything is nicely described on the official documentation page here: https://docs.asp.net/en/latest/ or you can simply go straight to the download link at: https://www.microsoft.com/net/core.
No CSPROJ file & global.json
One thing I really like among others is that there's no csproj file anymore. It makes it easier for source version control. How many conflicts of project file we already had in GIT? The ASP.NET Core simply reflects the file system. There's no need for "include in the project" function and so on. Instead the global.json is presented.
The project.json contains various meta data of a project, settings such as publishOptions and very important - references to NuGet packages. Note that NuGet packages are not installed into the packages folder anymore. Instead all NuGet packages are inside your user folder, e.g. c:\users\ivan\.nuget
In classic ASP.NET everything was pretty much contained within the project root. The new wwwroot folder brings more clarity into web publishing as only what stays in wwwroot folder is accessible by a web server. This can be changed in project.json/publishOptions though, e.g. we want Views folder to be exposed as well hence we can add it as follows:
Dependencies & Bower
Dependencies folder is about client side development. In principle the Bower is the same as NuGet. The difference is that Bower is focused on client side libraries and frameworks (such as jQuery, Bootstrap, Angular etc.) and runs under Node.JS. NPM (Node Package Manager) is the same thing but aims at Node.JS libraries, such as Gulp etc.
.Net Core Bundles vs. Gulp
There are alternatives, for example ASP.NET MVC Boilerplate template that uses gulp. The whole story behind .NET Core default web template and why it doesn't use gulp is described here. Since Boilerplate is quite heavy template I decided to create my own lightweight ASP.NET Core MVC6 Gulp Template. This will be described in my next article about such lightweight template.
Blog about my programming experiments, tests and so on.