
So I want to create a dynamic image resizer and want to protect it.

Let's say I get request like

/SomeID/400x300/{MyToken}.jpg

{MyToken} should only be valid for width 400, height 300, extension jpg and ID SomeID. This token should not be editable by the client, so I can prevent a DoS attack (requesting thousands of combinations).

With not editable I mean, the client is not able to change the token to something else, that would be valid for other parameters.

If I recall correctly, ASP.NET Forms Authentication has an algorithm to generate a read-only token. I am searching for something like this.

How does Forms Authentication work? What is the principle called? I am stuck on Google, because I am not sure what the right keywords are.

What I could do is an HtmlHelper, which does a File.Exists() and generates the image if the file does not exist. But since IO is expensive, I would want to get the file on the request, and catch a FileNotFoundException by generating the image, if the token is valid.

Christian Gollhardt
  • Minimize storage: use encryption/hashing to generate the token. Minimize CPU usage: just create a GUID for each resource and store the GUID-resource relationship in a table. – Martheen Jan 18 '17 at 06:43
  • The problem I have with encryption is, what if somebody calculates the key? With hashing, the salt? Is there something that is more dynamic @Martheen – Christian Gollhardt Jan 18 '17 at 06:45
  • [AES](http://crypto.stackexchange.com/questions/1512/why-is-aes-resistant-to-known-plaintext-attacks) seems safe enough against known plaintext attack. I don't know what can be more dynamic than storing a secret key/salt in the server and encrypting/hashing with it. – Martheen Jan 18 '17 at 06:51

1 Answer

How does Forms Authentication work? What is the principle called?

The type of encryption that Forms Authentication uses depends on the config, eg:

<system.web>
    <machineKey validationKey="..." 
                decryptionKey="..." 
                validation="SHA1"
                decryption="AES" />
</system.web>

It defaults to SHA1, which uses the HMACSHA1 algorithm.

To generate a token, simply encrypt the ID, size & file extension. This is the most famous question on here with examples of encryption: Encrypt and decrypt a string

Jeremy Thompson
  • Interesting, thank you. I think I generate a key every app pool recycle then. And I need to rethink the default security of Forms Authentication then... But that is another topic. – Christian Gollhardt Jan 18 '17 at 06:54
  • See jbtule's answer where he generates the salt, that's the dynamic goodness you're after: http://stackoverflow.com/a/10366194/495455 – Jeremy Thompson Jan 18 '17 at 06:57
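The primitive Forms Authentication uses for its validation step (and the answer's HMACSHA1 default) is a keyed hash, i.e. a message authentication code. For the resizer URL in the question the parameters are public anyway, so they do not need to be encrypted; they only need to be unforgeable, which an HMAC over the canonical parameters gives directly. The following is an added example, not code from the question, the answer or ASP.NET itself: the class name ImageToken, the Generate/IsValid methods and the server key are assumptions, and the key value is a constructed placeholder that in a real deployment would come from server-side configuration the same way machineKey does.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: HMAC-signed token for /{id}/{width}x{height}/{token}.{ext}.
// Names and the key below are assumptions, not from the original post.
public static class ImageToken
{
    // Constructed placeholder. Use a random key of at least 32 bytes, load it from
    // server-side configuration, and keep it stable across app pool recycles and
    // web-farm nodes, otherwise previously issued URLs stop validating.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("replace-with-a-random-server-side-key-of-at-least-32-bytes");

    private const char Separator = '|';

    // Canonical message binding every parameter the token must cover. The
    // separator may not appear in the fields, so "40|0300" cannot be confused
    // with "400|300" and each (id, width, height, ext) maps to one message.
    private static string Canonical(string id, int width, int height, string ext)
    {
        if (id == null || id.IndexOf(Separator) >= 0)
            throw new ArgumentException("id must not be null or contain the separator", nameof(id));
        if (ext == null || ext.IndexOf(Separator) >= 0)
            throw new ArgumentException("ext must not be null or contain the separator", nameof(ext));
        return string.Join(Separator.ToString(), id, width.ToString(), height.ToString(), ext.ToLowerInvariant());
    }

    // Produces the token the server embeds in the URL it hands out.
    public static string Generate(string id, int width, int height, string ext)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(id, width, height, ext)));
            // URL-safe Base64 without padding, so the token is a plain path segment.
            return Convert.ToBase64String(mac).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    // Recomputes the MAC from the parameters of the incoming request and compares
    // in constant time. A client that edits id, width, height or ext produces a
    // different MAC, and the request is rejected before any File.Exists() or
    // image generation runs, which is what keeps the resizer from being a DoS vector.
    public static bool IsValid(string token, string id, int width, int height, string ext)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string expected = Generate(id, width, height, ext);
        return FixedTimeEquals(Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(token));
    }

    // Length-independent comparison so timing does not leak how many leading
    // characters of a guessed token were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string token = Generate("SomeID", 400, 300, "jpg");
        Console.WriteLine("/SomeID/400x300/" + token + ".jpg");
        Console.WriteLine(IsValid(token, "SomeID", 400, 300, "jpg"));
        Console.WriteLine(IsValid(token, "SomeID", 4000, 3000, "jpg"));
        Console.WriteLine(IsValid(token, "OtherID", 400, 300, "jpg"));
    }
}
```

In the request handler, parse id, width, height and ext out of the path, call IsValid first, and only then look for the cached file or render it. Note the caveat on the key raised in the comments above: generating a fresh key on every app pool recycle would invalidate every URL already handed out and would break on a multi-server deployment, so the key belongs in configuration, exactly as machineKey does for Forms Authentication.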