1. 首頁
  2. 問答
  3. MembershipProvider.ValidateUser密碼編碼實現

MembershipProvider.ValidateUser密碼編碼實現

2011-05-25 104 views
2

我在自定義MembershipProvider類上實現了ValidateUser方法。我見過很多這樣的例子,我正在尋找一些關於如何正確編碼/散列/加密我的密碼的指導。我不是密碼專家,我有點擔心偏離默認實現。我應該只複製SqlMembershipProvider的相關源代碼,還是將其中的任何一個工作?MembershipProvider.ValidateUser密碼編碼實現

http://mattwrock.com/post/2009/10/14/Implementing-custom-Membership-Provider-and-Role-Provider-for-Authinticating-ASPNET-MVC-Applications.aspx

public override bool ValidateUser(string username, string password) 
{ 
    if(string.IsNullOrEmpty(password.Trim())) return false; 
    string hash = EncryptPassword(password); 
    User user = _repository.GetByUserName(username); 
    if (user == null) return false; 
    if (user.Password == hash) 
    { 
    User = user; 
    return true; 
    } 
    return false; 
} 

protected string EncryptPassword(string password) 
{ 
    // Produses an MD5 hash string of the password 
    //we use codepage 1252 because that is what sql server uses 
    byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password); 
    byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes); 
    return Encoding.GetEncoding(1252).GetString(hashBytes); 
}

ASP.NET membership salt?

public string EncodePassword(string pass, string salt) 
{ 
    byte[] bytes = Encoding.Unicode.GetBytes(pass); 
    byte[] src = Encoding.Unicode.GetBytes(salt); 
    byte[] dst = new byte[src.Length + bytes.Length]; 
    Buffer.BlockCopy(src, 0, dst, 0, src.Length); 
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length); 
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1"); 
    byte[] inArray = algorithm.ComputeHash(dst); 
    return Convert.ToBase64String(inArray); 
}

ASP.NET membership salt?

private const int ITERATIONS = 10000; 
private const int SALT_SIZE = 32; 
private const int HASH_SIZE = 32; 

public void SaltAndHashPassword(string password, out byte[] salt, out byte[] hash) 
{ 
    Rfc2898DeriveBytes rdb = new Rfc2898DeriveBytes(password, SALT_SIZE, ITERATIONS); 

    salt = rdb.Salt; 
    hash = rdb.GetBytes(HASH_SIZE); 
}

ASP.NET membership salt?

internal string GenerateSalt() 
{ 
    byte[] buf = new byte[16]; 
    (new RNGCryptoServiceProvider()).GetBytes(buf); 
    return Convert.ToBase64String(buf); 
} 

internal string EncodePassword(string pass, int passwordFormat, string salt) 
{ 
    if (passwordFormat == 0) // MembershipPasswordFormat.Clear 
     return pass; 

    byte[] bIn = Encoding.Unicode.GetBytes(pass); 
    byte[] bSalt = Convert.FromBase64String(salt); 
    byte[] bAll = new byte[bSalt.Length + bIn.Length]; 
    byte[] bRet = null; 

    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length); 
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length); 
    if (passwordFormat == 1) 
    { // MembershipPasswordFormat.Hashed 
     HashAlgorithm s = HashAlgorithm.Create("SHA1"); 
     // Hardcoded "SHA1" instead of Membership.HashAlgorithmType 
     bRet = s.ComputeHash(bAll); 
    } 
    else 
    { 
     bRet = EncryptPassword(bAll); 
    } 
    return Convert.ToBase64String(bRet); 
}

來源

2011-05-25 kenwarner

回答

1

下載BCrypt.Net。與typica SHA哈希算法不同的是,它過快地使任何加密的東西都容易暴力破解。由於可配置的工作因素,BCrypt速度較慢,因此儘管用戶無法接受,但當嘗試扯扯700m按鍵時,您根本無法做到這一點。

一旦bcrypt所有你需要做的哈希值是:

... 
private static readonly int BCRYPT_WORK_FACTOR = 10; 
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(account.HashedPassword, BCRYPT_WORK_FACTOR); 
...

,並檢查密碼:

bool matched = BCrypt.Net.BCrypt.Verify(password, match.HashedPassword))

此處瞭解詳情:http://www.danharman.net/2011/06/25/encrypting-hashing-passwords-for-your-website/

來源

2011-06-25 01:19:54 DanH

0

我用下一個:

var salt = Encoding.UTF8.GetBytes(this.Name); 
var bytes = Encoding.UTF8.GetBytes(password); 
return Convert.ToBase64String(new HMACSHA1(salt).ComputeHash(bytes));

來源

2011-05-26 06:27:34 abatishchev

相關問題

 相關問題