How to Match Hash with Salt Password in C#


Problem description

using System;
using System.Security.Cryptography;

public static class EncryptionUtilities
    {
        private const int SALT_SIZE = 8;
        private const int NUM_ITERATIONS = 1000;

        private static readonly RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        /// <summary>
        /// Creates a signature for a password.
        /// </summary>
        /// <param name="password">The password to hash.</param>
        /// <returns>the "salt:hash" for the password.</returns>
        public static string CreatePasswordSalt(string password)
        {
            byte[] buf = new byte[SALT_SIZE];
            rng.GetBytes(buf);
            string salt = Convert.ToBase64String(buf);

            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string hash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return salt + ':' + hash;
        }

        /// <summary>
        /// Validate if a password will generate the passed in salt:hash.
        /// </summary>
        /// <param name="password">The password to validate.</param>
        /// <param name="saltHash">The "salt:hash" this password should generate.</param>
        /// <returns>true if we have a match.</returns>
        public static bool IsPasswordValid(string password, string saltHash)
        {
            string[] parts = saltHash.Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries);

            if (parts.Length != 2)
                return false;
            byte[] buf = Convert.FromBase64String(parts[0]);
            Rfc2898DeriveBytes deriver2898 = new Rfc2898DeriveBytes(password.Trim(), buf, NUM_ITERATIONS);
            string computedHash = Convert.ToBase64String(deriver2898.GetBytes(16));
            return parts[1].Equals(computedHash);
        }
    }







protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();

    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;

    cmd.CommandText = "select * from tb_employees where emp_email = @emp_email and emp_password = @emp_password";
    cmd.Parameters.AddWithValue("@emp_email", TextBox1.Text);
    cmd.Parameters.AddWithValue("@emp_password", EncryptionUtilities.IsPasswordValid(TextBox2.Text.ToString(), TextBox2.Text));

    SqlDataReader dr = cmd.ExecuteReader();

    while (dr.Read())
    {
        Response.Write("success");
    }

    dr.Close();
    dr.Dispose();
    con.Close();
}

Recommended answer

I'd advise you to first learn and understand what it is you're trying to do;

https://crackstation.net/hashing-security.htm

The above link has C# examples, and there are other examples too if you google "c# hash passwords with salt".

Second of all, you're passing the result of a bool function (IsPasswordValid) to your SQL, so your SQL is going to be

select * from tb_employees where emp_email = 'me@here.com' and emp_password = true








I'm going to assume your emp_password field contains the hashed\encrypted password and not just true or false. When the user creates their account, you generate the hashed version of their password (including the salt). You save the hashed password as well as the salt that was used in the database against that user. When they log in, you retrieve their hashed password and their salt; you then re-hash the password they supplied in the password box with the salt you retrieved from the database, and see if that matches the hashed password you retrieved from the database. If they match, the person has logged in.
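
The flow the answer describes, as an added example (not code from the original question or answer): select the stored "salt:hash" by e-mail only, then verify it in C# instead of sending a bool to SQL. It assumes `emp_password` holds the string returned by `CreatePasswordSalt` and that `con` is already open; `LoginCheck`, `Verify` and `TryLogin` are hypothetical names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example: LoginCheck, Verify and TryLogin are hypothetical names.
public static class LoginCheck
{
    private const int NUM_ITERATIONS = 1000; // must equal the value used by CreatePasswordSalt
    private const int HASH_SIZE = 16;        // bytes, as in GetBytes(16) in the question

    // Re-hash the supplied password with the stored salt and compare with the stored hash.
    public static bool Verify(string password, string saltHash)
    {
        if (password == null || saltHash == null) return false;
        string[] parts = saltHash.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; } // corrupt row: treat as no match
        // Rfc2898DeriveBytes throws on salts shorter than 8 bytes.
        if (salt.Length < 8 || expected.Length != HASH_SIZE) return false;
        using (var kdf = new Rfc2898DeriveBytes(password.Trim(), salt, NUM_ITERATIONS))
        {
            byte[] actual = kdf.GetBytes(HASH_SIZE);
            int diff = 0; // compare every byte so timing does not depend on the first mismatch
            for (int i = 0; i < HASH_SIZE; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    // Select the stored "salt:hash" by e-mail only; the comparison happens in C#, not in SQL.
    // Assumes con is already open and emp_password holds the output of CreatePasswordSalt.
    public static bool TryLogin(SqlConnection con, string email, string password)
    {
        using (var cmd = new SqlCommand(
            "select emp_password from tb_employees where emp_email = @emp_email", con))
        {
            cmd.Parameters.AddWithValue("@emp_email", email);
            object stored = cmd.ExecuteScalar(); // null: no such row; DBNull: empty column
            return Verify(password, stored as string);
        }
    }
}
```

In `Button1_Click` this would stand in for the query that filters on `emp_password`: call `LoginCheck.TryLogin(con, TextBox1.Text, TextBox2.Text)` and write "success" only when it returns true.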

