如何在C#中验证加盐和哈希密码 [英] How to validate salted and hashed password in c#
问题描述
我使用以下方法对密码进行加盐和哈希处理
I used the below method to salt and hash the passwords
public string CreateSalt(int size)
{
var rng = new System.Security.Cryptography.RNGCryptoServiceProvider();
var buff = new byte[size];
rng.GetBytes(buff);
return Convert.ToBase64String(buff);
}
public string GenerateSHA256Hash(String input, String salt)
{
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input + salt);
System.Security.Cryptography.SHA256Managed sha256hashstring =
new System.Security.Cryptography.SHA256Managed();
byte[] hash = sha256hashstring.ComputeHash(bytes);
return Convert.ToBase64String(hash);
}
public void Submit1_click(object sender, EventArgs r)
{
try
{
String salt = CreateSalt(10);
String hashedpassword = GenerateSHA256Hash(password1.Text, salt);
string MyConString = "SERVER=localhost;DATABASE=mydb;UID=root;PASSWORD=abc123;";
MySqlConnection connection = new MySqlConnection(MyConString);
string cmdText = "INSERT INTO authentication(agentlogin ,password ,question ,answer)VALUES ( @login, @pwd, @question, @answer)";
MySqlCommand cmd = new MySqlCommand(cmdText, connection);
cmd.Parameters.AddWithValue("@login", labeluname.Text);
cmd.Parameters.AddWithValue("@pwd", hashedpassword);
cmd.Parameters.AddWithValue("@question", ddlquestion.Text);
cmd.Parameters.AddWithValue("@answer", txtanswer.Text);
connection.Open();
int result = cmd.ExecuteNonQuery();
connection.Close();
lblmsg.Text = "Registered succesfully";
lblmsg.ForeColor = System.Drawing.Color.Green;
Response.Redirect("index.aspx");
}
catch (Exception)
{
Console.Write("not entered");
lblmsg.Text = "Registration failed!";
lblmsg.ForeColor = System.Drawing.Color.Red;
Response.Redirect("index.aspx");
}
}
所以我从上面获得了完全加密的密码,但是现在我无法使用在此输入的密码登录.登录时如何取消密码的密码?我想我可以使用与加密相同的方法来取消哈希处理,但是盐化处理不会返回相同的值. 以下是验证页面上的代码
So I get the fully encrypted password from the above, but now I can't login using the passwords that was entered in there. How can I unsalt the password when logging in? I figured I can just use the same method used to encrypt to unhash it but the salting doesn't return the same values. The below is the code on validation page
public string GenerateSHA256Hash(String input)
{
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input);
System.Security.Cryptography.SHA256Managed sha256hashstring =
new System.Security.Cryptography.SHA256Managed();
byte[] hash = sha256hashstring.ComputeHash(bytes);
return Convert.ToBase64String(hash);
}
public void Login_click(object sender, EventArgs r)
{
String hashedpassword = GenerateSHA256Hash(txtpassword.Text);
string MyConString = ConfigurationManager.ConnectionStrings["connStr"].ConnectionString;
MySqlConnection con = new MySqlConnection(MyConString);
MySqlCommand cmd = new MySqlCommand("select * from authentication where agentlogin=@username and password=@word", con);
cmd.Parameters.AddWithValue("@username", txtusername.Text);
cmd.Parameters.AddWithValue("@word", hashedpassword);
MySqlDataAdapter sda = new MySqlDataAdapter(cmd);
DataTable dt = new DataTable();
sda.Fill(dt);
con.Open();
int i = cmd.ExecuteNonQuery();
con.Close();
if (dt.Rows.Count > 0)
{
Session["id"] = txtusername.Text;
Response.Redirect("calendar.aspx");
Session.RemoveAll();
}
else
{
lblmsg.Text = "Credential doesn't match!";
lblmsg.ForeColor = System.Drawing.Color.Red;
}
}
推荐答案
在用户表Username
和Hash
和Salt
用户注册
1)在注册表格中输入用户输入的username
或password
.
1) Take input username
or password
from user in your registration form.
2)使用以下方法为输入的密码创建哈希和盐值.
2) Create Hash and Salt for input password with below method.
public class HashSalt
{
public string Hash { get; set; }
public string Salt { get; set; }
}
public static HashSalt GenerateSaltedHash(int size, string password)
{
var saltBytes = new byte[size];
var provider = new RNGCryptoServiceProvider();
provider.GetNonZeroBytes(saltBytes);
var salt = Convert.ToBase64String(saltBytes);
var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, 10000);
var hashPassword = Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256));
HashSalt hashSalt = new HashSalt { Hash = hashPassword, Salt = salt };
return hashSalt;
}
Rfc2898DeriveBytes类用于使用RFC2898规范生成哈希,该规范使用一种称为PBKDF2(基于密码的密钥派生功能#2)的方法,并且当前由IETF(Internet工程任务组)推荐用于新应用. /p>
Rfc2898DeriveBytes class is used to generate the hash using the RFC2898 specification, which uses a method known as PBKDF2 (Password Based Key Derivation Function #2) and is currently recommend by the IETF (Internet Engineering Task Force) for new applications.
3)然后将此Hash
和Salt
与用户记录一起存储在数据库中.
3) Then stored this Hash
and Salt
with user record in database.
public void Submit1_click(object sender, EventArgs r)
{
//Your code here
HashSalt hashSalt = GenerateSaltedHash(64, password1.Text);
//Your code here
cmd.Parameters.AddWithValue("@hash", hashSalt.Hash);
cmd.Parameters.AddWithValue("@salt", hashSalt.Salt);
//You code here
}
用户登录
1)从用户的登录表单中输入username
或password
.
1) Take input username
or password
from user in your login form.
2)在Login_click
中,从数据库中按用户名获取用户.
2) In Login_click
get user by username from database.
3)将存储的Hash
和Salt
传递给以下功能.
3) Pass stored Hash
and Salt
to below function.
public static bool VerifyPassword(string enteredPassword, string storedHash, string storedSalt)
{
var saltBytes = Convert.FromBase64String(storedSalt);
var rfc2898DeriveBytes = new Rfc2898DeriveBytes(enteredPassword, saltBytes, 10000);
return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256)) == storedHash;
}
4)然后通过验证密码登录您的用户.
4) Then login your user by verifying his/her password.
public void Login_click(object sender, EventArgs r)
{
//You code here
User user = GetUserByUsername(txtUsername.Text);
bool isPasswordMatched = VerifyPassword(txtpassword.Text, user.Hash, user.Salt);
if (isPasswordMatched)
{
//Login Successfull
}
else
{
//Login Failed
}
//Your code here
}
参考:有效的密码哈希
这篇关于如何在C#中验证加盐和哈希密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!