添加在C#ASP.NET自定义hashAlgorithmType [英] Adding a custom hashAlgorithmType in C# ASP.NET
问题描述
我有一个网页,我需要以加强安全性上。我使用的是内置的MembershipProvider功能,目前拥有 hashAlgorithmType 设置为SHA512。我已经得到了BCrypt.NET库(HTTP://bcrypt.$c$cplex.com/),似乎当我打电话从code的功能进行很好的工作,但我有最坏的时候盘算如何建立相应的< cryptographySettings>在Web.config中部分让我创建一个 hashAlgorithmType
我在网上找到了以下code片断:
<&mscorlib程序GT;
< cryptographySettings>
< cryptoNameMapping>
< cryptoClasses>
< cryptoClass MyHash =MyHashClass,MyAssembly程序
文化=中性公钥= a5d015c7d5a0b012,
版本= 1.0.0.0/>
< cryptoClass MyCrypto =MyCryptoClass,MyAssembly程序
文化=中性公钥= a5d015c7d5a0b012,
版本= 1.0.0.0/>
< / cryptoClasses>
< nameEntry NAME =System.Security.Cryptography.HashAlgorithm
类=MyHash/>
< / cryptoNameMapping>
< oidMap>
< oidEntry OID =1.3.36.3.2.1NAME =MyCryptoClass/>
< / oidMap>
< / cryptographySettings>
< / mscorlib程序>
打电话给我一个小白,如果你想要的,但我显然不具备必要的知识,使头或尾巴的。所有我需要的是告诉会员提供了一种方法,像< hashAlgorithmType =bcrypt> 对应像字符串哈希= BCrypt .HashPassword(密码,BCrypt.GenerateSalt(12)); 来加密和布尔匹配= BCrypt.CheckPassword(候选,散列); 解密。请告诉我有一个简单的答案。我可以从头开始重写登录系统,如果我有,但我已经有一个工作实现,我真的很想只是改变的哈希算法。
我相信配置模式必须被应用到machine.config文件;如果您需要能够轻松地推出这个code这不一定是一个很好的举措。
您可以通过编程注册用的通过调用CryptoConfig 类<一个href=\"http://msdn.microsoft.com/en-us/library/system.security.cryptography.cryptoconfig.addalgorithm.aspx\"相对=nofollow> AddAlgorithm 用,可以为您以后可以使用一个名称。
只要BCrypt哈希提供者实现 HashAlgorithn 你应该能够简单地注册,也可以通过调用 HashAlgorithm.Create测试这个(字符串)与您使用来验证它建立正确的算法名。
的成员资格提供程序应然后就可以使用它没有问题。
下面是关于这个话题的好文章。
更新
(深吸一口气) - 道歉,如果这是TL;博士
好了,看了周围约BCrypt.Net的密码哈希 - 这显然是不错的,并遵循公认的做法。这也与如何使用的HashAlgorithm 类的工作,因为它需要额外的状态,为了工作它的魔力,并不能简单地进行扩展以实现在<$完全不符C $ C>的HashAlgorithm 合同。
因此,你有一个选择 - 坚持与的MembershipProvider ,并使用SHA512因为你已经是 - 你是在谈论一个的页,所以我想有可能是与认证本身的问题,而不是密码的存储(必须,当然,仍然可以正常完成) - 所以考虑只要确保认证流量通过HTTPS发送的,如果它是没有。
使用密码拉伸算法盲目有自己的问题 - 看到的我自己最近的SO关于这一主题 - !如果你的服务器上拉伸你可能最终导致网站上的DOS攻击
另一种选择是,如你所说,完全管理会员你自己 - 这样你可以使用任何你想要的类型和手动管理的密码信息所需的存储
。我的网站现在使用的算法非常相似,PBKDF2,我从布鲁斯和尼尔斯·弗格森的著作实用加密解除,为此我使用512位随机盐和SHA512(存储很便宜),加上成千上万次迭代的散列明确文本。服务器基准测试本身的每一次AppDomain中建立等同于毫秒范围内的保护水平 - 因此,随着时间的新哈希密码将得到保护水平不变,即使硬件改善。图书馆是独立的,也和我已经能够将其部署到SQL Server 2008 R2提供的SP CLR如果我们在SQL级别来生成密码记录。
但是,这不仅保护了密码 - 那么你需要一个认证机制,可以保护记录的行为;加上保护认证会话令牌另一个系统(NET的验证cookie系统实际上是pretty好这一点)。
从继所以我现在已经花了一个星期实施 SCRAM 元,我有话插入我的MVC的Web服务进行身份验证,我打算做同样的启用从使用Javascript网页浏览器登录(锁定了非JS客户端)。关键是有客户端拼尽全力的哈希计算;因此,我一直坚持着,因为SHA成熟的实现是在几乎任何环境中容易获得(例如,我们有iPhone应用程序 - 并且他们需要进行身份验证以及)
。在你的情况,但是,随着的MembershipProvider现有的投资,我会考虑加SHA SSL加Asp.Net的身份验证cookie的足够的512位 - 只要数据库的真正 安全(!),你已经得到了在现场没有SQL注入漏洞。
I've got a page that I need to beef up security on. I'm using the built-in MembershipProvider functionality and currently have hashAlgorithmType set to SHA512. I've got the BCrypt.NET library (http://bcrypt.codeplex.com/) and it seems to be working nicely when I call its functions from code but I'm having the worst time figuring out how to create the appropriate <cryptographySettings> section in Web.config to let me create a hashAlgorithmType.
I found the following code snippet on the web:
<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass MyHash="MyHashClass, MyAssembly
Culture=neutral, PublicKeyToken=a5d015c7d5a0b012,
Version=1.0.0.0"/>
<cryptoClass MyCrypto="MyCryptoClass, MyAssembly
Culture=neutral, PublicKeyToken=a5d015c7d5a0b012,
Version=1.0.0.0"/>
</cryptoClasses>
<nameEntry name="System.Security.Cryptography.HashAlgorithm"
class="MyHash"/>
</cryptoNameMapping>
<oidMap>
<oidEntry OID="1.3.36.3.2.1" name="MyCryptoClass"/>
</oidMap>
</cryptographySettings>
</mscorlib>
Call me a noob if you want, but I apparently don't have the requisite knowledge to make heads or tails of that. All I need is a method to tell the membership provider that something like <hashAlgorithmType="bcrypt"> corresponds to something like string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12)); to encrypt and bool matches = BCrypt.CheckPassword(candidate, hashed); to decrypt. Please tell me there's an easy answer. I can rewrite the login system from scratch if I have to, but I already have a working implementation that I'd really like to just change the hashing algorithm of.
I believe that config pattern must be applied to the machine.config file; which isn't necessarily a great move if you need to be able to roll out this code easily.
You can programmatically register the BCrypt encryption primitive(s) with the CryptoConfig class through a call to AddAlgorithm with a name that can you can later use.
So long as the BCrypt hash provider implements HashAlgorithn you should be able to register it simply, you can also test this by calling HashAlgorithm.Create(string) with the name you use to verify that it builds the algorithm correctly.
The membership provider should then be able to use it without issue. Here's a good article about this topic.
Update
(deep breath) - apologies if this is tl;dr.
Okay, so having read around about BCrypt.Net's password hashing - it's obviously good, and follows accepted practise. It is, also, completely incompatible with how the HashAlgorithm class works because it requires additional state in order to work it's magic, and can't simply be extended to implement the HashAlgorithm contract.
Thus, you have a choice - stick with MembershipProvider and use SHA512 as you already are - you're talking about beefing up security on a page, so I'm thinking there might be issues with authentication itself, rather than the storage of passwords (which must, of course, still be done properly) - so consider simply making sure that the authentication traffic is sent over HTTPS if it's not already.
Using password stretching algorithms blindly has its own issues - see the responses to my own recent SO on this topic - if you do the stretching on the server you could potentially end up causing a DOS attack on the site!
The other option is, as you've suggested, to manage the membership entirely yourself - thus you can use whichever types you want and manage the necessary storage of the password information manually.
My sites now use an algorithm very similar to PBKDF2 that I lifted from Bruce Schneier and Niels Ferguson's book Practical Cryptography, for which I use 512 bit random salt and SHA512 (storage is cheap) plus many thousands of iterations to hash a clear text. The server benchmarks itself once per appdomain to establish 'levels' of protection that equate to millisecond ranges - thus over time newly hashed passwords will receive a constant level of protection even if the hardware improves. The library is standalone, too, and I've been able to deploy it to SQL Server 2008 R2 to provide CLR SPs if we have to generate password records at the SQL level.
But this only protects the passwords - you then need an authentication mechanism that can protect the act of logging in; plus another system for protecting the authenticated session token (.Net's Authentication Cookie system is actually pretty good for this).
Following on from that SO I have now spent a week implementing SCRAM primitives that I have then plugged into my MVC web services for authentication, and I plan to do the same to enable login from the web browser using Javascript (locking out non-JS clients). The key there being the client is doing all the hash calculations; thus I've stuck to SHA because mature implementations are readily available in practically any environment (e.g. we have iPhone apps too - and they need to authenticate as well).
In your case, however, with the existing investment in the MembershipProvider, I would consider 512 bits of SHA plus SSL plus Asp.Net's auth cookie sufficient - so long as the database is really secure(!) and you've got no SQL injection holes in the site.
这篇关于添加在C#ASP.NET自定义hashAlgorithmType的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
