Decrypting an 'Encrypted' password from ASP.NET 2.0 Membership

Problem description

I have a requirement to decrypt the Encrypted (not Hashed) passwords located in my aspnet_Membership table. In that database I see the Password (Encrypted) and PasswordSalt fields, and I can look at my web.config to find the machinekey > decryptionKey (validation="SHA1" decryption="AES").

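Note: I would love to use hashed passwords, but for business reasons I need to be able to use the member's password for SSO into and out of other remote systems, hence the use of Encrypted (and definitely NOT Clear - yikes!).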

Given all that, surely there is a way to retrieve the password as Clear, plain and readable text, i.e. decrypted, but I'm having real trouble finding any website, or answer on stackoverflow (and I'm looking at all the "similar questions" and "question with similar titles" here) that explains how this can be done.

I've found the MembershipProvider.DecryptPassword Method page, but I still cannot work out how to actually use this in my code. I've also found other pages, via Google, but most examples of password decryption don't appear to take the salt and decryptionKey into account.

Does anyone have a straightforward example of selecting the password, passwordsalt and decryptionkey from their respective locations, and using them to decrypt an ASP.NET 2.0 Membership Encrypted password?

Recommended answer

Create a class that inherits from SqlMembershipProvider and in it you can call the decrypt.

All the code you need for this can be found in this article by Naveen Kohli:

After looking through the code in Reflector, I saw that the Microsoft providers decrypt in two steps. The encrypted password is actually a Base64 conversion of encrypted data. So first it converts it back from Base64 and then calls the DecryptPassword method. I just did the easiest thing. Copied the code from the Microsoft implementation, removed all the checks it was doing and then used it. The following class is an example of a class derived from SqlMembershipProvider with a method that just returns me the password in clear text for a given encrypted password.

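using System;
using System.Text;
using System.Web.Security;

namespace MembershipPasswordRecover
{
    public class NetFourMembershipProvider : SqlMembershipProvider
    {
        // Returns the clear-text password for a Base64 value from aspnet_Membership.Password.
        public string GetClearTextPassword(string encryptedPwd)
        {
            // Step 1: the stored value is a Base64 conversion of the encrypted data.
            byte[] encodedPassword = Convert.FromBase64String(encryptedPwd);
            // Step 2: decrypt; the key comes from the machineKey settings in the
            // application's configuration file.
            byte[] bytes = this.DecryptPassword(encodedPassword);
            if (bytes == null)
            {
                return null;
            }
            // Skip the first 0x10 (16) bytes and decode the rest as UTF-16.
            return Encoding.Unicode.GetString(bytes, 0x10, bytes.Length - 0x10);
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            var passwordManager = new NetFourMembershipProvider();
            var clearPWd = passwordManager.GetClearTextPassword("encryptedpasswordhere");
            Console.WriteLine(clearPWd);
        }
    }
}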
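
The question asks where PasswordSalt fits in, and the answer's code simply skips 0x10 bytes. The sketch below is an added example, not code from the answer or from Naveen Kohli's article. It takes the bytes returned by DecryptPassword and checks the 16-byte prefix against the row's PasswordSalt before decoding, so a wrong key or mismatched row fails loudly instead of returning garbage. It assumes the skipped prefix is the Base64-decoded PasswordSalt value; the class name, method name and sample data are hypothetical.

```csharp
using System;
using System.Text;

public static class MembershipPlaintextLayout
{
    private const int SaltSize = 16; // the 0x10 offset used in the answer's code

    // decrypted: bytes returned by DecryptPassword.
    // passwordSaltBase64: the PasswordSalt column value of the same row.
    public static string ExtractPassword(byte[] decrypted, string passwordSaltBase64)
    {
        if (decrypted == null || decrypted.Length < SaltSize)
            throw new ArgumentException("Decrypted buffer is shorter than the 16-byte prefix.");
        if ((decrypted.Length - SaltSize) % 2 != 0)
            throw new ArgumentException("Password bytes have an odd length, not valid UTF-16.");

        // Assumption: the prefix is the row's salt; a mismatch points to a wrong key or row.
        byte[] salt = Convert.FromBase64String(passwordSaltBase64);
        if (salt.Length != SaltSize)
            throw new ArgumentException("PasswordSalt does not decode to 16 bytes.");
        for (int i = 0; i < SaltSize; i++)
        {
            if (decrypted[i] != salt[i])
                throw new InvalidOperationException("Salt prefix does not match PasswordSalt.");
        }

        return Encoding.Unicode.GetString(decrypted, SaltSize, decrypted.Length - SaltSize);
    }

    public static void Main()
    {
        // Constructed sample: a made-up 16-byte salt followed by a UTF-16LE password.
        byte[] salt = new byte[SaltSize];
        for (int i = 0; i < SaltSize; i++) salt[i] = (byte)(i + 1);
        byte[] pwd = Encoding.Unicode.GetBytes("Secret1!");
        byte[] buffer = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, buffer, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, buffer, salt.Length, pwd.Length);

        Console.WriteLine(ExtractPassword(buffer, Convert.ToBase64String(salt)));
    }
}
```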
