AdventureWorks2012 DB - how was the password stored and how is the password validated?


Problem description


I got AdventureWorks2012 DB from http://msftdbprodsamples.codeplex.com/releases/view/55330 and trying to ValidatePassword from Person.Password table. 'PasswordHash' column description says "Password for the e-mail account." and 'PasswordSalt' column description says "Random value concatenated with the password string before the password is hashed."


Here are the sample data from the DB:

BusinessEntityID  PasswordHash                                  PasswordSalt  EmailAddress
----------------  --------------------------------------------  ------------  ---------------------------
1                 pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=  bE3XiWw=      ken0@adventure-works.com
2                 bawRVNrZQYQ05qF05Gz6VLilnviZmrqBReTTAGAudm0=  EjJaC3U=      terri0@adventure-works.com


How do I know which hash algorithm is used to create the PasswordHash? And how was the PasswordSalt generated?


Here is my code attempt to validate the password, but none of the hash algorithms is working. Can anyone please shed some light on this?

// Namespaces the snippet relies on (not shown in the original post).
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed shape of the types the snippet references; the original post does not
// show ISecurityService or the entity mapped to Person.Password.
public interface ISecurityService { }

public class Password
{
    public string PasswordHash { get; set; }
    public string PasswordSalt { get; set; }
}

public class SecurityService : ISecurityService
{
    public string UserName { get; set; }

    public bool ValidateCredentials(string password, Password dbPassword)
    {
        bool valid = false;

        // Decode the base64 salt and hash from the row; encode the candidate password as UTF-16LE
        // (Encoding.Unicode), which is what the rest of the attempt assumes.
        byte[] saltBytes = Convert.FromBase64String(dbPassword.PasswordSalt); // dbPassword.PasswordSalt: bE3XiWw=
        byte[] passwordBytes = Encoding.Unicode.GetBytes(password); // password: ken0@adventure-works.com
        byte[] passwordHashBytes = Convert.FromBase64String(dbPassword.PasswordHash); // dbPassword.PasswordHash: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=

        // Hash the candidate password with the salt ...
        byte[] passwordHashed = Hash(passwordBytes, saltBytes);
        // ... and also run the decoded stored hash through the same salted hash.
        byte[] dbPasswordHashed = Hash(passwordHashBytes, saltBytes);

        valid = dbPasswordHashed.SequenceEqual(passwordHashed);

        return valid;
    }

    private static byte[] Hash(byte[] value, byte[] salt)
    {
        // Salt is appended after the value; each candidate algorithm was tried in turn
        // by uncommenting one line at a time.
        byte[] saltedValue = value.Concat(salt).ToArray();
        return HashAlgorithm.Create("MD5").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA1").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA256").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA384").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA512").ComputeHash(saltedValue);
    }
}


Recommended answer

If you replace

valid = dbPasswordHashed.SequenceEqual(passwordHashed);

with

valid = passwordHashBytes.SequenceEqual(passwordHashed);

it will give the correct result.
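The answer fixes the comparison: the stored PasswordHash is already a digest, so it must be decoded and compared as-is, not salted and hashed a second time. Two checks that the question itself does not spell out are worth making before trying algorithms at random. First, the stored value decodes to a fixed-size digest, and the digest length identifies the algorithm: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM= is 44 base64 characters with one padding byte, i.e. 32 bytes, which among the candidates in the post only SHA-256 produces (MD5 is 16 bytes, SHA-1 20, SHA-384 48, SHA-512 64). Second, the remaining unknowns are the string encoding of the password (Encoding.Unicode is UTF-16LE; UTF-8 is the other usual choice) and whether the salt goes before or after the password, and those can be enumerated. The following is an added example, not code from the post or from the AdventureWorks sample; it mirrors the .NET calls in Python (Convert.FromBase64String is base64.b64decode, Encoding.Unicode.GetBytes is str.encode("utf-16-le")), picks the digest from the stored length, validates with a constant-time comparison, and reports which combination matches. The password "Secret!2012" and the row built from it are constructed for the demonstration; the real plaintexts behind the AdventureWorks rows are not known here, so only the length check is run against the real hash.

```python
import base64
import hashlib
import hmac

# Decoded digest length -> algorithm, for the candidates listed in the post.
DIGEST_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}

# Encodings the .NET code might have used for the password string:
# "utf-16-le" is Encoding.Unicode (no BOM), "utf-8" is Encoding.UTF8.
ENCODINGS = ("utf-16-le", "utf-8")

# Real PasswordHash/PasswordSalt for BusinessEntityID 1 as shown in the question.
REAL_HASH_B64 = "pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM="
REAL_SALT_B64 = "bE3XiWw="


def digest_name_for(stored_hash_b64: str) -> str:
    """Pick the candidate algorithm from the decoded length of the stored hash."""
    size = len(base64.b64decode(stored_hash_b64))
    if size not in DIGEST_BY_LENGTH:
        raise ValueError(f"no candidate digest produces {size} bytes")
    return DIGEST_BY_LENGTH[size]


def salted_hash(password: str, salt_b64: str, digest: str,
                encoding: str = "utf-16-le", salt_first: bool = False) -> bytes:
    """digest(password_bytes + salt_bytes) (or salt + password when salt_first)."""
    password_bytes = password.encode(encoding)
    salt_bytes = base64.b64decode(salt_b64)
    data = salt_bytes + password_bytes if salt_first else password_bytes + salt_bytes
    return hashlib.new(digest, data).digest()


def encode_stored_hash(password: str, salt_b64: str, digest: str = "sha256",
                       encoding: str = "utf-16-le", salt_first: bool = False) -> str:
    """Produce a PasswordHash column value the way a row would be written."""
    return base64.b64encode(salted_hash(password, salt_b64, digest, encoding, salt_first)).decode("ascii")


def validate(password: str, stored_hash_b64: str, salt_b64: str, digest: str = "sha256",
             encoding: str = "utf-16-le", salt_first: bool = False) -> bool:
    """The corrected check: hash the candidate once, decode the stored digest, compare."""
    expected = base64.b64decode(stored_hash_b64)
    actual = salted_hash(password, salt_b64, digest, encoding, salt_first)
    # Constant-time comparison; SequenceEqual in the post short-circuits on the first mismatch.
    return hmac.compare_digest(actual, expected)


def identify_scheme(password: str, stored_hash_b64: str, salt_b64: str):
    """Return (digest, encoding, salt_first) for the first combination that validates, else None."""
    digest = digest_name_for(stored_hash_b64)
    for encoding in ENCODINGS:
        for salt_first in (False, True):
            if validate(password, stored_hash_b64, salt_b64, digest, encoding, salt_first):
                return digest, encoding, salt_first
    return None


if __name__ == "__main__":
    print("real row digest length implies:", digest_name_for(REAL_HASH_B64))
    # Constructed row: a known password hashed with the real salt, UTF-16LE, password then salt.
    demo_password = "Secret!2012"
    demo_hash = encode_stored_hash(demo_password, REAL_SALT_B64)
    print("constructed PasswordHash:", demo_hash)
    print("scheme recovered:", identify_scheme(demo_password, demo_hash, REAL_SALT_B64))
    print("wrong password accepted?", validate("not-the-password", demo_hash, REAL_SALT_B64))
```

identify_scheme is meant for working out how a sample database was populated; production code should call validate with the scheme pinned, since trying several encodings per login multiplies the attacker's guessing budget as well. A single salted SHA-256 is what the sample appears to use, but it is not a password-storage scheme to copy into a new system: use a slow, memory-hard or iterated construction (PBKDF2, bcrypt, scrypt or Argon2) there.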
