Decrypting an 'Encrypted' password from ASP.NET 2.0 Membership


Problem description

I have a requirement to decrypt the Encrypted (not Hashed) passwords located in my aspnet_Membership table. In that database I see the Password (Encrypted) and PasswordSalt fields, and I can look at my web.config to find the machinekey > decryptionKey (validation="SHA1" decryption="AES").

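Note: I'd love to use hashed passwords, but for business reasons I need to be able to use the member's password for SSO into and out of other remote systems, hence using Encrypted (definitely NOT using Clear - yuck!)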

Given all that, surely there is a way to retrieve the password as Clear, plain and readable text, i.e. decrypted, but I'm having real trouble finding any website, or answer on stackoverflow (and I'm looking at all the "similar questions" and "question with similar titles" here) that explains how this can be done.

I've found the MembershipProvider.DecryptPassword Method page, but I still cannot work out how to actually use this in my code. I've also found other pages, via Google, but most examples of password decryption don't appear to take the salt and decryptionKey into account.

Does anyone have a straightforward example of selecting the password, passwordsalt and decryptionkey from their respective locations, and using them to decrypt an ASP.NET 2.0 Membership Encrypted password?

Recommended answer

Create a class that inherits from SqlMembershipProvider and in it you can call the decrypt.

All the code you need for this can be found in this article by Naveen Kohli:

After looking through the code in Reflector, I saw that Microsoft providers decrypt in two steps. The encrypted password is actually a Base64 conversion of encrypted data. So first it converts it back from Base64 and then calls the DecryptPassword method. I just did the easiest thing. Copied the code from the Microsoft implementation, removed all the checks it was doing and then used it. The following class is an example of a class derived from SqlMembershipProvider with a method that just returns me the password in clear text for a given encrypted password.

using System;
using System.Text;
using System.Web.Security;

namespace MembershipPasswordRecover
{
    public class NetFourMembershipProvider : SqlMembershipProvider
    {
        public string GetClearTextPassword(string encryptedPwd)
        {
            // The stored value is the Base64 form of the encrypted bytes.
            byte[] encodedPassword = Convert.FromBase64String(encryptedPwd);
            // DecryptPassword is protected, hence the derived class.
            byte[] bytes = this.DecryptPassword(encodedPassword);
            if (bytes == null)
            {
                return null;
            }
            // Skip the first 0x10 (16) bytes and decode the rest as UTF-16.
            return Encoding.Unicode.GetString(bytes, 0x10, bytes.Length - 0x10);
        }
    }

    public static class Program
    {
        public static void Main(string[] args)
        {
            var passwordManager = new NetFourMembershipProvider();
            var clearPWd = passwordManager.GetClearTextPassword("encryptedpasswordhere");
            Console.WriteLine(clearPWd);
        }
    }
}
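
An added example, not from the original answer or from Naveen Kohli's article: a round-trip check showing why the code above skips 0x10 bytes. SqlMembershipProvider prepends the 16-byte salt to the UTF-16 password before encrypting, so the salt comes back out of the ciphertext and the PasswordSalt column is not a separate input to decryption. LayoutCheckProvider and LayoutCheck are hypothetical names, and the program assumes the site's machineKey has been copied into its own config file.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security; // .NET Framework, reference System.Web.dll
// Hypothetical class for illustration. Assumes the site's <machineKey> is
// copied under <system.web> in this program's config file.
public class LayoutCheckProvider : SqlMembershipProvider
{
    const int SaltLength = 16; // the 0x10 offset in the answer's code

    // Stored form: Base64( Encrypt( salt || UTF-16LE(password) ) ).
    public string Encode(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        return Convert.ToBase64String(EncryptPassword(all));
    }

    // Reverse of Encode; also returns the salt found inside the ciphertext.
    public string Decode(string stored, out string saltBase64)
    {
        byte[] plain = DecryptPassword(Convert.FromBase64String(stored));
        if (plain == null || plain.Length < SaltLength)
            throw new FormatException("Decrypted value is shorter than the salt prefix.");
        saltBase64 = Convert.ToBase64String(plain, 0, SaltLength);
        return Encoding.Unicode.GetString(plain, SaltLength, plain.Length - SaltLength);
    }
}

public static class LayoutCheck
{
    public static void Main()
    {
        // Constructed sample values, not real credentials.
        byte[] saltBytes = new byte[16];
        RandomNumberGenerator.Create().GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);

        var provider = new LayoutCheckProvider();
        string stored = provider.Encode("constructed-sample-password", salt);
        string recoveredSalt;
        string clear = provider.Decode(stored, out recoveredSalt);
        Console.WriteLine("password round-trips: " + (clear == "constructed-sample-password"));
        Console.WriteLine("salt prefix intact:   " + (recoveredSalt == salt));
    }
}
```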
