MembershipProvider.ValidateUser密码编码实现

| 我正在自定义
MembershipProvider
类上实现
ValidateUser
方法。我已经看到了很多这样的示例,我正在寻找有关如何正确编码/哈希/加密密码的指南。我不是加密专家,并且对偏离默认实现有些担心。我应该只复制ѭ2中的相关源代码,还是可以使用其中的任何一个? http://mattwrock.com/post/2009/10/14/Implementing-custom-Membership-Provider-and-Role-Provider-for-Authinticating-ASPNET-MVC-Applications.aspx 
public override bool ValidateUser(string username, string password)
{
    if(string.IsNullOrEmpty(password.Trim())) return false;
    string hash = EncryptPassword(password);
    User user = _repository.GetByUserName(username);
    if (user == null) return false;
    if (user.Password == hash)
    {
    User = user;
    return true;
    }
    return false;
}

protected string EncryptPassword(string password)
{
    // Produses an MD5 hash string of the password
    //we use codepage 1252 because that is what sql server uses
    byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password);
    byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes);
    return Encoding.GetEncoding(1252).GetString(hashBytes);
}
ASP.NET成员资格盐? 
public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create(\"SHA1\");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
ASP.NET成员资格盐? 
private const int ITERATIONS = 10000;
private const int SALT_SIZE = 32;
private const int HASH_SIZE = 32;

public void SaltAndHashPassword(string password, out byte[] salt, out byte[] hash)
{
  Rfc2898DeriveBytes rdb = new Rfc2898DeriveBytes(password, SALT_SIZE, ITERATIONS);

  salt = rdb.Salt;
  hash = rdb.GetBytes(HASH_SIZE);
}
ASP.NET成员资格盐? 
internal string GenerateSalt()
{
    byte[] buf = new byte[16];
    (new RNGCryptoServiceProvider()).GetBytes(buf);
    return Convert.ToBase64String(buf);
}

internal string EncodePassword(string pass, int passwordFormat, string salt)
{
    if (passwordFormat == 0) // MembershipPasswordFormat.Clear
        return pass;

    byte[] bIn = Encoding.Unicode.GetBytes(pass);
    byte[] bSalt = Convert.FromBase64String(salt);
    byte[] bAll = new byte[bSalt.Length + bIn.Length];
    byte[] bRet = null;

    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
    if (passwordFormat == 1)
    { // MembershipPasswordFormat.Hashed
        HashAlgorithm s = HashAlgorithm.Create(\"SHA1\");
        // Hardcoded \"SHA1\" instead of Membership.HashAlgorithmType
        bRet = s.ComputeHash(bAll);
    }
    else
    {
        bRet = EncryptPassword(bAll);
    }
    return Convert.ToBase64String(bRet);
}
    
2020-01-08 3 条评论
分享

没有找到相关结果

    已邀请:

    宠封钞轰

    下载BCrypt.Net。与typica SHA散列相反,SHA散列太快了,使任何加密的内容都变得容易暴力破解。 BCrypt由于可配置的工作因数而较慢,因此尽管对于用户而言是不可察觉的,但是当尝试每秒以700m的力度破解密钥时,您根本无法做到。 进行bcrypt加密后,您需要做的就是: 
    ...
private static readonly int BCRYPT_WORK_FACTOR = 10;
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(account.HashedPassword, BCRYPT_WORK_FACTOR);
...
    并检查密码: 
    bool matched = BCrypt.Net.BCrypt.Verify(password, match.HashedPassword))
    此处提供更多信息:http://www.danharman.net/2011/06/25/encrypting-hashing-passwords-for-your-website/     
    2020-01-08 0 0
    分享

    臀夯脖锑

    我使用下一个: 
    var salt = Encoding.UTF8.GetBytes(this.Name);
var bytes = Encoding.UTF8.GetBytes(password);
return Convert.ToBase64String(new HMACSHA1(salt).ComputeHash(bytes));
        
    2020-01-08 0 0
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    或代码 OrCode.com 备案号:粤ICP备15020848号-1
    Escape time: 0.045118808746338