.NET 4.0 中的错误加密错误
今天,我将 Web 应用程序移至 .net 4.0,但 Forms Auth 停止工作。经过几个小时的深入研究我的 SqlMembershipProvider(内置 SqlMembershipProvider 的简化版本),我发现 HMACSHA256 哈希不一致。这就是加密方法:
internal string EncodePassword(string pass, int passwordFormat, string salt)
{
if (passwordFormat == 0) // MembershipPasswordFormat.Clear
return pass;
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
if (passwordFormat == 1)
{ // MembershipPasswordFormat.Hashed
HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
bRet = s.ComputeHash(bAll);
} else
{
bRet = EncryptPassword( bAll );
}
return Convert.ToBase64String(bRet);
}
两次传递相同的密码和盐会返回不同的结果!它在 .NET 3.5 中完美运行
任何人都知道任何重大更改,或者这是一个已知的错误?
更新:当我指定 SHA512 作为哈希算法时,一切正常,所以我确实相信这是 .NET 4.0 中 HMACSHA256 哈希算法实现中的一个错误,
谢谢! 安德烈
Today I moved my web application to .net 4.0 and Forms Auth just stopped working. After several hours of digging into my SqlMembershipProvider (simplified version of built-in SqlMembershipProvider), I found that HMACSHA256 hash is not consistent. This is the encryption method:
internal string EncodePassword(string pass, int passwordFormat, string salt)
{
if (passwordFormat == 0) // MembershipPasswordFormat.Clear
return pass;
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
if (passwordFormat == 1)
{ // MembershipPasswordFormat.Hashed
HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
bRet = s.ComputeHash(bAll);
} else
{
bRet = EncryptPassword( bAll );
}
return Convert.ToBase64String(bRet);
}
Passing the same password and salt twice returns different results!!! It was working perfectly in .NET 3.5
Anyone aware of any breaking changes, or is it a known bug?
UPDATE: When I specify SHA512 as hashing algorithm, everything works fine, so I do believe it's a bug in implementation of HMACSHA256 hashing algorithm in .NET 4.0
Thanks!
Andrey
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我相信 .net 4.0 中存在一些与安全相关的更改,看看这个...
http://www.asp.net/(S(ywiyuluxr3qb2dfva1z5lgeg))/learn/whitepapers/aspnet4/writing-changes
第一个显而易见的事情是这个 . ..
您是否明确设置了哈希算法,或者只是让 asp.net 决定...如果它现在使用不同的默认值,它可能只是随机获取任何旧的哈希算法,因为不再支持定义的算法。
话虽如此,M$ 可能已经退役了您正在使用的那个,所以这可能就是原因,bugger....我刚刚意识到我需要测试我的 CMS...我没有想到这一点。
感谢您的提醒,希望我的想法对我们都有帮助!
I believe there have been some security related changes in .net 4.0 have a look at this ...
http://www.asp.net/(S(ywiyuluxr3qb2dfva1z5lgeg))/learn/whitepapers/aspnet4/breaking-changes
The first obvious thing that sticks out is this ...
Have you explicitly set your hashing algorithm or just let asp.net decide ... if it's using a different default now it may be just grabbing any old hashing algorithm at random as the defined one is no longer supported.
Having said that, M$ may have retired the one you are using, so that may be the cause, bugger .... i just realised i need to test my CMS ... this hadn't occurred to me.
Thanks for the heads up, hopefully my thoughts will help us both !!!
我也遇到了这个问题。
在我的情况下,最终目标是能够动态设置连接字符串(而不是在 web.config 中硬编码)。我通过下载 MS 为 ASP.NET 提供程序提供的源代码并更改一些用于获取连接字符串的内部功能来完成此操作。
然而,这都是针对 .NET 2.0 的,看起来就像 Andrey 上面发布的代码一样。一切就绪后,我发现我无法登录我的网站。所以经过搜索,我发现了这篇文章。谢谢!
我继续下载了 .NET Framework 4.0 代码(如果有人想知道)这里是 EncodePassword 方法的新版本。我计划将其复制到旧版本的 SqlMembershipProvider 中,以便我可以使用新的加密方法并能够再次登录我的 ASP.NET 4.0 网站!
编辑:尝试将这一方法复制到旧版本的 SqlMembershipProvider 中是一个坏主意。改变太多了。 :(
I also ran into this problem.
In my situation the end goal was to be able to set the connectionString dynamically (instead of hard-coded in the web.config). I did this by downloading the source code MS has put out for the ASP.NET Providers and changing some of the internal functionality for getting the connection string.
However, this was all for .NET 2.0 and looks just like the code Andrey posted up above. Once I got it all in place, I noticed I was unable to login to my website. So after searching I found this post. Thanks!
I went ahead and downloaded the .NET Framework 4.0 code and (if anyone wants to know) here is the new version of the EncodePassword method. I'm planning to copy this into my old version of the SqlMembershipProvider so I can use the new encryption methods and be able to login to my ASP.NET 4.0 website again!
Edit: Attempting to copy this one method into the old version of the SqlMembershipProvider was a bad idea. Too much has changed. :(