Membership Provider EncodePassword method, .NET 4.0
I am writing my own Custom Membership Provider but am using the Membership Provider's own EncodePassword method, which is shown below:
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// EncryptPassword is an instance method inherited from MembershipProvider, so this
// method only compiles inside a class that derives from MembershipProvider.
internal string EncodePassword(string pass, int passwordFormat, string salt)
{
    if (passwordFormat == 0) // MembershipPasswordFormat.Clear
        return pass;

    // The password is encoded as UTF-16LE; the salt is stored Base64-encoded.
    byte[] bIn = Encoding.Unicode.GetBytes(pass);
    byte[] bSalt = Convert.FromBase64String(salt);
    byte[] bAll = new byte[bSalt.Length + bIn.Length];
    byte[] bRet = null;

    // Input to the hash or cipher is salt || password.
    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

    if (passwordFormat == 1)
    { // MembershipPasswordFormat.Hashed
        // The algorithm name comes from the membership section's hashAlgorithmType setting.
        HashAlgorithm s = HashAlgorithm.Create(Membership.HashAlgorithmType);
        bRet = s.ComputeHash(bAll);
    }
    else
    { // MembershipPasswordFormat.Encrypted
        bRet = EncryptPassword(bAll);
    }
    return Convert.ToBase64String(bRet);
}
I now know after hunting around for a number of hours that in .NET 4 the algorithm used is HMACSHA256. I understand that I need a key for the algorithm to work correctly.
My question is how do I do this?
Do I put the key in the config file and reference it in some way?
Any help would be appreciated!
Thanks.
Comments (1)
Don't use SHA! Go and download BCrypt.Net. SHA is too fast at hashing which makes anything encrypted with it easy to brute force. BCrypt is slower due to a configurable work factor, so whilst imperceptible to the user, when trying to brute force 700m keys a second, you simply can't.
Once you have bcrypt all you need to do to hash is:
and to check a password:
I have written this up in a bit more depth here http://www.danharman.net/2011/06/25/encrypting-hashing-passwords-for-your-website/
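The hash and check calls the answer refers to, as an added C# example that is not the answerer's own snippet or the BCrypt.Net project's code; it assumes the BCrypt.Net package is referenced and exposes HashPassword(string, int) and Verify(string, string), and it also times salted SHA-256 against a single bcrypt verification to make the work-factor argument concrete on your own hardware.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

// Assumes the BCrypt.Net package is referenced; HashPassword(string, int) and
// Verify(string, string) are taken from that library's API, not from this page.
static class PasswordHashing
{
    // bcrypt cost parameter: log2 of the number of rounds, so each +1 doubles the time.
    // Tune it so one hash takes a noticeable fraction of a second on the login server.
    const int WorkFactor = 12;

    // Hash a new password. bcrypt draws its own random salt and embeds salt, cost and
    // digest in the returned string, so no separate salt column or secret key is needed.
    public static string Hash(string password)
    {
        return BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    // Verify a login attempt; the salt and cost are read back out of the stored hash.
    public static bool Verify(string password, string storedHash)
    {
        return BCrypt.Net.BCrypt.Verify(password, storedHash);
    }

    // Illustrates the "SHA is too fast" point: how many salted SHA-256 computations
    // fit into the time one bcrypt verification takes on this machine.
    public static void CompareCost()
    {
        const string password = "correct horse battery staple"; // constructed sample
        string stored = Hash(password);
        Console.WriteLine("stored: " + stored); // $2a$12$<22-char salt><31-char digest>

        var sw = Stopwatch.StartNew();
        bool ok = Verify(password, stored);
        sw.Stop();
        long bcryptMs = Math.Max(1, sw.ElapsedMilliseconds);

        byte[] salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        byte[] pw = Encoding.Unicode.GetBytes(password); // same UTF-16 encoding as EncodePassword
        byte[] all = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, all, salt.Length, pw.Length);
        long shaCount = 0;
        sw.Restart();
        using (var sha = SHA256.Create())
            while (sw.ElapsedMilliseconds < bcryptMs) { sha.ComputeHash(all); shaCount++; }

        Console.WriteLine("bcrypt verify: {0} ms (valid={1}); salted SHA-256 in the same time: {2} hashes",
                          bcryptMs, ok, shaCount);
    }

    static void Main() { CompareCost(); }
}
```

Verify against stored hashes from a membership provider's ValidateUser override, and never the reverse: a bcrypt string already carries its salt and cost, so no machineKey or config-file secret is involved.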