AdventureWorks2012 DB - how was the password stored and how is the password validated?

I got the AdventureWorks2012 DB from http://msftdbprodsamples.codeplex.com/releases/view/55330 and am trying to validate passwords against the Person.Password table. The 'PasswordHash' column description says "Password for the e-mail account." and the 'PasswordSalt' column description says "Random value concatenated with the password string before the password is hashed."

Here is some sample data from the DB:

BusinessEntityID  PasswordHash                                  PasswordSalt  EmailAddress
----------------  --------------------------------------------  ------------  --------------------------
1                 pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=  bE3XiWw=      ken0@adventure-works.com
2                 bawRVNrZQYQ05qF05Gz6VLilnviZmrqBReTTAGAudm0=  EjJaC3U=      terri0@adventure-works.com

How do I know which hash algorithm was used to create the PasswordHash? And how was the PasswordSalt generated?

Here is my code attempt to validate the password, but none of the hash algorithms works. Can anyone please shed some light on this?

using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public class SecurityService : ISecurityService
{
    public string UserName { get; set; }

    public bool ValidateCredentials(string password, Password dbPassword)
    {
        bool valid = false;

        // dbPassword.PasswordSalt: bE3XiWw=
        byte[] saltBytes = Convert.FromBase64String(dbPassword.PasswordSalt);
        // password: ken0@adventure-works.com (Encoding.Unicode = UTF-16LE)
        byte[] passwordBytes = Encoding.Unicode.GetBytes(password);
        // dbPassword.PasswordHash: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=
        byte[] passwordHashBytes = Convert.FromBase64String(dbPassword.PasswordHash);
        // Digest of the candidate password with the stored salt appended
        byte[] passwordHashed = Hash(passwordBytes, saltBytes);
        // Digest of the stored hash with the salt appended (the stored hash is hashed a second time)
        byte[] dbPasswordHashed = Hash(passwordHashBytes, saltBytes);

        valid = dbPasswordHashed.SequenceEqual(passwordHashed);

        return valid;
    }

    private static byte[] Hash(byte[] value, byte[] salt)
    {
        // value || salt, then a single pass of the selected digest
        byte[] saltedValue = value.Concat(salt).ToArray();
        return HashAlgorithm.Create("MD5").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA1").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA256").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA384").ComputeHash(saltedValue);
        //return HashAlgorithm.Create("SHA512").ComputeHash(saltedValue);
    }
}

If you replace `valid = dbPasswordHashed.SequenceEqual(passwordHashed);` with `valid = passwordHashBytes.SequenceEqual(passwordHashed);`, it will give correct results.
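As an added example (not code from the question or the answer), the same check in Python: decode the two Base64 columns, narrow the digest down by the stored hash's length, recompute digest(encode(password) || salt) the way the question's Hash() does, and compare in constant time. The sample password is constructed, since the plaintexts behind the sample rows are not on this page; only the salt of the first row is taken from the question.

```python
import base64
import hashlib
import hmac

# The digests the question's Hash() method cycles through.
CANDIDATES = ("md5", "sha1", "sha256", "sha384", "sha512")


def candidates_for(stored_hash_b64):
    """Names whose digest length matches the stored hash; the 44-char Base64 value
    in the question decodes to 32 bytes, which leaves only SHA-256 of this list."""
    size = len(base64.b64decode(stored_hash_b64))
    return [name for name in CANDIDATES if hashlib.new(name).digest_size == size]


def salted_hash(password, salt, algo="sha256", encoding="utf-16-le"):
    """digest(encode(password) || salt), the layout the question's Hash() builds.
    utf-16-le is what .NET's Encoding.Unicode produces; utf-8 is the other usual choice."""
    return hashlib.new(algo, password.encode(encoding) + salt).digest()


def make_record(password, salt_b64, algo="sha256", encoding="utf-16-le"):
    """Build (PasswordHash, PasswordSalt) as Base64, shaped like the Person.Password columns."""
    digest = salted_hash(password, base64.b64decode(salt_b64), algo, encoding)
    return base64.b64encode(digest).decode(), salt_b64


def verify(password, stored_hash_b64, salt_b64, algo="sha256", encoding="utf-16-le"):
    """Correct check: hash the candidate password once and compare with the stored digest.
    compare_digest keeps the comparison time independent of where the bytes differ."""
    salt = base64.b64decode(salt_b64)
    computed = salted_hash(password, salt, algo, encoding)
    return hmac.compare_digest(computed, base64.b64decode(stored_hash_b64))


def verify_double_hashed(password, stored_hash_b64, salt_b64, algo="sha256", encoding="utf-16-le"):
    """The question's bug: the stored digest is run through Hash() again before the compare,
    so the two sides can never match, whichever digest is selected."""
    salt = base64.b64decode(salt_b64)
    computed = salted_hash(password, salt, algo, encoding)
    rehashed = hashlib.new(algo, base64.b64decode(stored_hash_b64) + salt).digest()
    return hmac.compare_digest(computed, rehashed)


if __name__ == "__main__":
    # Constructed sample: the first row's salt from the question with a made-up password.
    stored_hash, salt = make_record("example-password", "bE3XiWw=")
    print(candidates_for("pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM="))  # ['sha256']
    print(verify("example-password", stored_hash, salt))                   # True
    print(verify_double_hashed("example-password", stored_hash, salt))     # False
```

A single digest pass over password || salt is enough to reproduce the sample data, but a production system should store passwords with a deliberately slow scheme such as PBKDF2, bcrypt or Argon2 rather than plain SHA-256.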
