ASP.Net - 如何在使用Login Control登录前加密密码

Question

I'm using the ASP.Net Login control to login a web application. When the user submits the form, I want to call a function to encrypt the password before ASP.Net sends the information for authentication.

I tried to add a Customer Validator on the password field and if the password is not empty, the Password.Text will be replaced with the encrypted value. However, it seems ASP.Net still sent the original password for authentication.

I also tried adding a onClick event on the login button to encrypt the password but ASP.Net still sent the original password for authentication.

Is there a way to do this? Thank you!

UPDATE:

I'm sorry for not making this clear. What I need is to encrypt the password at Server Side.

I'm not using ASP.Net Membership to encrypt or hash the password while registering a user. The passwordFormat property has been set to "Clear".

What I am doing is:

1. While a new user registers, I use a customized function to encrypt the password and save it to database.
2. When a user tries to login, I want to use the same function to encrypt the password entered by the user and let ASP.Net to authenticate the user.

The problem I'm having is I can't find a way to call the encrypt function before ASP.Net initiate the authentication process.

Hope this makes sense. Thank you.

Allen

Answer 1

You were definitely on the right track with adding the OnClick event. If you are trying to do the encryption client-side then you will need to use the OnClientClick event instead (OnClick happens server-side and OnClientClick happens client-side). I initially assumed you were using it to call a client-side javascript function that does the encryption?

[ EDIT ]

However, if you are doing the encryption server-side, and using a Login control, then you might want to use the OnAuthenticate event:

<asp:Login id="Login1" runat="server" OnAuthenticate="OnAuthenticate">
</asp:Login>

Then do your encryption here:

private void OnAuthenticate(object sender, AuthenticateEventArgs e) {
    bool authenticated = false;
    String encryptedPassword = Encrypt(Login1.Password);
    authenticated = YourAuthenticationMethod(Login1.UserName, encryptedPassword );

    e.Authenticated = authenticated;
}
private bool YourAuthenticationMethod(String username, String encryptedPassword) {
    //test the encrypted password against that retrieved from your database using the username
}

Answer 2

Why are you trying to encrypt the password client side before sending it to the server? That's really no more secure than sending the server your plain password. The code you write to encrypt this password is viewable by anyone.

On the server you should use something like this:

public static string createPasswordHash(string pwd)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "md5");
    }

Answer 3

Sorry if I misunderstood something about the ASP.NET technology, but it should provide server side application. Therefore, You should not be able to use any "c# code" to encrypt transferring password. If You cannot use secured HTTP (if You could, You wouldn't need to encrypt the password, because all communication would be encrypted), JavaScript is "only way". However, if Your project contains client-side application (the one that is really installed (or run) on client's computer), You can use full c# potential of course.

There is a discussion why would You need it at all. As I see no better explanation, I will try to provide my own: The encryption of password transferred via Internet is essential if you expect that someone will listen to the communication in between client's computer and the server. As I understand it, if user clicks on the log-in button at your site, the page he sees the form on is actually downloaded in his computer and the click only causes a transfer of data from client to server. The data is not encrypted at all and any evil Eve can listen to the transfer obtaining client's plain text password.
But You should be aware that even if You send encrypted password, the encryption covers only plain text password problem. If Your server-side application expects password encrypted with a static algorithm and my only goal (as evil Eve) is to successfully log into the system, I don't actually need to know the password itself, its encrypted form will be good enough. It is quite complex problem and it depends on how much security Your connection really needs - if the costs (or Your effort) are relevant to the risk. If You are really serious with as best as possible security, You should go through some security standards.
The point about seeing Your algorithm written in JavaScript is irrelevant as far as it is well implemented (RSA is both open and easily accessible algorithm, though safe enough).