How does DotNetNuke Hash Its Passwords?
I am writing a login system that will log in against a DotNetNuke application's database. I have access to the database and can read the PasswordSalt in the aspnet_Membership table. Hence I will have as inputs:
and I must produce as output the hashed Password. The PasswordFormat=2, which is "Encrypted". However, I have not been able to find details of the encryption algorithm being used, so that I can rewrite it in my own application. So far, my research has led me to this page:
http://msdn.microsoft.com/en-us/library/aa478949.aspx
and also this SO post, which has the following formula in one of the comments:
Convert.ToBase64String((new Rfc2898DeriveBytes(YourPWD, YourSALT)).GetBytes(20))
However, this formula does not appear to work on my test data, which has the following inputs and outputs:
You can see my test here: http://ideone.com/EClO2
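    using System;
    using System.Security.Cryptography;

    public class Test
    {
        public static void Main()
        {
            // PBKDF2 (Rfc2898DeriveBytes, default iteration count) over the
            // password and the Base64-decoded salt, 20 bytes out, Base64-encoded.
            byte[] salt = Convert.FromBase64String("ahEvjCX3FM04S5cSi1qdHA==");
            Console.WriteLine(Convert.ToBase64String(
                (new Rfc2898DeriveBytes("888888", salt)).GetBytes(20)));
        }
    }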
Thanks for any help!
Answered here: ASP.NET MembershipProvider -- How exactly does it do encryption?
Looking at the source code, they have a class called AspNetMembershipProvider which has a method called UserLogin. UserLogin calls a private method called ValidateUser which in turn uses the ASP.NET Membership provider so it actually calls this method Membership.ValidateUser internally.
So if you call the same method with the username and password, the membership provider will take care of the password hashing and return a boolean value indicating whether the password matches.
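The approach in the answer above, sketched as an added example (not part of the original post and not DotNetNuke's own code): the credential check is delegated to Membership.ValidateUser instead of re-deriving the stored value. The class name `DnnCredentialCheck` and its `Result` enum are hypothetical, and the sketch assumes the calling application's configuration defines the same membership provider settings and `<machineKey>` as the DotNetNuke site.

```csharp
using System;
using System.Web.Security; // ASP.NET Membership API

// Hypothetical helper: validates a login through the configured membership
// provider rather than reimplementing its password handling.
public static class DnnCredentialCheck
{
    public enum Result { Ok, Rejected, LockedOut, NotApproved }

    public static Result Check(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return Result.Rejected;

        // Assumption: the default provider in this application's config points
        // at the DotNetNuke database and uses the same applicationName and
        // <machineKey> as the site. Fail closed if the format is not the
        // "Encrypted" (PasswordFormat=2) one the question describes.
        MembershipProvider provider = Membership.Provider;
        if (provider.PasswordFormat != MembershipPasswordFormat.Encrypted)
            throw new InvalidOperationException(
                "Provider '" + provider.Name + "' is not configured for " +
                "Encrypted passwords; check the membership configuration.");

        // The provider reads the stored salt and password itself and
        // returns only a boolean.
        if (Membership.ValidateUser(username, password))
            return Result.Ok;

        // ValidateUser also returns false for locked-out or unapproved
        // accounts. Look up the reason for server-side logging only; show the
        // caller the same generic failure in every case.
        MembershipUser user = Membership.GetUser(username, false);
        if (user != null && user.IsLockedOut) return Result.LockedOut;
        if (user != null && !user.IsApproved) return Result.NotApproved;
        return Result.Rejected;
    }
}
```

Because the password never has to be re-encoded by the calling application, the login system does not need to read PasswordSalt or the stored Password column at all.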