[英]What Hash Algorithm used by the Asp.net Membership?
我正在嘗試為密碼實現自定義商店 。 在更改密碼之前,我需要先檢查密碼是否在用戶更改密碼的最后8次使用過。
var hashingAlgorithm = ConfigurationManager.AppSettings("MembershipProviderHashAlgorithm");
var hashedPasswordDetails = pwdHistory.GetRecentPasswordDetails(userName);
foreach (var passwordDetails_loopVariable in hashedPasswordDetails)
{
passwordDetails = passwordDetails_loopVariable;
var encodedPassword = pwdEncr
.EncodePassword(proposedNewPassword, passwordDetails.Salt, hashingAlgorithm);
var hashedPassword = passwordDetails.HashedPassword;
if (hashedPassword.Equals(encodedPassword)) //This line always return FALSE.
{
return true;
}
}
return false;
我遇到的問題是從表中返回的密碼總是與我輸入的密碼不同(事件清楚時有相同的情況)。 那是因為哈希算法 。
我已經嘗試過SHA和SHA1而沒有運氣。 是否存在ASP.NEt成員資格使用的特定散列算法? 我正在使用System.Web.Security.SqlMembershipProvider版本4.0.0.0
<add key="MembershipProviderHashAlgorithm" value="SHA" />
謝謝你的幫助。
以下是web.config中 Membership部分的配置部分。 有沒有辦法告訴使用哪種算法。
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider,
System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="myConnectionString"
../..
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
passwordAttemptWindow="10"/>
</providers>
</membership>
成員資格提供程序使用以下算法來哈希密碼。
默認哈希將根據成員資格提供程序的版本而有所不同。
MVC 4和ASP.NET 4和4.5默認哈希是SHA256 (HMACSHA256) 。
public string EncodePassword(string pass,
MembershipPasswordFormat passwordFormat, string salt)
{
byte[] numArray;
byte[] numArray1;
string base64String;
if (passwordFormat == MembershipPasswordFormat.Hashed)
{
byte[] bytes = Encoding.Unicode.GetBytes(pass);
byte[] numArray2 = Convert.FromBase64String(salt);
byte[] numArray3;
// Hash password
HashAlgorithm hashAlgorithm = HashAlgorithm.Create(Membership.HashAlgorithmType);
if (hashAlgorithm as KeyedHashAlgorithm == null)
{
numArray1 = new byte[numArray2.Length + bytes.Length];
Buffer.BlockCopy(numArray2, 0, numArray1, 0, numArray2.Length);
Buffer.BlockCopy(bytes, 0, numArray1, numArray2.Length, bytes.Length);
numArray3 = hashAlgorithm.ComputeHash(numArray1);
}
else
{
KeyedHashAlgorithm keyedHashAlgorithm = (KeyedHashAlgorithm)hashAlgorithm;
if (keyedHashAlgorithm.Key.Length != numArray2.Length)
{
if (keyedHashAlgorithm.Key.Length >= numArray2.Length)
{
numArray = new byte[keyedHashAlgorithm.Key.Length];
int num = 0;
while (true)
{
if (!(num < numArray.Length))
{
break;
}
int num1 = Math.Min(numArray2.Length, numArray.Length - num);
Buffer.BlockCopy(numArray2, 0, numArray, num, num1);
num = num + num1;
}
keyedHashAlgorithm.Key = numArray;
}
else
{
numArray = new byte[keyedHashAlgorithm.Key.Length];
Buffer.BlockCopy(numArray2, 0, numArray, 0, numArray.Length);
keyedHashAlgorithm.Key = numArray;
}
}
else
{
keyedHashAlgorithm.Key = numArray2;
}
numArray3 = keyedHashAlgorithm.ComputeHash(bytes);
}
base64String = Convert.ToBase64String(numArray3);
}
else if (passwordFormat == MembershipPasswordFormat.Encrypted)
{
throw new NotImplementedException("Encrypted password method is not supported.");
}
else
{
base64String = pass;
}
return base64String;
}
默認哈希算法是SHA-1。
private string EncodePassword(string pass, int passwordFormat, string salt)
{
if (passwordFormat == 0) // MembershipPasswordFormat.Clear
return pass;
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bRet = null;
if (passwordFormat == 1)
{ // MembershipPasswordFormat.Hashed
HashAlgorithm hm = GetHashAlgorithm();
if (hm is KeyedHashAlgorithm) {
KeyedHashAlgorithm kha = (KeyedHashAlgorithm) hm;
if (kha.Key.Length == bSalt.Length) {
kha.Key = bSalt;
} else if (kha.Key.Length < bSalt.Length) {
byte[] bKey = new byte[kha.Key.Length];
Buffer.BlockCopy(bSalt, 0, bKey, 0, bKey.Length);
kha.Key = bKey;
} else {
byte[] bKey = new byte[kha.Key.Length];
for (int iter = 0; iter < bKey.Length; ) {
int len = Math.Min(bSalt.Length, bKey.Length - iter);
Buffer.BlockCopy(bSalt, 0, bKey, iter, len);
iter += len;
}
kha.Key = bKey;
}
bRet = kha.ComputeHash(bIn);
}
else {
byte[] bAll = new byte[bSalt.Length + bIn.Length];
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
bRet = hm.ComputeHash(bAll);
}
} else {
byte[] bAll = new byte[bSalt.Length + bIn.Length];
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
bRet = EncryptPassword(bAll, _LegacyPasswordCompatibilityMode);
}
return Convert.ToBase64String(bRet);
}
如何獲得ASP.NET成員資格使用的哈希算法的精髓?
[英]How can I get the salt of the hash algorithm that ASP.NET membership uses?
ASP.NET成員資格 - 從成員資格表中檢索密碼和PasswordSalt - 哈希用戶ID
[英]ASP.NET Membership - Retrieve Password and PasswordSalt from Membership Table - Hash UserID
是什么導致ASP.NET表單成員資格出現這種奇怪的行為?
[英]What is causing this strange behaviour with ASP.NET forms membership?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.