开发者

Hashing gone wrong

开发者 https://www.devze.com 2023-04-10 22:19 出处:网络
I\'m using the same function to hash values for comparison during login as I am to hash the passwords when users register:

I'm using the same function to hash values for comparison during login as I am to hash the passwords when users register:

Public Shared Function Compute(ByVal text As String, ByVal algorithm As String, Optional ByVal salt() As Byte = Nothing) As String
    If salt Is Nothing Then
        Dim saltSize As Integer = 8
        salt = New Byte(saltSize - 1) {}

        Dim rng As New RNGCryptoServiceProvider
        rng.GetNonZeroBytes(salt)
    End If

    Dim textBytes As Byte() = Encoding.UTF8.GetBytes(text)
    Dim saltedTextBytes() As Byte = New Byte(textBytes.Length + salt.Length - 1) {}
    For i As Integer = 0 To textBytes.Length - 1
        saltedTextBytes(i) = textBytes(i)
    Next i

    For i As Integer = 0 To salt.Length - 1
        saltedTextBytes(textBytes.Length + i) = salt(i)
    Next i

    Dim hash As HashAlgorithm
    If algorithm Is Nothing Then
        algorithm = ""
    End If

    Select Case algorithm.ToUpper
        Case "SHA1" : hash = New SHA1Managed
        Case "SHA256" : hash = New SHA256Managed
        Case "SHA384" : hash = New SHA384Managed
        Case "SHA512" : hash = New SHA512Managed
        Case Else : hash = New MD5CryptoServiceProvider
    End Select

    Dim hashBytes As Byte() = hash.ComputeHash(saltedTextBytes)
    Dim saltedHash() As Byte = New Byte(hashBytes.Length + salt.Length - 1) {}
    For i As Integer = 0 To hashBytes.Length - 1
        saltedHash(i) = hashBytes(i)
    Next i

    For i As Integer = 0 To salt.Length - 1
        saltedHash(hashBytes.Length + i) = salt(i)
    Next i

    Dim hashValue As String = Convert.ToBase64String(saltedHash)

    Return Left(hashValue, 36)
End Function

My problem is that when I try to log in on an account whose password was hashed by this function, the hashed values don't match up. I think I'm skipping a step or something.

Here's the code for user account creation:

        ' The email address needs to be valid
        Dim pattern As String = "^(?("")("".+?""@)|(([0-9a-zA-Z]((\.(?!\.))|[-!#\$%&'\*\+/=\?\^`\{\}\|~\w])*)(?<=[0-9a-zA-Z])@))(?(\[)(\[(\d{1,3}\.){3}\d{1,3}\])|(([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,6}))$"
        Dim match As Match = Regex.Match(txtEmail.Text, pattern)
        If match.Success Then
            'Hash the user's password before entering it into the database.
            Dim pass As String = Crypt.Compute(txtPass.Text, "SHA512", Nothing)

            ' Enter the information from the form into the database.
            Dim sql As String = "INSERT INTO Users(Username, Password, EmailAddress) " & _
                "VALUES(@User, @Pass, @Email)"
            Dim cmd As New SqlCommand(sql, conn)
            cmd.Parameters.AddWithValue("@User", txtName.Text)
            cmd.Parameters.AddWithValue("@Pass", pass)
            cmd.Parameters.AddWithValue("@Email", txtEmail.Text)

            conn.Open()
            cmd.ExecuteNonQuery()
            conn.Close()
        Else
            lblError.Text = "Invalid email address. Please correct."
            lblError.ForeColor = Drawing.Color.Red
        End If

There are more checks that aren't included here that aren't relevant to my problem.

Here's my user login:

            Dim pass As String = Crypt.Compute(txtPass.Text, "SHA512", Nothing)

            Dim UserData As New DataSet
            Dim UserAdapter As New SqlDataAdapter
            UserAdapter.SelectCommand = New SqlCommand("SELECT * FROM Users " & _
                                                       "WHERE Username = @User AND Password = @Pass", conn)
            UserAdapter.SelectCommand.Parameters.AddWithValue("@User", txtUser.Text)
            UserAdapter.SelectCommand.Parameters.AddWithValue("@Pass", pass)
            UserAdapter.Fill(UserData)

            If UserData.Tables(0).Rows.Count <> 1 Then
                lblError.Text = "Invalid username or password."
                lblError.ForeColor = Drawing.Color.Red
               开发者_StackOverflow Session("LoginAttempt") = CInt(Session("LoginAttempt")) + 1
            Else
                Session("LoggedIn") = True
                Response.Redirect("Home.aspx")
            End If

As far as I can see, there is no difference in the hashing I've done here.

Does anyone have any ideas?


  1. When you creating an account by inserting into the table, you are using txtName.Text for the username, but when checking the credentials you are using txtUser.Text.
  2. Why are you using a random salt? Doesn't the salt have to be the same for every encryption? I've pasted your code into a new project, and when I run the Compute method twice in a row for the same password, I get two different results... obviously that won't work. Try passing in a salt value instead of Nothing, and use the same salt for creating accounts and comparing login. Here's some sample code that works:

    Dim thePass As String = "MyPassword"
    Dim theSalt As String = "salt"
    
    Dim pass As String = Compute(thePass, "SHA512", Encoding.UTF8.GetBytes(theSalt))
    Console.WriteLine(pass)
    Dim pass2 As String = Compute(thePass, "SHA512", Encoding.UTF8.GetBytes(theSalt))
    Console.WriteLine(pass2) 'pass and pass2 are identical
    

Hope this helps!


Unless I'm missing it (not really familiar with the language), you don't store the salt anywhere.

You have to use the same salt you've used when creating the account for the verification.

On a side note: You can either generate a random salt for every user account or use a fixed salt for all accounts. Either method works. The first is theoretically more secure, but if the salt is long enough, both are fine for practical purposes.

0

精彩评论

暂无评论...
验证码 换一张
取 消