.NET custom MembershipProvider decrypt password
I'm using a custom MemberShipProvider in a c# project based on the code from: http://www.asp.net/learn/videos/video-189.aspx and for some reason开发者_如何学编程 I can't figure out, the method that decrypts the user password to validate the login gives an extra 8 characters in front of the password value (for example: 䝉慣嘗㳪畕锬password).
I use "encrypted" passwordFormat and the method UnEncodePassword consists in:
private string UnEncodePassword(string encodedPassword)
{
string password = encodedPassword;
password = Encoding.Unicode.GetString(DecryptPassword(Convert.FromBase64String(encodedPassword)));
return password;
}
Thanks!
"䝉慣嘗㳪畕锬" is the salt? (updated)
On the server, in a web.config or other you have a salt value such as "milkshake". When the user gives a password like "TheYard" you add the salt and encrypt "milkshakeTheYard". When they login, you add the salt to their request and compare it to the encrypted string.
So what's the point of salt? If the encrypted password fell into the wrong hands, "TheYard" being only 7 characters is easy to lookup on a Rainbow Table. By adding salt, you make this process much harder.
Salt by itself provides little security, but used in combination provides an easily implmeneted extra layer.
You should not be able to decrypt the password. You should encrypt the user-entered password and compare it to the stored encrypted password. Password recovery should generate a random one-time use password and force the user to change it the first time it's used.
Found it! I have to subtract the 16 bytes salt from my decrypted encodedPassword variable to get the password:
private string UnEncodePassword(string encodedPassword)
{
string password = encodedPassword;
byte[] bytesIn = Convert.FromBase64String(encodedPassword);
byte[] bytesRet = DecryptPassword(bytesIn);
password = System.Text.Encoding.Unicode.GetString(bytesRet, 16, bytesRet.Length - 16);
return password;
}
Thanks Ian to give me the clue about the salt!
加载中,请稍侯......
精彩评论