开发者

ASP.NET: SHA1 + Salt Password Hashing on Multiple Servers

So, I am the approach David Hayden posted on his blog (http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx) to create a salt and hash the user's password by taking the user's raw password and the generated salt and using SHA1 to hash the value.

I then store the salt and the hashed password in the database.

The website is currently load balanced, so I was wondering if resulting hash value would be the same for both servers.

Here is the snippet of code posted on David Hayden's blog:

private static string CreateSalt(int size)
  {
   //Generate a cryptographic random number.
   RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
   byte[] buff = new byte[size];
   rng.GetBytes(buff);

   // Return a Base64 string representation of the random number.
   return Convert.ToBase64String(buff);
  }

private static string CreatePasswordHash(string pwd, string salt)
  {
   string saltAndPwd = String.Concat(pwd, salt);
   string hashedPwd =
    FormsAuthentication.HashPasswordForStoringInConfigFile(
    saltAndPwd, "sha1");

   return hashedPwd;
  }

The reason I ask is that th开发者_如何学Pythonis code uses the code snippet:

FormsAuthentication.HashPasswordForStoringInConfigFile(
        saltAndPwd, "sha1");


I think the key question your asking here is if the SHA1 algorithm is the same whatever server it is running on. In which case the answer is yes.

Presumably you store your generated salt somewhere that all the servers can access it, along with the password hash? So the method used to generate the salt doesn't need to be consistent across servers.


This method will only use the parameters passed into it.
Don't worry about it; it will work.


"To address this issue, the validationKey and decryptionKey values must be identical on all computers in the Web farm." http://msdn.microsoft.com/en-us/library/ff647070.aspx#pagexplained0002_webfarmscenarios

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜