Re: Please Help - Encryption Problems
From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 04/23/04
- In reply to: Joe Kaplan (MVP - ADSI): "Re: Please Help - Encryption Problems"
Date: Fri, 23 Apr 2004 13:32:57 -0300
I agree with Joe's suggestion.
The FormsAuthentication.HashPasswordForStoringInConfigFile method actually
encodes in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
suggest using the same methods for both clients
(HashPasswordForStoringInConfigFile should be well suited in this case).
However, if you are hashing passwords for storing in a DB, I recommend that
you add a salt value for dictionary attack mitigation. Check out this code
from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:

Creating a Salt Value

The following code shows how to generate a salt value by using random number
generation functionality provided by the RNGCryptoServiceProvider class
within the System.Security.Cryptography namespace.

    using System;
    using System.Security.Cryptography;
    using System.Web.Security;

    public static string CreateSalt(int size)
    {
        // Fill a buffer with cryptographically strong random bytes.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        // Return the salt as Base64 so it can be stored as text.
        return Convert.ToBase64String(buff);
    }

Creating a Hash Value (with Salt)

The following code fragment shows how to generate a hash value from a
supplied password and salt value.

    public static string CreatePasswordHash(string pwd, string salt)
    {
        // Append the salt to the password, then hash the combined string.
        string saltAndPwd = string.Concat(pwd, salt);
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(
                saltAndPwd, "SHA1");
        return hashedPwd;
    }

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in
message news:%23jvEnWUKEHA.3924@tk2msftngp13.phx.gbl...
> It is probably an encoding problem. Forms auth uses UTF8 encoding and you
> are using ASCII. I suggest you try switching to UTF8 first.
>
> Joe K.
>
> "Jamie Sutherland" <jamie.sutherland@nhcscotland.no.spam.com> wrote in
> message news:eH30GnTKEHA.3380@TK2MSFTNGP09.phx.gbl...
> > Hi,
> > I have a problem in that I have 2 applications writing to the same
> > Database.
> > One App is web based and the other is windows/forms based.
> > Both have the same job in that they can reset a user's password in the
> > database. Both are using SHA1 encryption however they both give different
> > results when the programs are run.
> > If I run the windows exe file and set the password to password the exe
> > encrypts as follows: 5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8
> >
> > If I run the web based version with the word password I get the following:
> > 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
> >
> > Notice the web version has extra in it.
> > Please help..... Below is the code I have been using for both versions:
> >
> > Web Version:
> >     Dim Pwd As String = "password"
> >     Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(Pwd, "SHA1")
> >     Return hashedPwd
> >
> >
> > Windows Exe Version:
> >     Dim Pwd As String = Trim("password")
> >     Dim Data As Byte()
> >     Data = System.Text.Encoding.ASCII.GetBytes(Pwd)
> >     Dim shaM As New SHA1Managed
> >     Dim resultHash As Byte() = shaM.ComputeHash(Data)
> >     Dim hashedpwd = ""
> >     Dim b As Byte
> >     For Each b In resultHash
> >         hashedpwd += Hex(b)
> >     Next
> >     Return hashedpwd
> >
> >
> > Thanks
> > Jamie
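
Added example, not part of the original posts or of the MSDN code quoted above: a C# console program that hashes the thread's test password with both ASCII and UTF-8 encodings and formats each digest two ways, unpadded per byte as the posted `Hex(b)` loop does and zero-padded to two digits per byte, so the two clients' outputs can be compared side by side. The class and method names and the non-ASCII sample password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HashFormatDemo
{
    static byte[] Sha1(byte[] data)
    {
        using (SHA1 sha = SHA1.Create())
            return sha.ComputeHash(data);
    }

    // Two hex digits per byte, so a 20-byte SHA-1 digest is always 40 characters.
    static string HexPadded(byte[] hash)
    {
        var sb = new StringBuilder(hash.Length * 2);
        foreach (byte b in hash) sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    // No padding, like VB's Hex(b): any byte below 0x10 contributes one digit only.
    static string HexUnpadded(byte[] hash)
    {
        var sb = new StringBuilder();
        foreach (byte b in hash) sb.Append(b.ToString("X"));
        return sb.ToString();
    }

    static void Report(string pwd)
    {
        byte[] ascii = Sha1(Encoding.ASCII.GetBytes(pwd));
        byte[] utf8 = Sha1(Encoding.UTF8.GetBytes(pwd));
        Console.WriteLine("password input : " + pwd);
        Console.WriteLine("ASCII, unpadded: " + HexUnpadded(ascii));
        Console.WriteLine("ASCII, padded  : " + HexPadded(ascii));
        Console.WriteLine("UTF8,  padded  : " + HexPadded(utf8));
        Console.WriteLine("same digest for both encodings: "
            + (HexPadded(ascii) == HexPadded(utf8)));
        Console.WriteLine("characters lost without padding: "
            + (HexPadded(ascii).Length - HexUnpadded(ascii).Length));
        Console.WriteLine();
    }

    static void Main()
    {
        Report("password");   // the test value from the thread (ASCII-only)
        Report("pässword");   // constructed sample: ASCII encoding replaces 'ä' with '?'
    }
}
```

Whichever client writes the stored value, comparing the length of the hex string against twice the digest size (40 characters for SHA-1) is a quick check that no byte was formatted short.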