Re: How do I can check a password Hash in WSE 2.0
From: Paul Glavich [MVP - ASP.NET] (glav_at_aspalliance.com-NOSPAM)
Date: 06/14/04
Date: Mon, 14 Jun 2004 22:16:20 +1000
After reading the documentation on WSE2.0, it seems you only need to return
the actual password as part of the AuthenticateToken method that you
override, and WSE2 will create a hash, and compare it with the one that was
passed. The documentation is quoted below :-
************************************
The SHA-1 hash of the password is sent in the SOAP message. This is the best
way to help protect the password. When a SOAP message is received with a
UsernameToken, WSE calls the AuthenticateToken method of the class deriving
from UsernameTokenManager that is registered in the configuration file. The
AuthenticateToken method returns a password or password equivalent, which
WSE creates a SHA-1 hash from. That SHA-1 hash is compared to the one in the
SOAP message and if they are identical, the hashed password is deemed valid.
************************************
Not much help I know but here are some links that may help.
http://blogs.geekdojo.net/justin/archive/2004/06/03/2139.aspx
http://dotnetjunkies.com/WebLog/softwaremaker/
--
- Paul Glavich
Microsoft MVP - ASP.NET
"Juan Irigoyen" <juan_irigoyen@hotmail.com> wrote in message
news:a1jjac.9d.ln@orannews.oran.local...
> Yes, but how do I perform the same hashing? I tried the following code, but
> it is not working.
>
> string ncadena = HashPassword(Convert.ToBase64String(token.Nonce), token.Created, "1111");
>
> private string HashPassword(string nnonce, DateTime nfecha, string npassword)
> {
>     byte[] n = System.Text.Encoding.UTF8.GetBytes(nnonce);
>     byte[] c = System.Text.Encoding.UTF8.GetBytes(nfecha.ToString());
>     byte[] p = System.Text.Encoding.UTF8.GetBytes(npassword);
>
>     byte[] toBeDiges = new byte[n.Length + c.Length + p.Length];
>     Array.Copy(n, 0, toBeDiges, 0, n.Length);
>     Array.Copy(c, 0, toBeDiges, n.Length, c.Length);
>     Array.Copy(p, 0, toBeDiges, (n.Length + c.Length), p.Length);
>
>     Array.Clear(p, 0, p.Length);
>
>     SHA1 hash = SHA1.Create();
>     byte[] digest = hash.ComputeHash(toBeDiges);
>     Array.Clear(toBeDiges, 0, toBeDiges.Length);
>
>     return Convert.ToBase64String(digest);
> }
>
>
>
> "Paul Glavich [MVP - ASP.NET]" <glav@aspalliance.com-NOSPAM> wrote in message
> news:ucVIX5FUEHA.1356@TK2MSFTNGP09.phx.gbl...
> >
> > You need to have the original data (in this case the password), so that you
> > can perform the same hashing algorithm against the data, get the resultant
> > hash, and then compare your computed hash against the supplied one.
> >
> > Hashing is not reversible in that you cannot reverse hash it to get the
> > password or original data. Bottom line, you need the original password to
> > compare against OR you simply store hashes in the database against the
> > user's profile, so that you never actually store passwords, only ever hashes
> > of the passwords that are used for comparison.
> >
> > --
> > - Paul Glavich
> > Microsoft MVP - ASP.NET
> >
> >
> > "Juan Irigoyen" <juan_irigoyen@hotmail.com> wrote in message
> > news:pohcac.s91.ln@orannews.oran.local...
> > >
> > >
> > > For example:
> > >
> > > Client
> > >
> > > token = new UsernameToken("juan", "1111", PasswordOption.SendPlainText);
> > >
> > >
> > > Server
> > >
> > > protected override string AuthenticateToken( UsernameToken token )
> > > {
> > >     string ncadena = "1111";
> > >     return ncadena;
> > > }
> > >
> > >
> > > This sample works well, but if the password is SendHashed the sample doesn't.
> > >
> > >
> > > Client
> > >
> > > token = new UsernameToken("juan", "1111", PasswordOption.SendHashed);
> > >
> > >
> > > Server
> > >
> > > protected override string AuthenticateToken( UsernameToken token )
> > > {
> > >     string ncadena = "1111";
> > >     return ncadena;
> > > }
> > >
> > >
> > > I can't find an example for this problem.
> > > Thanks,
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
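The comparison the quoted documentation describes, as an added C# example (not from the original posts and not WSE's own code). It assumes the digest is the OASIS UsernameToken Profile PasswordDigest, Base64(SHA-1(nonce + created + password)), taken over the decoded nonce bytes and the Created text exactly as it appears in the message; `UsernameTokenDigest`, `Compute`, `Verify` and the sample values are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example: PasswordDigest = Base64( SHA-1( nonce + created + password ) )
static class UsernameTokenDigest
{
    // nonceBase64 and created are the exact strings carried in the UsernameToken.
    public static string Compute(string nonceBase64, string created, string password)
    {
        byte[] nonce = Convert.FromBase64String(nonceBase64); // raw nonce bytes, not the Base64 text
        byte[] c = Encoding.UTF8.GetBytes(created);           // timestamp text as sent, not re-formatted
        byte[] p = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[nonce.Length + c.Length + p.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(c, 0, input, nonce.Length, c.Length);
        Buffer.BlockCopy(p, 0, input, nonce.Length + c.Length, p.Length);
        byte[] digest;
        using (SHA1 sha1 = SHA1.Create()) digest = sha1.ComputeHash(input);
        Array.Clear(p, 0, p.Length);          // do not leave password bytes in memory
        Array.Clear(input, 0, input.Length);
        return Convert.ToBase64String(digest);
    }

    // Constant-time comparison: every byte is examined, so timing does not reveal a matching prefix.
    public static bool Verify(string receivedDigest, string nonceBase64, string created, string password)
    {
        byte[] expected, received;
        try
        {
            expected = Convert.FromBase64String(Compute(nonceBase64, created, password));
            received = Convert.FromBase64String(receivedDigest);
        }
        catch (FormatException) { return false; }  // malformed nonce or digest is a failed login
        int diff = expected.Length ^ received.Length;
        for (int i = 0; i < expected.Length && i < received.Length; i++)
            diff |= expected[i] ^ received[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values, not taken from a real message.
        string nonce = Convert.ToBase64String(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 });
        string created = "2004-06-14T12:16:20Z";
        string digest = Compute(nonce, created, "1111");
        Console.WriteLine(Verify(digest, nonce, created, "1111"));
        Console.WriteLine(Verify(digest, nonce, created, "2222"));
    }
}
```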