
Passwords in ASP.NET

Tegwin (Senior Member, joined 03 September 2003, United Kingdom)
Posted: 29 June 2006 at 4:43pm
Hey Guys,
I am looking for 2 things really...

1) Does anyone have any ideas on how to do password hashing with SALT? I have an application for ASP.NET that I am writing and I need to use secure passwords.

2) Keeping with the passwords thing, I would like to do something where, if the user forgot their password, it would be reset and a new one sent to them. Any ideas how to do this?

Thanks

Chris

michael (Senior Member, joined 08 April 2002, United States)
Posted: 29 June 2006 at 9:32pm
Well, #2 is built in to .NET 2.0, so let me know if you decide to use 1.1; you would have to do that manually, but it is rather simple.

#1 is not hard with .NET at all. If you want to use a hash with salt or any other crypto you can use this example class from MSDN:
[code]
Imports System.IO
Imports System.Security.Cryptography
Imports System.Threading

Class SampleCrypto

    ' This routine creates a new symmetric algorithm object of the chosen type.
    Public Sub New(ByVal strCryptoName As String)
        ' The shared Create method of the abstract symmetric algorithm base class
        ' implements a factory design for the creation of its concrete classes.
        crpSym = SymmetricAlgorithm.Create(strCryptoName)

        ' Initialize the byte arrays to the proper length for the
        ' instantiated crypto class.
        ReDimByteArrays()
    End Sub

    Private abytIV() As Byte
    Private abytKey() As Byte
    Private abytSalt() As Byte
    Private crpSym As SymmetricAlgorithm
    Private strPassword As String = ""
    Private strSaltIVFile As String = ""
    Private strSourceFile As String = ""

    Public Property Password() As String
        Get
            Return strPassword
        End Get
        Set(ByVal Value As String)
            strPassword = Value
        End Set
    End Property

    Public Property SaltIVFile() As String
        Get
            Return strSaltIVFile
        End Get
        Set(ByVal Value As String)
            If File.Exists(Value) Then
               strSaltIVFile = Value
            Else
               Throw New FileNotFoundException("The SaltIV .dat file for the " & _
                    "selected crypto type was not found. Before encrypting or " & _
                    "decrypting you must create this file.")
            End If
        End Set
    End Property

    Public Property SourceFileName() As String
        Get
            Return strSourceFile
        End Get
        Set(ByVal Value As String)
            If File.Exists(Value) Then
               strSourceFile = Value
            Else
               Throw New FileNotFoundException(Value & " does not exist.")
            End If
        End Set
    End Property

    ' This routine creates a .dat file containing the salt and IV.
    Public Function CreateSaltIVFile(ByVal strSaveToPath As String) As Boolean

        ' Initialize the byte arrays to the proper length for the
        ' instantiated crypto class.
        ReDimByteArrays()

        ' Create a Filestream object to write the salt and IV to a file.
        Dim fsKey As New FileStream(strSaveToPath, FileMode.OpenOrCreate, _
            FileAccess.Write)

        ' Generate a random "salt" value. These random bytes are appended to the
        ' password before the key derivation, making what is called a "Dictionary
        ' Attack" much more difficult. The concept is similar to the use of an IV.
        Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
        rng.GetBytes(abytSalt)

        Dim pdb As New PasswordDeriveBytes(strPassword, abytSalt)
        ' Get the same amount of bytes as the current abytKey length as set in
        ' ReDimByteArrays().
        abytKey = pdb.GetBytes(abytKey.Length)

        ' Generate a new random IV.
        crpSym.GenerateIV()
        abytIV = crpSym.IV

        Try
            fsKey.Write(abytSalt, 0, abytSalt.Length)
            fsKey.Write(abytIV, 0, abytIV.Length)
            strSaltIVFile = strSaveToPath
            Return True
        Catch exp As Exception
            Throw New Exception(exp.Message)
        Finally
            fsKey.Close()
        End Try
    End Function

    ' This routine decrypts a file.
    Public Sub DecryptFile()

        ' If the password is an empty string assume the user has not checked the
        ' "Advanced" CheckBox or has not entered a password and thus is not using
        ' a password-derived key. In such a case the symmetric algorithm obje
[/code]

Freon22 (Groupie, joined 04 December 2005)
Posted: 21 July 2006 at 4:06am
michael, I like your code, it looks good. I have a class that will hash in MD5, SHA1, SHA256, SHA384, SHA512. As far as salt, I use DateTime.Now. Anyway, I would like to post the class that I use here; it may help someone.
 
Hashing.vb

[code]
Imports Microsoft.VisualBasic
Imports System.Security.Cryptography
Imports System.Text

Public Class Hashing

    ' Algorithm enumerations
    Public Enum HashAlgorithmTypes
        MD5
        SHA1
        SHA256
        SHA384
        SHA512
    End Enum

    ' Hashes valueToHash exactly as given and returns the digest as lowercase hex.
    ' No salt is applied here; any salt must already be part of valueToHash.
    Public Shared Function CreateHash(ByVal valueToHash As String, _
                                      ByVal algorithmType As HashAlgorithmTypes) As String

        ' Set up variables
        Dim algorithm As System.Security.Cryptography.HashAlgorithm
        ' Note: ASCIIEncoding maps every non-ASCII character to "?".
        Dim encoder As ASCIIEncoding = New ASCIIEncoding()
        Dim valueByteArray As Byte() = encoder.GetBytes(valueToHash)
        Dim hashValue As String = ""
        Dim hashValueByteArray As Byte()

        ' Acquire algorithm object
        Select Case algorithmType
            Case HashAlgorithmTypes.SHA1
                algorithm = New SHA1Managed()
            Case HashAlgorithmTypes.SHA256
                algorithm = New SHA256Managed()
            Case HashAlgorithmTypes.SHA384
                algorithm = New SHA384Managed()
            Case HashAlgorithmTypes.SHA512
                algorithm = New SHA512Managed()
            Case Else ' use MD5
                algorithm = New MD5CryptoServiceProvider
        End Select

        ' Create binary hash
        hashValueByteArray = algorithm.ComputeHash(valueByteArray)

        ' Convert binary hash to hex
        For Each b As Byte In hashValueByteArray
            hashValue &= String.Format("{0:x2}", b)
        Next

        Return hashValue
    End Function

End Class
[/code]

 
Then to call the Class from a page

[code]
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim myhash As String
    myhash = TextBox1.Text

    MD5.Text = Hashing.CreateHash(myhash, Hashing.HashAlgorithmTypes.MD5)
    SHA1.Text = Hashing.CreateHash(myhash, Hashing.HashAlgorithmTypes.SHA1)
    SHA256.Text = Hashing.CreateHash(myhash, Hashing.HashAlgorithmTypes.SHA256)
    SHA384.Text = Hashing.CreateHash(myhash, Hashing.HashAlgorithmTypes.SHA384)
    SHA512.Text = Hashing.CreateHash(myhash, Hashing.HashAlgorithmTypes.SHA512)
End Sub
[/code]

 
This way you can pick what you want.
VBScript (Senior Member, joined 14 July 2004, United Kingdom)
Posted: 21 July 2006 at 7:15am
I think I will find that very useful as I am trying to learn .Net over the next couple of weeks.