Ryan
How do the built-in membership controls compute the password hash and
salt that are stored in the membership store? I am trying to create a
custom change-password control but still want to use the built-in login
control. I converted the following Microsoft sample code to VB, but the
hashed password it creates is much longer than the one created when I use
the Create User wizard. What am I doing wrong?
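''' <summary>
''' Hashes a password together with a freshly generated random salt and
''' returns the hash bytes followed by the salt bytes, Base64-encoded.
''' </summary>
''' <param name="plainText">Password to hash; converted to bytes with the
''' Unicode (UTF-16) encoding before hashing.</param>
''' <param name="hashAlgorithm">"MD5", "SHA256", "SHA384" or "SHA512"
''' (case-insensitive). Any other value, including Nothing, selects SHA-1.</param>
''' <param name="saltBytes">Output only: whatever array is passed in is
''' replaced by a new 32-byte random salt.</param>
''' <returns>Base64 text of the hash with the salt appended.</returns>
''' <remarks>
''' The salt is appended to the hash before encoding, so the result is longer
''' than a Base64 of the hash alone (for SHA-1: 20 hash bytes + 32 salt bytes).
''' The salt is regenerated on every call, so hashing the same password twice
''' gives different strings; checking a password later needs a variant that
''' reuses the stored salt instead of creating a new one.
''' NOTE(review): the built-in SQL membership provider appears to keep the salt
''' in its own column rather than appended to the hash - confirm against the
''' provider in use before expecting the two formats to match.
''' Security: one pass of a general-purpose hash (MD5 and SHA-1 in particular)
''' is cheap to brute-force offline. For new password storage prefer a
''' deliberately slow key-derivation function such as PBKDF2
''' (Rfc2898DeriveBytes) with a per-user salt.
''' </remarks>
Public Shared Function ComputeHash(ByVal plainText As String, _
                                   ByVal hashAlgorithm As String, _
                                   ByRef saltBytes() As Byte) _
                                   As String
    Const SaltSize As Integer = 32

    ' Always create a new salt from the cryptographic RNG; the caller receives
    ' it through the ByRef parameter.
    saltBytes = New Byte(SaltSize - 1) {}
    System.Security.Cryptography.RNGCryptoServiceProvider.Create().GetBytes(saltBytes)

    ' Convert the plain string password into bytes.
    Dim passwordBytes() As Byte = UnicodeEncoding.Unicode.GetBytes(plainText)

    ' Hash input is password bytes followed by salt bytes.
    ' VB array declarations take the upper bound, hence the "- 1".
    Dim combinedBytes(passwordBytes.Length + saltBytes.Length - 1) As Byte
    System.Buffer.BlockCopy(passwordBytes, 0, combinedBytes, 0, passwordBytes.Length)
    System.Buffer.BlockCopy(saltBytes, 0, combinedBytes, passwordBytes.Length, saltBytes.Length)

    ' A missing algorithm name falls through to the SHA-1 default below.
    If hashAlgorithm Is Nothing Then
        hashAlgorithm = ""
    End If

    ' Culture-invariant upper-casing keeps the name match independent of the
    ' current thread culture.
    Dim hash As HashAlgorithm
    Select Case hashAlgorithm.ToUpperInvariant()
        Case "MD5"
            hash = New MD5CryptoServiceProvider()
        Case "SHA256"
            hash = New SHA256Managed()
        Case "SHA384"
            hash = New SHA384Managed()
        Case "SHA512"
            hash = New SHA512Managed()
        Case Else ' SHA1 = Default
            hash = New SHA1Managed()
    End Select

    ' Compute the hash of password + salt, then release the hash object.
    Dim hashBytes() As Byte
    Try
        hashBytes = hash.ComputeHash(combinedBytes)
    Finally
        hash.Clear()
    End Try

    ' Append the salt to the hash. The original declared the upper bound as
    ' hashBytes.Length + saltBytes.Length, which allocated one byte too many
    ' and added a stray trailing zero byte to the encoded value.
    Dim hashPlusSalt(hashBytes.Length + saltBytes.Length - 1) As Byte
    System.Buffer.BlockCopy(hashBytes, 0, hashPlusSalt, 0, hashBytes.Length)
    System.Buffer.BlockCopy(saltBytes, 0, hashPlusSalt, hashBytes.Length, saltBytes.Length)

    Return Convert.ToBase64String(hashPlusSalt)
End Function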
salt for storing in the memberstore? I am trying to create a custom
change password control but want to use the built-in login control. I
modified the following code from Microsoft to get it into VB but the
hashed password it creates is way longer than that created when I use
the Create User wizard. What am I doing wrong?
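''' <summary>
''' Hashes a password together with a freshly generated random salt and
''' returns the hash bytes followed by the salt bytes, Base64-encoded.
''' </summary>
''' <param name="plainText">Password to hash; converted to bytes with the
''' Unicode (UTF-16) encoding before hashing.</param>
''' <param name="hashAlgorithm">"MD5", "SHA256", "SHA384" or "SHA512"
''' (case-insensitive). Any other value, including Nothing, selects SHA-1.</param>
''' <param name="saltBytes">Output only: whatever array is passed in is
''' replaced by a new 32-byte random salt.</param>
''' <returns>Base64 text of the hash with the salt appended.</returns>
''' <remarks>
''' The salt is appended to the hash before encoding, so the result is longer
''' than a Base64 of the hash alone (for SHA-1: 20 hash bytes + 32 salt bytes).
''' The salt is regenerated on every call, so hashing the same password twice
''' gives different strings; checking a password later needs a variant that
''' reuses the stored salt instead of creating a new one.
''' NOTE(review): the built-in SQL membership provider appears to keep the salt
''' in its own column rather than appended to the hash - confirm against the
''' provider in use before expecting the two formats to match.
''' Security: one pass of a general-purpose hash (MD5 and SHA-1 in particular)
''' is cheap to brute-force offline. For new password storage prefer a
''' deliberately slow key-derivation function such as PBKDF2
''' (Rfc2898DeriveBytes) with a per-user salt.
''' </remarks>
Public Shared Function ComputeHash(ByVal plainText As String, _
                                   ByVal hashAlgorithm As String, _
                                   ByRef saltBytes() As Byte) _
                                   As String
    Const SaltSize As Integer = 32

    ' Always create a new salt from the cryptographic RNG; the caller receives
    ' it through the ByRef parameter.
    saltBytes = New Byte(SaltSize - 1) {}
    System.Security.Cryptography.RNGCryptoServiceProvider.Create().GetBytes(saltBytes)

    ' Convert the plain string password into bytes.
    Dim passwordBytes() As Byte = UnicodeEncoding.Unicode.GetBytes(plainText)

    ' Hash input is password bytes followed by salt bytes.
    ' VB array declarations take the upper bound, hence the "- 1".
    Dim combinedBytes(passwordBytes.Length + saltBytes.Length - 1) As Byte
    System.Buffer.BlockCopy(passwordBytes, 0, combinedBytes, 0, passwordBytes.Length)
    System.Buffer.BlockCopy(saltBytes, 0, combinedBytes, passwordBytes.Length, saltBytes.Length)

    ' A missing algorithm name falls through to the SHA-1 default below.
    If hashAlgorithm Is Nothing Then
        hashAlgorithm = ""
    End If

    ' Culture-invariant upper-casing keeps the name match independent of the
    ' current thread culture.
    Dim hash As HashAlgorithm
    Select Case hashAlgorithm.ToUpperInvariant()
        Case "MD5"
            hash = New MD5CryptoServiceProvider()
        Case "SHA256"
            hash = New SHA256Managed()
        Case "SHA384"
            hash = New SHA384Managed()
        Case "SHA512"
            hash = New SHA512Managed()
        Case Else ' SHA1 = Default
            hash = New SHA1Managed()
    End Select

    ' Compute the hash of password + salt, then release the hash object.
    Dim hashBytes() As Byte
    Try
        hashBytes = hash.ComputeHash(combinedBytes)
    Finally
        hash.Clear()
    End Try

    ' Append the salt to the hash. The original declared the upper bound as
    ' hashBytes.Length + saltBytes.Length, which allocated one byte too many
    ' and added a stray trailing zero byte to the encoded value.
    Dim hashPlusSalt(hashBytes.Length + saltBytes.Length - 1) As Byte
    System.Buffer.BlockCopy(hashBytes, 0, hashPlusSalt, 0, hashBytes.Length)
    System.Buffer.BlockCopy(saltBytes, 0, hashPlusSalt, hashBytes.Length, saltBytes.Length)

    Return Convert.ToBase64String(hashPlusSalt)
End Function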