I got the AdventureWorks2012 database from http://msftdbprodsamples.codeplex.com/releases/view/55330 and tried to validate a password against the Person.Password table. The 'PasswordHash' column description says "Password for the e-mail account." and the 'PasswordSalt' column description says "Random value concatenated with the password string before the password is hashed."
Here is sample data from the DB:
    BusinessEntityID, PasswordHash,                                  PasswordSalt, EmailAddress
    ----------------  --------------------------------------------  ------------  ----------------------------
    1,                pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=, bE3XiWw=,     ken0@adventure-works.com
    2,                bawRVNrZQYQ05qF05Gz6VLilnviZmrqBReTTAGAudm0=, EjJaC3U=,     terri0@adventure-works.com
How can I tell which hashing algorithm was used to create PasswordHash, and how is the salt generated?
Here is my code attempt at validating the password, but none of the hash algorithms works. Can anyone shed some light on this?
    using System;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Text;

    // ISecurityService and Password are the application's own types;
    // Password carries the Person.Password row (PasswordHash / PasswordSalt as base64 strings).
    public class SecurityService : ISecurityService
    {
        public string UserName { get; set; }

        public bool ValidateCredentials(string password, Password dbPassword)
        {
            bool valid = false;
            byte[] saltBytes = Convert.FromBase64String(dbPassword.PasswordSalt);         // dbPassword.PasswordSalt: bE3XiWw=
            byte[] passwordBytes = Encoding.Unicode.GetBytes(password);                   // password: ken0@adventure-works.com (UTF-16LE)
            byte[] passwordHashBytes = Convert.FromBase64String(dbPassword.PasswordHash); // dbPassword.PasswordHash: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=

            byte[] passwordHashed = Hash(passwordBytes, saltBytes);
            // Note: this hashes the stored hash a second time, so it can never equal passwordHashed.
            byte[] dbPasswordHashed = Hash(passwordHashBytes, saltBytes);
            valid = dbPasswordHashed.SequenceEqual(passwordHashed);
            return valid;
        }

        // Computes Hash(value || salt); the algorithm under test is selected by
        // uncommenting one line and commenting out the others.
        private static byte[] Hash(byte[] value, byte[] salt)
        {
            byte[] saltedValue = value.Concat(salt).ToArray();
            return HashAlgorithm.Create("MD5").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA1").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA256").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA384").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA512").ComputeHash(saltedValue);
        }
    }
Answer 0 (score: 0)
If you replace `valid = dbPasswordHashed.SequenceEqual(passwordHashed);` with `valid = passwordHashBytes.SequenceEqual(passwordHashed);`
it will give the correct result.
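The check the question is after, written as an added Python example (not the asker's code and not part of AdventureWorks): decode the stored hash first, because its byte length alone narrows the digest (32 bytes rules out everything but SHA-256 among the candidates in the question), then compare each candidate encoding and concatenation order against the stored value without re-hashing it, which is the mistake the answer points out. It makes no claim about which scheme the sample database actually uses; the self-check at the end uses a constructed record whose scheme is chosen as an assumption.

```python
import base64
import hashlib
import hmac

# Row 1 from the question's sample data (values copied from the page).
ROW1_SALT_B64 = "bE3XiWw="
ROW1_HASH_B64 = "pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM="

# The digests the question's C# code cycles through, the two encodings .NET
# code commonly uses (Encoding.Unicode is UTF-16LE), and both concatenation orders.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")
ENCODINGS = ("utf-16-le", "utf-8")
ORDERS = ("password+salt", "salt+password")


def digest_size_candidates(hash_b64):
    """Decode the stored hash; its byte length already rules out most digests."""
    size = len(base64.b64decode(hash_b64))
    return [a for a in ALGORITHMS if hashlib.new(a).digest_size == size]


def salted_digest(password, salt, algorithm, encoding, order):
    pw = password.encode(encoding)
    data = pw + salt if order == "password+salt" else salt + pw
    return hashlib.new(algorithm, data).digest()


def identify_scheme(password, salt_b64, hash_b64):
    """Return the (algorithm, encoding, order) that reproduces the stored hash, or None."""
    salt, stored = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    for algorithm in digest_size_candidates(hash_b64):
        for encoding in ENCODINGS:
            for order in ORDERS:
                computed = salted_digest(password, salt, algorithm, encoding, order)
                if hmac.compare_digest(computed, stored):  # compare the stored hash, never re-hash it
                    return algorithm, encoding, order
    return None


def verify_password(password, salt_b64, hash_b64, scheme):
    """Check a candidate password once the scheme is known (constant-time compare)."""
    algorithm, encoding, order = scheme
    computed = salted_digest(password, base64.b64decode(salt_b64), algorithm, encoding, order)
    return hmac.compare_digest(computed, base64.b64decode(hash_b64))


def constructed_record(password, salt):
    """Constructed test record: SHA-256 over UTF-16LE password + salt (an assumed scheme)."""
    digest = hashlib.sha256(password.encode("utf-16-le") + salt).digest()
    return base64.b64encode(salt).decode(), base64.b64encode(digest).decode()


if __name__ == "__main__":
    print("digest sizes consistent with row 1:", digest_size_candidates(ROW1_HASH_B64))
    # The question's guess that the password equals the e-mail address:
    print(identify_scheme("ken0@adventure-works.com", ROW1_SALT_B64, ROW1_HASH_B64))
```

If `identify_scheme` returns `None` for a real row, the password guess is wrong or the scheme is outside the candidate set, not a reason to hash the stored value again.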