密码哈希不匹配

时间:2018-10-08 17:33:56

标签: c# asp.net-mvc authentication asp.net-core cryptography

我无法登录用户,因为密码哈希不匹配。我究竟做错了什么。 我的保存密码哈希的sql服务器的数据类型为nvarchar。我以前使用过二进制数据类型,但是没有用。

 private readonly MovieHubContext _context;
    public AuthRepository(MovieHubContext context)
    {
        _context = context;
    }

    //method is called when the user hits the login button
    public async Task<Users> Login(string username, string password)
    {
        //returns the username from the databse
        var user = await _context.Users.FirstOrDefaultAsync(x => x.UserName == username);
        if (user == null)
        {
            return null;
        }

        if (!VerifyPasswordHash(password, System.Text.Encoding.UTF8.GetBytes(user.PasswordHash),
            System.Text.Encoding.UTF8.GetBytes(user.PasswordSalt)))
            return null;
        return user;

    }
    // this method is used to verify the password 
    private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
    {
        using (var hmac = new System.Security.Cryptography.HMACSHA512(passwordSalt))
        {
            //changes the string into byte and them computes the hash
            byte[] computedHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
            for (int i = 0; i < computedHash.Length; i++)
            {
                //compares the hashed password(user input) with the hashed password from the database
                if (computedHash[i] != passwordHash[i])
                    return false;
            }
        }
        return true;
    }
    // This method is used to register the users
    public async Task<Users> Register(Users users, string password)
    {
        byte[] passwordHash, passwordSalt;
        CreatePasswordHash(password, out passwordHash, out passwordSalt);

        users.PasswordHash = System.Text.Encoding.UTF8.GetString(passwordHash);
        users.PasswordSalt = System.Text.Encoding.UTF8.GetString(passwordSalt);

        //save into database
        await _context.Users.AddAsync(users);
        await _context.SaveChangesAsync();

        return users;


    }

    private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)
    {
        using (var hmac = new System.Security.Cryptography.HMACSHA512())
        {
            passwordSalt = hmac.Key;
            passwordHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
        }
    }

    public async Task<bool> UserExists(string username)
    {
        if (await _context.Users.AnyAsync(x => x.UserName == username))
            return true;

        return false;
    }

这是我为注册和登录客户端编写的代码。我找不到我在做什么错。

2 个答案:

答案 0 :(得分:3)

在注册/验证后,只需将UTF8.GetBytes替换为Convert.FromBase64String,将UTF8.GetString替换为Convert.ToBase64String 

public async Task<Users> Register(Users users, string password)
{
    byte[] passwordHash, passwordSalt;
    CreatePasswordHash(password, out passwordHash, out passwordSalt);

    users.PasswordHash = Convert.ToBase64String(passwordHash);
    users.PasswordSalt = Convert.ToBase64String(passwordSalt);

    //save into database
    await _context.Users.AddAsync(users);
    await _context.SaveChangesAsync();

    return users;
}


public async Task<Users> Login(string username, string password)
{
    //returns the username from the databse
    var user = await _context.Users.FirstOrDefaultAsync(x => x.UserName == username);
    if (user == null)
    {
        return null;
    }

    if (!VerifyPasswordHash(password, Convert.FromBase64String(user.PasswordHash),
        Convert.FromBase64String(user.PasswordSalt)))
        return null;
    return user;

}

导致无效结果的原因是您的GetString返回的字符串中包含不可打印的字符,这些字符不能正确地从数据库中持久保存/检索到数据库。

只需打印出这些字符串,看看您能得到什么。

相比之下,base64编码可确保字节数组在可以安全地存储/检索它们的意义上转换为 safe 字符串。

这是经过稍微修改的版本(已删除异步和dbcontext),

https://dotnetfiddle.net/fH5mXh

答案 1 :(得分:0)

在此处输入代码我遇到了同样的问题,因为我将数据存储为SQL Server中binary(64)的数据类型,然后更改了

        public async Task<User> Login(string username, string password)
    {
        var user = await _context.Users.FirstOrDefaultAsync(x => x.Username == username);
        if(user == null)
        return null;
        if(!VerifyPasswordHash(password, user.PasswordHash, user.PasswordSalt))
        return null;

        return user;
    }
    public async Task<User> Register(User user, string password)
    {
        byte[] passwordHash, passwordSalt;
        CreatePasswordHash(password, out passwordHash, out passwordSalt);
        user.PasswordHash = passwordHash;
        user.PasswordSalt = passwordSalt;

        await _context.Users.AddAsync(user);
        await _context.SaveChangesAsync();

        return user;
    }
    private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[] passwordSalt)
    {
        using (var hmaic = new System.Security.Cryptography.HMACSHA512())
        {
          passwordSalt = hmaic.Key;
          passwordHash = hmaic.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
        }
    }
    private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
    {
       using (var hmaic = new System.Security.Cryptography.HMACSHA512(passwordSalt))
        {             
          var computedHash = hmaic.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));

          for(int i =0; i < computedHash.Length; i++)
          {
              if(computedHash[i] != passwordHash[i])
              return false;
          }

          return true;
        }

    }
相关问题
最新问题