aspdotnet_website_programming thread: forgot password page
Message #1 by "Todd Mueller" <lenny_92675@y...> on Fri, 8 Nov 2002 15:36:49
All,
I'm creating a forgotpassword page and was wondering if someone has found a way
to decrypt the password using the DES method? Has anyone tried this?
Todd
Message #2 by David Barnes <DavidB@w...> on Fri, 8 Nov 2002 15:53:26 -0000
Todd
If you're using the encryption method in the book, I'm pretty sure it's not
possible (or at least not trivial) to decrypt it. If you want to keep
passwords encrypted, then your forgotpassword page should probably generate
a new password, rather than trying to retrieve the old one.
Cheers
David
> -----Original Message-----
> From: Todd Mueller [mailto:lenny_92675@y...]
> Sent: Friday, November 08, 2002 3:37 PM
> To: Website Programming with ASP.NET
> Subject: [aspdotnet_website_programming] forgot password page
>
>
> All,
>
> Im creating a forgotpassword page and was wondering if
> someone found a way
> to decrypt the password using the DES method? Anyone try this?
>
> Todd
>
Message #3 by "Todd Mueller" <lenny_92675@y...> on Fri, 8 Nov 2002 16:09:25
Problem with that is I can take over someone's account if I know their
password. Thoughts?
Todd
> Todd
If you're using the encryption method in the book, I'm pretty sure it's not
possible (or at least not trivial) to decrypt it. If you want to keep
passwords encrypted, then your forgotpassword page should probably generate
a new password, rather than trying to retrieve the old one.
Cheers
David
> -----Original Message-----
> From: Todd Mueller [mailto:lenny_92675@y...]
> Sent: Friday, November 08, 2002 3:37 PM
> To: Website Programming with ASP.NET
> Subject: [aspdotnet_website_programming] forgot password page
>
>
> All,
>
> Im creating a forgotpassword page and was wondering if
> someone found a way
> to decrypt the password using the DES method? Anyone try this?
>
> Todd
>
Message #4 by "Charles Walsek" <cwalsek@w...> on Fri, 8 Nov 2002 18:34:33 -0500
David / Todd:
I've been looking into this for some time now. I wanted to add some code to
prevent multiple accounts for the same email address, and did not want a lot of "dead"
rows in the database. The key, of course, is to be able to decrypt the
password and email it back to the user.
Anyway, the password encryption method used by SitePrincipal is one-way. So
if the user forgets it, you are out of luck. Today at the chat discussion Mr.
Hoffman explained that by using a symmetric (two-way) encryption method, a password
could be decrypted. We will need to look at the MSDN documentation to learn
how this is done. When I get around to it, I'll check it out. If you get
there first, please let me know.
Regards,
--Chas
Message #5 by "Claude Wynne" <claudew@i...> on Mon, 11 Nov 2002 14:02:27 -0800
I found some code for 2 way encryption on the net and modified my
SitePrincipal class as follows. I don't really understand encryption
that well so don't ask me to explain it. I just know that it works. I
welcome any comments or suggestions on how to make it more secure. Right
now I'm using the email address as the key, which is probably not the
best idea: if anyone could capture the encrypted password and
knew the person's email address, they could recover the unencrypted password.
Of course, if the login and/or sign-up pages don't use encryption - and
many smaller sites don't - then a hacker could capture the unencrypted
password at that point.
Here is part of my modified SitePrincipal class. Replace [YOUR EMAIL
ADDRESS] and [YOUR SITE NAME] with your information:
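/// <summary>
/// E-mails <paramref name="password"/> to <paramref name="emailAddress"/> in clear text.
/// </summary>
/// <param name="emailAddress">Recipient; in this class it is also the account's login name.</param>
/// <param name="password">The recovered password, placed verbatim in the message body.</param>
/// <returns>
/// true when SmtpMail.Send returned without throwing; false for an empty address or any
/// failure while building or sending the message.
/// </returns>
/// <remarks>
/// The body carries the password unprotected, so anyone who can read the recipient's
/// mailbox or the SMTP hop learns it. Generating a fresh password (or a one-time reset
/// link) instead of mailing the current one, as suggested earlier in this thread, avoids
/// that exposure and removes the need to store passwords reversibly at all.
/// </remarks>
public static bool SendPassword(string emailAddress, string password)
{
    // An empty recipient can only fail inside SmtpMail.Send; report it up front
    // rather than paying for the exception.
    if (emailAddress == null || emailAddress.Length == 0)
    {
        return false;
    }

    try
    {
        MailMessage mailMsg = new MailMessage();
        mailMsg.From = "[YOUR EMAIL ADDRESS]";
        mailMsg.Priority = MailPriority.Normal;
        mailMsg.BodyFormat = MailFormat.Text;
        mailMsg.Subject = " Password";
        mailMsg.To = emailAddress;
        mailMsg.Body = "Your password at [YOUR SITE NAME] is " + password;

        // Goes to the user, not an administrator.
        SmtpMail.Send(mailMsg);
        return true;
    }
    catch (Exception)
    {
        // Deliberately best-effort: the caller only needs a success flag, and send
        // failure details should not reach the (unauthenticated) requester.
        return false;
    }
}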
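/// <summary>
/// Looks up the stored password for <paramref name="emailAddress"/>, decrypts it and
/// mails it back to that same address.
/// </summary>
/// <param name="emailAddress">
/// Login name of the account. It is also the key string handed to DecryptData, so the
/// stored bytes can be reversed by anyone who knows the address.
/// </param>
/// <returns>
/// true when the mail was handed to SmtpMail; false for an unknown address, an empty
/// stored password, or any failure along the way.
/// </returns>
/// <remarks>
/// This only works because passwords are stored reversibly (EncryptData) rather than
/// hashed, which means a copy of the database exposes every password. Whoever can
/// receive mail for the address obtains the live password, so calls to this method
/// should be logged and limited like any other account-recovery action.
/// </remarks>
public static bool EmailPassword(string emailAddress)
{
    try
    {
        Configuration.ModuleSettings moduleSettings = Configuration.ModuleConfig.GetSettings();
        Data.User dataUser = new Data.User(moduleSettings.ConnectionString);

        byte[] cryptPassword = dataUser.GetPassword(emailAddress);
        if (cryptPassword == null || cryptPassword.Length == 0)
        {
            // Presumably an unknown address or an account without a stored password
            // (GetPassword's contract is not visible here); nothing to send either way.
            return false;
        }

        string password = DecryptData(emailAddress, cryptPassword);
        return SendPassword(emailAddress, password);
    }
    catch (Exception)
    {
        // Deliberately best-effort: the page degrades to "could not send" instead of
        // an error page whose message could leak configuration details.
        return false;
    }
}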
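/// <summary>
/// Checks <paramref name="password"/> against the stored value for
/// <paramref name="emailAddress"/> and, on a match, builds the principal for that user.
/// </summary>
/// <param name="emailAddress">Login name; also the key string for DecryptData.</param>
/// <param name="password">Password as typed by the user.</param>
/// <returns>A SitePrincipal for the account, or null when the address is unknown,
/// the password does not match, or anything throws.</returns>
/// <remarks>
/// Validation works by decrypting the stored value and comparing plain text, which is
/// why the password has to be stored reversibly. Storing only the one-way
/// EncryptPassword(string) digest and comparing digests would give the same login
/// behaviour without keeping a recoverable copy of every password.
/// </remarks>
public static SitePrincipal ValidateLogin(string emailAddress, string password)
{
    Configuration.ModuleSettings moduleSettings = Configuration.ModuleConfig.GetSettings();
    int newID = -1;

    try
    {
        Data.User dataUser = new Data.User(moduleSettings.ConnectionString);
        byte[] cryptPassword = dataUser.GetPassword(emailAddress);

        // EmailPassword treats an empty array as "no such user"; apply the same rule
        // here instead of handing empty data to DecryptData.
        if (cryptPassword == null || cryptPassword.Length == 0)
        {
            return null;
        }

        // DecryptData throws on a corrupt value; that lands in the catch below and
        // reads as a failed login.
        string decryptPassword = DecryptData(emailAddress, cryptPassword);
        if (password == decryptPassword)
        {
            newID = dataUser.GetUserID(emailAddress);
        }

        if (newID > -1)
        {
            return new SitePrincipal(newID);
        }
        return null;
    }
    catch (Exception)
    {
        // Any failure is reported as "not logged in"; details stay out of the response.
        return null;
    }
}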
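/// <summary>
/// One-way form: the SHA-1 digest of the UTF-16 (little-endian) bytes of
/// <paramref name="password"/>.
/// </summary>
/// <param name="password">Password to digest; null is rejected by UnicodeEncoding.GetBytes.</param>
/// <returns>The 20-byte SHA-1 digest.</returns>
/// <remarks>
/// An unsalted SHA-1 of a password is cheap to brute-force offline and identical
/// passwords produce identical digests across users; a salted, deliberately slow
/// derivation would be the usual replacement. The output is not interchangeable with
/// the two-argument overload, which produces DES ciphertext.
/// </remarks>
public static byte[] EncryptPassword(string password)
{
    UnicodeEncoding encoding = new UnicodeEncoding();
    byte[] hashBytes = encoding.GetBytes(password);

    // The hash object is disposable; release it deterministically instead of
    // leaving it to the finalizer.
    using (SHA1 sha1 = SHA1.Create())
    {
        return sha1.ComputeHash(hashBytes);
    }
}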
/// <summary>
/// Two-way form: DES-encrypts <paramref name="password"/> under a key derived from
/// <paramref name="email"/>, so DecryptData(email, ...) can recover it later.
/// </summary>
/// <param name="email">Key string for EncryptData; it is not a secret.</param>
/// <param name="password">Text to encrypt.</param>
/// <returns>The bytes produced by EncryptData; not comparable with the SHA-1 overload.</returns>
public static byte[] EncryptPassword(string email, string password)
{
    byte[] cryptPassword = EncryptData(email, password);
    return cryptPassword;
}
// DES key and IV that InitKey derives from the caller's key string and that
// EncryptData / DecryptData read afterwards. They are static and mutable, so every
// request in the process shares them: two overlapping calls with different key
// strings can overwrite each other between InitKey and the CreateEncryptor /
// CreateDecryptor call. NOTE(review): confirm whether callers serialize access.
private static byte[] m_Key = new byte[8];
private static byte[] m_IV = new byte[8];
//////////////////////////
//Function to encrypt data
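/// <summary>
/// DES-CBC encrypts <paramref name="strData"/> under the key and IV that InitKey derives
/// from <paramref name="strKey"/>. The plaintext is prefixed with its length as five
/// decimal digits so DecryptData can trim the result back to the original text.
/// </summary>
/// <param name="strKey">Key material; callers in this class pass the user's e-mail address.</param>
/// <param name="strData">
/// Text to encrypt. It is converted with ASCIIEncoding, so any non-ASCII character is
/// replaced by '?' and cannot be recovered by DecryptData.
/// </param>
/// <returns>The ciphertext, exactly as long as the padded DES output.</returns>
/// <exception cref="AppException">
/// When the data exceeds 92160 characters or InitKey fails.
/// </exception>
/// <remarks>
/// Single DES keyed with a SHA-1 prefix of a non-secret string offers no confidentiality
/// against anyone who knows that string and obtains the stored bytes. The key and IV are
/// read from static fields that InitKey overwrites, so concurrent calls with different
/// key strings can interfere with each other.
/// </remarks>
public static byte[] EncryptData(String strKey, String strData)
{
    //1. The five-digit length prefix written in step 3 caps the payload at 99999
    //   characters; the original 90Kb limit is kept.
    if (strData.Length > 92160)
    {
        throw new AppException("Error. Data String too large. Keep within 90Kb.");
    }

    //2. Derive the DES key and IV into m_Key / m_IV.
    if (!InitKey(strKey))
    {
        throw new AppException("Error. Failed to generate key for encryption");
    }

    //3. Prepend the length as five zero-padded digits. The length is formatted on its
    //   own and the data appended afterwards: the data must never become part of the
    //   format string, where a '{' or '}' in a password throws FormatException and a
    //   "{0}" would be substituted.
    string framed = String.Format("{0:00000}", strData.Length) + strData;

    //4. ASCII-encode; GetBytes(string) returns exactly the bytes it produced.
    byte[] rbData = new ASCIIEncoding().GetBytes(framed);

    //5./6. Pull the bytes through the encryptor in read mode. ToArray() returns only
    //      the bytes written, whereas GetBuffer() hands back the whole capacity buffer
    //      with trailing zero bytes. Values stored with the longer layout still decrypt.
    using (DESCryptoServiceProvider descsp = new DESCryptoServiceProvider())
    using (ICryptoTransform desEncrypt = descsp.CreateEncryptor(m_Key, m_IV))
    using (MemoryStream mStream = new MemoryStream(rbData))
    using (CryptoStream cs = new CryptoStream(mStream, desEncrypt, CryptoStreamMode.Read))
    {
        MemoryStream mOut = new MemoryStream();
        byte[] output = new byte[1024];
        int bytesRead;
        while ((bytesRead = cs.Read(output, 0, output.Length)) > 0)
        {
            mOut.Write(output, 0, bytesRead);
        }
        return mOut.ToArray();
    }
}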
//////////////////////////
//Function to decrypt data
//public string DecryptData(String strKey, String strData)
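/// <summary>
/// Reverses EncryptData: DES-CBC decrypts <paramref name="bPlain"/> under the key and IV
/// that InitKey derives from <paramref name="strKey"/>, then strips the five-digit
/// length prefix.
/// </summary>
/// <param name="strKey">The same key string that was passed to EncryptData.</param>
/// <param name="bPlain">
/// Despite the name, the ciphertext. Trailing zero bytes, as left behind when the
/// ciphertext was taken from a MemoryStream.GetBuffer() capacity buffer, are ignored.
/// </param>
/// <returns>The original text (ASCII; characters lost on encryption come back as '?').</returns>
/// <exception cref="AppException">
/// When InitKey fails, or when the data is empty, not block-aligned, has invalid padding
/// or an invalid length prefix - i.e. the wrong key or corrupt data.
/// </exception>
/// <remarks>
/// Anyone holding the stored bytes plus the key string (here: the e-mail address) can
/// call this, so the stored value is effectively readable. Key and IV come from static
/// fields that InitKey overwrites; overlapping calls with different keys can race.
/// </remarks>
public static string DecryptData(String strKey, byte[] bPlain)
{
    //1. Derive the key and IV into m_Key / m_IV.
    if (!InitKey(strKey))
    {
        throw new AppException("Error. Fail to generate key for decryption");
    }

    try
    {
        using (DESCryptoServiceProvider descsp = new DESCryptoServiceProvider())
        {
            //2. Work out how much of the buffer is ciphertext. Strip the zero bytes
            //   that a GetBuffer()-based encryptor appends, then round back up to a
            //   whole block so a genuine trailing zero byte of ciphertext is kept.
            //   (Only an entire all-zero final block would be lost this way.)
            int blockBytes = descsp.BlockSize / 8;
            int length = bPlain.Length;
            while (length > 0 && bPlain[length - 1] == 0)
            {
                length--;
            }
            int remainder = length % blockBytes;
            if (remainder != 0)
            {
                length = Math.Min(bPlain.Length, length + (blockBytes - remainder));
            }

            //3. Decrypt in one call. TransformFinalBlock processes every block and
            //   removes the PKCS#7 padding; an empty, misaligned or wrongly padded
            //   input throws and is reported below. The previous stream loop wrote
            //   the buffer twice, never finalized the transform, and spun forever on
            //   empty input.
            byte[] plain;
            using (ICryptoTransform desDecrypt = descsp.CreateDecryptor(m_Key, m_IV))
            {
                plain = desDecrypt.TransformFinalBlock(bPlain, 0, length);
            }

            //4. The first five characters are the zero-padded length written by
            //   EncryptData; everything after them up to that length is the payload.
            string strResult = new ASCIIEncoding().GetString(plain, 0, plain.Length);
            int nLen = Convert.ToInt32(strResult.Substring(0, 5));
            return strResult.Substring(5, nLen);
        }
    }
    catch (Exception)
    {
        // Collapse every failure into one message so the caller cannot tell a bad
        // key from bad padding or a bad prefix.
        throw new AppException("Error. Decryption Failed. Possibly due to incorrect Key or corrputed data");
    }
}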
/////////////////////////////////////////////////////////////
//Private function to generate the keys into member variables
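/// <summary>
/// Derives the DES key and IV from <paramref name="strKey"/> into m_Key and m_IV:
/// SHA-1 over the ASCII bytes of the string; digest bytes 0-7 become the key and
/// bytes 8-15 the IV.
/// </summary>
/// <param name="strKey">
/// Key string. Non-ASCII characters are mapped to '?' before hashing, so strings that
/// differ only in such characters derive the same key.
/// </param>
/// <returns>
/// true on success; false when the derivation throws (for example a null key), in which
/// case m_Key and m_IV are left unchanged.
/// </returns>
/// <remarks>
/// The material is a deterministic function of a non-secret string and is written to
/// static fields shared by all threads, so a concurrent caller can replace it between
/// this call and the CreateEncryptor / CreateDecryptor call that consumes it.
/// </remarks>
private static bool InitKey(String strKey)
{
    try
    {
        byte[] bp = new ASCIIEncoding().GetBytes(strKey);

        byte[] bpHash;
        using (SHA1 sha = SHA1.Create())
        {
            bpHash = sha.ComputeHash(bp);
        }

        // Low 64 bits for the key, the next 64 for the IV. Copy only once the digest
        // exists so a failure above leaves the fields untouched.
        Array.Copy(bpHash, 0, m_Key, 0, 8);
        Array.Copy(bpHash, 8, m_IV, 0, 8);
        return true;
    }
    catch (Exception)
    {
        // Reported as false; EncryptData / DecryptData turn that into an AppException.
        return false;
    }
}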
Message #6 by Helen Warn <hwarn@s...> on Mon, 11 Nov 2002 14:51:45 -0800
I believe attachments are automatically removed.
If someone needs to show their code, they should copy it into the body of
the post.
Cheers,
Helen
> -----Original Message-----
> From: Claude Wynne [mailto:claudew@i...]
> Sent: Monday, November 11, 2002 2:02 PM
> To: Website Programming with ASP.NET
> Subject: [aspdotnet_website_programming] RE: forgot password page
>
>
> I found some code for 2 way encryption on the net and modified my
> SitePrincipal class as follows. I don't really understand encryption
> that well so don't ask me to explain it. I just know that it works. I
> welcome any comments or suggestions on how to make it more
> secure. Right
> now I'm using the email address as the key which is probably not the
> best idea because if anyone could capture the encrypted password and
> knew the person's email address they could get the
> unencrypted password.
> Of course, if the login and/or sign-up pages don't use
> encryption - and
> many smaller sites don't - than a hacker could capture the unencrypted
> password at that point.
>
> Here is part of my modified SitePrinipal class. Replace [YOUR EMAIL
> ADDRESS] and [YOUR SITE NAME] with your information:
>
>
>
> public static bool SendPassword(string emailAddress, string password)
> {
> try
> {
> // create a new mail message and set the common
> properties
> MailMessage mailMsg = new MailMessage();
> mailMsg.From = "[YOUR EMAIL ADDRESS]";
> mailMsg.Priority = MailPriority.Normal;
> mailMsg.BodyFormat = MailFormat.Text;
> mailMsg.Subject = " Password";
> mailMsg.To = emailAddress;
> mailMsg.Body = "Your password at [YOUR SITE NAME] is " +
> password;
>
> // send the mail to the administrator
> SmtpMail.Send(mailMsg);
> return true;
> }
> catch
> {
> return false;
> }
> }
>
> public static bool EmailPassword(string emailAddress)
> {
> try
> {
> Configuration.ModuleSettings moduleSettings
> Configuration.ModuleConfig.GetSettings();
> Data.User dataUser = new Data.User(
> moduleSettings.ConnectionString );
> byte[] cryptPassword
> dataUser.GetPassword(emailAddress);
> if(cryptPassword.Length == 0)
> return false;
> string password
> DecryptData(emailAddress,cryptPassword);
> return SendPassword(emailAddress,password);
> }
> catch(Exception e)
> {
> string s = e.Message;
> return false;
> }
> }
>
> public static SitePrincipal ValidateLogin(string emailAddress, string
> password)
> {
> Configuration.ModuleSettings moduleSettings
> Configuration.ModuleConfig.GetSettings();
> int newID=-1;
>
> try
> {
> Data.User dataUser = new Data.User(
> moduleSettings.ConnectionString );
> byte[] cryptPassword
> dataUser.GetPassword(emailAddress);
> string decryptPassword
> DecryptData(emailAddress,cryptPassword);
> if(password == decryptPassword)
> newID = dataUser.GetUserID(emailAddress);
> if ( newID > -1 )
> return new SitePrincipal( newID );
> else
> return null;
> }
> catch(Exception e)
> {
> string s = e.Message;
> return null;
> }
> }
>
> public static byte[] EncryptPassword(string password)
> {
> UnicodeEncoding encoding = new UnicodeEncoding();
> byte[] hashBytes = encoding.GetBytes( password );
>
> // compute SHA-1 hash.
> SHA1 sha1 = new SHA1CryptoServiceProvider();
> byte[] cryptPassword = sha1.ComputeHash ( hashBytes );
>
> return cryptPassword;
> }
>
> public static byte[] EncryptPassword(string email, string password)
> {
> return EncryptData(email, password);
>
> }
>
> static private Byte[] m_Key = new Byte[8];
> static private Byte[] m_IV = new Byte[8];
>
> //////////////////////////
> //Function to encrypt data
> public static byte [] EncryptData(String strKey, String strData)
> {
> //1. String Length cannot exceed 90Kb. Otherwise, buffer will
> overflow. See point 3 for reasons
> if (strData.Length > 92160)
> {
> throw new AppException("Error. Data String too large.
> Keep within 90Kb.");
> }
>
> //2. Generate the Keys
> if (!InitKey(strKey))
> {
> throw new AppException("Error. Failed to generate key
> for encryption");
> }
>
> //3. Prepare the String
> // The first 5 character of the string is formatted to
> store the actual length of the data.
> // This is the simplest way to remember to original length
> of the data, without resorting to complicated computations.
> strData = String.Format("{0,5:00000}"+strData, strData.Length);
>
>
> //4. Encrypt the Data
> byte[] rbData = new byte[strData.Length];
> ASCIIEncoding aEnc = new ASCIIEncoding();
> aEnc.GetBytes(strData, 0, strData.Length, rbData, 0);
>
> DESCryptoServiceProvider descsp = new
> DESCryptoServiceProvider();
>
> ICryptoTransform desEncrypt = descsp.CreateEncryptor(m_Key,
> m_IV);
>
>
> //5. Perpare the streams:
> // mOut is the output stream.
> // mStream is the input stream.
> // cs is the transformation stream.
> MemoryStream mStream = new MemoryStream(rbData);
> CryptoStream cs = new CryptoStream(mStream, desEncrypt,
> CryptoStreamMode.Read);
> MemoryStream mOut = new MemoryStream();
>
> //6. Start performing the encryption
> int bytesRead;
> byte[] output = new byte[1024];
> do
> {
> bytesRead = cs.Read(output,0,1024);
> if (bytesRead != 0)
> mOut.Write(output,0,bytesRead);
> } while (bytesRead > 0);
>
> return mOut.GetBuffer();
> }
>
> //////////////////////////
> //Function to decrypt data
> //public string DecryptData(String strKey, String strData)
> public static string DecryptData(String strKey, byte[] bPlain)
> {
> string strResult;
> //1. Generate the Key used for decrypting
> if (!InitKey(strKey))
> {
> throw new AppException("Error. Fail to generate key for
> decryption");
> }
>
> //2. Initialize the service provider
> DESCryptoServiceProvider descsp = new
> DESCryptoServiceProvider();
> ICryptoTransform desDecrypt = descsp.CreateDecryptor(m_Key,
> m_IV);
>
> //3. Prepare the streams:
> // mOut is the output stream.
> // cs is the transformation stream.
> MemoryStream mOut = new MemoryStream();
> CryptoStream cs = new CryptoStream(mOut, desDecrypt,
> CryptoStreamMode.Write);
>
> long lRead = 0;
> //long lTotal = strData.Length;
> long lTotal = bPlain.Length;
>
> try
> {
> //5. Perform the actual decryption
> while (lTotal >= lRead)
> {
> cs.Write(bPlain,0,(int)bPlain.Length);
> //descsp.BlockSize=64
> lRead = mOut.Length +
> Convert.ToUInt32(((bPlain.Length / descsp.BlockSize) *
> descsp.BlockSize));
> };
>
> ASCIIEncoding aEnc = new ASCIIEncoding();
> strResult = aEnc.GetString(mOut.GetBuffer(), 0,
> (int)mOut.Length);
>
> //6. Trim the string to return only the meaningful data
> // Remember that in the encrypt function, the first
> 5 character holds the length of the actual data
> // This is the simplest way to remember to original
> length of the data, without resorting to complicated computations.
> String strLen = strResult.Substring(0,5);
> int nLen = Convert.ToInt32(strLen);
> strResult = strResult.Substring(5, nLen);
>
> return strResult;
> }
> catch (Exception)
> {
> throw new AppException("Error. Decryption Failed.
> Possibly due to incorrect Key or corrputed data");
> }
> }
>
> /////////////////////////////////////////////////////////////
> //Private function to generate the keys into member variables
> static private bool InitKey(String strKey)
> {
> try
> {
> // Convert Key to byte array
> byte[] bp = new byte[strKey.Length];
> ASCIIEncoding aEnc = new ASCIIEncoding();
> aEnc.GetBytes(strKey, 0, strKey.Length, bp, 0);
>
> //Hash the key using SHA1
> SHA1CryptoServiceProvider sha = new
> SHA1CryptoServiceProvider();
> byte[] bpHash = sha.ComputeHash(bp);
>
> int i;
> // use the low 64-bits for the key value
> for (i=0; i<8; i++)
> m_Key[i] = bpHash[i];
>
> for (i=8; i<16; i++)
> m_IV[i-8] = bpHash[i];
>
> return true;
> }
> catch (Exception)
> {
> //Error Performing Operations
> return false;
> }
> }
>
>
>