Transferring Login Credentials Securely

Recipe 5.8 Transferring Login Credentials Securely

Problem

You need to protect login credentials during transmission over the network and when they are stored within a database.

Solution

Use password hashing and salting with the .NET FormsAuthentication class to control user authentication and access to the application.

The schema of table TBL0508 used in this solution is shown in Table 5-5.

    Table 5-5. TBL0508 schema

    Column name     Data type    Length    Allow nulls?
    UserName        nvarchar     50        No
    PasswordHash    nvarchar     50        No
    PasswordSalt    nvarchar     50        No

The sample code contains two event handlers:

Create Button.Click
    Creates a GUID-based salt and generates a hash of the password concatenated with the salt for a user-specified password. The username, password hash, and salt are inserted into a database.

Login Button.Click
    Retrieves the salt and the hash of the password and salt from the database for the specified username. The user-entered password is concatenated with the retrieved salt and the hash is generated. If the hash matches the hash retrieved from the database, the user is authenticated.

The C# code is shown in Example 5-8.

Example 5-8. File: ADOCookbookCS0508.aspx.cs

    // Namespaces, variables, and constants
    using System;
    using System.Configuration;
    using System.Web.Security;
    using System.Data;
    using System.Data.SqlClient;

    private const String TABLENAME = "TBL0508";

    // . . .

    private void createButton_Click(object sender, System.EventArgs e)
    {
        // Create and display the password salt.
        String passwordSalt = Guid.NewGuid().ToString( );
        passwordSaltLabel.Text = passwordSalt;

        // Create and display the password hash.
        String passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(
            passwordTextBox.Text + passwordSalt, "md5");
        passwordHashLabel.Text = passwordHashDBLabel.Text = passwordHash;

        // Insert UserName with the password hash and salt into the database.
        // The recipe builds the SQL text by concatenating the user-supplied
        // name and the computed values directly into the statement.
        String sqlText = "INSERT " + TABLENAME +
            " (UserName, PasswordHash, PasswordSalt) " +
            "VALUES ('" + userNameTextBox.Text + "', '" + passwordHash + "', '" +
            passwordSalt + "')";
        SqlConnection conn = new SqlConnection(
            ConfigurationSettings.AppSettings["DataConnectString"]);
        SqlCommand cmd = new SqlCommand(sqlText, conn);
        conn.Open( );
        try
        {
            if(cmd.ExecuteNonQuery( ) == 1)
                statusLabel.Text = "User created.";
            else
                statusLabel.Text = "Could not create user.";
        }
        catch(SqlException)
        {
            statusLabel.Text = "Could not create user.";
        }
        finally
        {
            conn.Close( );
        }
    }

    private void loginButton_Click(object sender, System.EventArgs e)
    {
        bool isAuthenticated = false;

        // Get the password hash and salt for the user.
        // As above, the username is concatenated into the query text.
        String sqlText = "SELECT PasswordHash, PasswordSalt FROM " + TABLENAME +
            " WHERE UserName = '" + userNameTextBox.Text + "'";
        SqlConnection conn = new SqlConnection(
            ConfigurationSettings.AppSettings["DataConnectString"]);
        SqlCommand cmd = new SqlCommand(sqlText, conn);
        conn.Open( );
        SqlDataReader dr = cmd.ExecuteReader( );

        // Get the DataReader first row containing the user's password hash and salt.
        if(dr.Read( ))
        {
            // Get and display password hash and salt from the DataReader.
            String passwordHashDB = passwordHashDBLabel.Text = dr.GetString(0);
            String passwordSalt = passwordSaltLabel.Text = dr.GetString(1);

            // Calculate password hash based on the password entered and
            // the password salt retrieved from the database.
            String passwordHash = passwordHashLabel.Text =
                FormsAuthentication.HashPasswordForStoringInConfigFile(
                passwordTextBox.Text + passwordSalt, "md5");

            // Check whether the calculated hash matches the hash retrieved
            // from the database.
            isAuthenticated = (passwordHash == passwordHashDB);
        }
        conn.Close( );

        if(isAuthenticated)
            statusLabel.Text = "Authentication succeeded.";
        else
            statusLabel.Text = "Authentication failed.";
    }

Discussion

Persisting a user's password can be made more secure by first hashing the password. This means that an algorithm is applied to the password to generate a one-way transformation, or hash, of the password, making it statistically infeasible to recreate the password from the hash.

A hash algorithm creates a small binary value of fixed length from a larger binary value of an arbitrary length. The hash value is a statistically unique compact representation of the original data. A hash value can be created for and transmitted together with data. The hash can be recreated at a later time and compared to the original hash to ensure that the data has not been altered. To prevent the message from being intercepted and replaced along with a new hash, the hash is encrypted using the private key of an asymmetric key algorithm. This allows the hash to be authenticated as having come from the sender. For more information about symmetric and asymmetric key algorithms, see the discussion in Recipe 5.7.

The .NET Framework classes that implement hash algorithms are:

    • HMACSHA1
    • MACTripleDES
    • MD5CryptoServiceProvider
    • SHA1Managed
    • SHA256Managed
    • SHA384Managed
    • SHA512Managed

In the sample, the user enters his password, the password is hashed, and then the combination of user ID and password hash is compared to values stored persistently, such as in a database table. If the pairs match, the user is authenticated, without comparing the actual password. Because the hash algorithm is a one-way algorithm, the user's password cannot be recreated even if unauthorized access ...
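The two handlers of Example 5-8, rewritten as an added example (not the cookbook's code) in Python with an in-memory SQLite stand-in for TBL0508 so it runs stand-alone. It keeps the recipe's scheme as legacy_hash (one MD5 pass over password + salt, rendered as upper-case hex, the format HashPasswordForStoringInConfigFile emits) beside a hardened_hash built on PBKDF2-HMAC-SHA256, passes the username and values as query parameters instead of concatenating them into the SQL text, and compares the hashes in constant time. The table and column names are the recipe's; the iteration count, the hash-on-miss behaviour for unknown users, and the sample usernames and passwords are my own constructions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# In-memory stand-in for the recipe's SQL Server table TBL0508 (constructed
# here; same three columns as Table 5-5).
SCHEMA = """
CREATE TABLE TBL0508 (
    UserName     TEXT NOT NULL PRIMARY KEY,
    PasswordHash TEXT NOT NULL,
    PasswordSalt TEXT NOT NULL
)
"""

# Assumption: PBKDF2 work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def open_store():
    """Create an empty TBL0508 in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def legacy_hash(password, salt):
    """The recipe's scheme: one MD5 pass over password + salt as upper-case hex,
    which is what HashPasswordForStoringInConfigFile(..., "md5") returns.
    Kept only so rows written by the old handler can still be verified."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest().upper()


def hardened_hash(password, salt):
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess costs an attacker
    PBKDF2_ITERATIONS HMAC operations instead of a single MD5."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt.encode("utf-8"), PBKDF2_ITERATIONS)
    return key.hex()


def create_user(conn, username, password, hash_fn=hardened_hash):
    """createButton_Click equivalent: fresh random salt, hash, parameterised
    INSERT. Returns True on success, False if the username already exists."""
    salt = secrets.token_hex(16)            # 128 bits from the OS CSPRNG
    pw_hash = hash_fn(password, salt)
    try:
        conn.execute(
            "INSERT INTO TBL0508 (UserName, PasswordHash, PasswordSalt) "
            "VALUES (?, ?, ?)",
            (username, pw_hash, salt),      # bound as parameters, never SQL text
        )
    except sqlite3.IntegrityError:
        return False
    return True


def login(conn, username, password, hash_fn=hardened_hash):
    """loginButton_Click equivalent: parameterised SELECT of salt and stored
    hash, recompute from the entered password, compare in constant time."""
    row = conn.execute(
        "SELECT PasswordHash, PasswordSalt FROM TBL0508 WHERE UserName = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Assumption: spend the same effort for an unknown user so response
        # time does not reveal which usernames exist.
        hash_fn(password, "0" * 32)
        return False
    stored_hash, salt = row
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not leak how much of the hash matched.
    return hmac.compare_digest(hash_fn(password, salt), stored_hash)


if __name__ == "__main__":
    db = open_store()
    print("created:", create_user(db, "alice", "correct horse battery"))
    print("login ok:", login(db, "alice", "correct horse battery"))
    print("login bad:", login(db, "alice", "wrong"))
```

A username containing a quote character, such as o'brien, is stored and looked up correctly here because the driver binds it as a parameter; in the concatenated form of Example 5-8 the same input would change the SQL statement itself.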