I have 2 websites: one written in classic asp and another written in ASP.NET (1.1 framework). Both applications use a login mechanism to validate user credentials based on a shared database table. Up to now passwords are stored in a 1-way MD5 hash, meaning people must be given a new generated password if they lose the old one. I now want to change this and make the passwords decryptable.

I found this Rijndael code to use with classic asp: http://www.frez.co.uk/freecode.htm#rijndael

But I cannot find the same solution for ASP.NET. I tried this, but it gives me different encryption and decryption results between the classic asp and ASP.NET code:

    If Not String.IsNullOrEmpty(TextBox1.Text) And Not String.IsNullOrEmpty(TextBox2.Text) Then

        Dim password = TextBox1.Text
        Dim key = TextBox2.Text

        Dim keyGenerator = New Rfc2898DeriveBytes(key, 8)
        Dim r = New RijndaelManaged

        r.Mode = CipherMode.CBC
        r.Padding = PaddingMode.Zeros
        r.BlockSize = 256
        r.KeySize = 256
        r.FeedbackSize = 256

        r.IV = keyGenerator.GetBytes(CType(r.BlockSize / 8, Integer))
        r.Key = keyGenerator.GetBytes(CType(r.KeySize / 8, Integer))

        Dim transform As ICryptoTransform = r.CreateEncryptor()

        Dim encoded As Byte() = Encoding.ASCII.GetBytes(password)
        Dim target As Byte() = transform.TransformFinalBlock(encoded, 0, encoded.Length)

        TextBox3.Text = Encoding.ASCII.GetString(target)

    End If

I think I'm doing something wrong with generating the key or iv, but I can't find a solution.

A: 

Since ASP classic doesn't have native hash functions, you'll probably need to port your MD5 VBScript code to your .NET language, or use a common cryptography component, due to some error in your legacy code.

Rubens Farias
MD5 is no problem, this has been working for years now both for classic asp and ASP.NET. But I want to convert everything to Rijndael encryption to make passwords also decryptable.
Stief Dirckx
Same applies: if the results of those two methods, by different algorithms, don't match, use the same algorithm and they will. Or you'll need to do it the hard way: validating Phil Fresle's AES Rijndael Block Cipher implementation.
Rubens Farias
A: 

I had a quick look at the classic asp files and it doesn't mention the block mode used, whereas your .net code specifies CBC mode and also the padding. Further the classic implementation states:

    ' 3-Apr-2001: Functions added to the bottom for encrypting/decrypting large
    ' arrays of data. The entire length of the array is inserted as the first four
    ' bytes onto the front of the first block of the resultant byte array before
    ' encryption.

Are you using those functions? If you are, then you're encrypting the size bytes too.

Be assured the .net encryption works well, I'd guess your problem is in the classic solution you've found. If I were in your position I'd start by simplifying things and just encrypt a single block with each method and then expand from there... good luck

Patrick
Thanks Patrick, so the classic asp solution doesn't really stick to the standard encryption method. I'm thinking to develop a dll in .NET that takes care of the encryption and make that dll callable from classic asp.
Stief Dirckx
I didn't look that closely but it looks like the classic asp just does AES which isn't very useful by itself but the code does what it says on the tin... you could add the block mode yourself perhaps but .net does it all for you...
Patrick
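
Patrick's advice to start with a single block, as an added VB.NET example that is not part of the original thread: it encrypts one 16-byte block with fixed key bytes, no chaining and no padding, and checks the result against the AES-256 example vector from FIPS-197 Appendix C.3, so the same key and block can be fed to the classic ASP code and the hex output compared. The module and function names are illustrative, and it assumes the classic ASP side is plain AES with a 128-bit block, as Patrick's comment suggests.

```vbnet
Imports System
Imports System.Security.Cryptography

Module SingleBlockCheck
    ' Hex helper for the test vector below (illustrative name).
    Function FromHex(hex As String) As Byte()
        Dim bytes(hex.Length \ 2 - 1) As Byte
        For i As Integer = 0 To bytes.Length - 1
            bytes(i) = Convert.ToByte(hex.Substring(i * 2, 2), 16)
        Next
        Return bytes
    End Function

    ' Encrypts exactly one 16-byte block. The output depends only on the key
    ' and the block, so any mismatch with the other implementation is in the
    ' cipher itself, not in IV handling, padding or length prefixes.
    Function EncryptBlock(key As Byte(), block As Byte()) As Byte()
        Using r As New RijndaelManaged()
            r.BlockSize = 128               ' AES block size; 256 is Rijndael but not AES
            r.Mode = CipherMode.ECB         ' diagnostic only: isolates the raw block cipher
            r.Padding = PaddingMode.None    ' input must be exactly one block
            ' Fixed key bytes. Rfc2898DeriveBytes(key, 8) generates a new random
            ' 8-byte salt on every call, so its key and IV change from run to run.
            r.Key = key
            Using t As ICryptoTransform = r.CreateEncryptor()
                Return t.TransformFinalBlock(block, 0, block.Length)
            End Using
        End Using
    End Function

    ' Ciphertext is arbitrary bytes: show it as hex (or Base64), never through
    ' Encoding.ASCII, which replaces every byte above 127 with "?".
    Function ToHex(data As Byte()) As String
        Return BitConverter.ToString(data).Replace("-", "").ToLowerInvariant()
    End Function

    Sub Main()
        ' FIPS-197 Appendix C.3 (AES-256) key, plaintext block and ciphertext.
        Dim key = FromHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
        Dim plain = FromHex("00112233445566778899aabbccddeeff")
        Dim expected = "8ea2b7ca516745bfeafc49904b496089"

        Dim actual = ToHex(EncryptBlock(key, plain))
        Console.WriteLine("ciphertext: " & actual)
        Console.WriteLine("matches FIPS-197 vector: " & (actual = expected).ToString())
    End Sub
End Module
```

Once both sides agree on this one block, add the mode, IV and padding back one at a time to find which setting diverges.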
A: 

Check the page below. This guy provides a whole AES solution package!

http://blog.ryeol.com/6

lazy fri13th