views:

399

answers:

3

Hello,

I'm using a custom MemberShipProvider in a c# project based on the code from: http://www.asp.net/learn/videos/video-189.aspx and for some reason I can't figure out, the method that decrypts the user password to validate the login gives an extra 8 characters in front of the password value (for example: 䝉慣嘗㳪畕锬password).

I use "encrypted" passwordFormat and the method UnEncodePassword consists of:

// Decrypts the stored Base64 blob and decodes every decrypted byte as UTF-16LE text.
private string UnEncodePassword(string encodedPassword)
{
    byte[] bytesIn = Convert.FromBase64String(encodedPassword);
    byte[] bytesRet = DecryptPassword(bytesIn);
    string password = Encoding.Unicode.GetString(bytesRet);

    return password;
}

Thanks!

+2  A: 

"䝉慣嘗㳪畕锬" is the salt? (updated)

On the server, in a web.config or other you have a salt value such as "milkshake". When the user gives a password like "TheYard" you add the salt and encrypt "milkshakeTheYard". When they login, you add the salt to their request and compare it to the encrypted string.

So what's the point of salt? If the encrypted password fell into the wrong hands, "TheYard" being only 7 characters is easy to lookup on a Rainbow Table. By adding salt, you make this process much harder.

Salt by itself provides little security, but used in combination provides an easily implemented extra layer.

Dead account
sorry...I don't understand?
tricat
I see, within the context of my question, password is "the password" and is the word I'm expecting solely from the DecryptPassword method, hence my problem because I'm getting those eight cryptic characters + clear_password_value. It must be something silly because clearly the encryption/decryption works or I wouldn't even get the clear text when decrypting otherwise. :(
tricat
Sorry mate but I have to downvote your answer as it's a comment and I want to keep what's the valid answer at the top.
tricat
You can mark your answer as an answer. Downvoting people who help you is a slap in the face.
Dead account
+1  A: 

Found it! I have to subtract the 16 bytes salt from my decrypted encodedPassword variable to get the password:

// DecryptPassword returns: 16-byte salt || UTF-16LE password bytes.
// Skip the salt and decode only the bytes that follow it.
private string UnEncodePassword(string encodedPassword)
{
    const int SaltSizeInBytes = 16;
    byte[] bytesIn = Convert.FromBase64String(encodedPassword);
    byte[] bytesRet = DecryptPassword(bytesIn);
    // A blob shorter than the salt cannot be a valid encoded password.
    if (bytesRet == null || bytesRet.Length < SaltSizeInBytes)
        return null;
    string password = System.Text.Encoding.Unicode.GetString(bytesRet, SaltSizeInBytes, bytesRet.Length - SaltSizeInBytes);

    return password;
}

Thanks Ian for giving me the clue about the salt!

tricat
You're just removing the word "䝉慣嘗㳪畕锬" from your string without really knowing why. bytesRet is your decrypted string, Unicode is 2 bytes per character, so your last line says "convert bytes to string, ignoring the first 8 characters". Or is there another reason for using the value of 16?
Dead account
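The following is an added example, not code from the question or from the ASP.NET video it is based on. It reproduces the byte layout that produces the "8 extra characters": a 16-byte random salt is prepended to the UTF-16LE password bytes before encryption, and decoding the whole decrypted blob as UTF-16 turns those 16 bytes into 8 code units ahead of the password. AES-CBC with a fixed all-zero key and IV is an assumption standing in for the provider's machineKey-based EncryptPassword/DecryptPassword; the class and method names are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: reproduces salt || UTF-16LE(password) encryption and both decoders.
public static class EncryptedPasswordDemo
{
    private const int SaltSizeInBytes = 16;

    // Assumption: demo-only AES key/IV. The real provider derives its key from <machineKey>.
    private static readonly byte[] DemoKey = new byte[32];
    private static readonly byte[] DemoIv = new byte[16];

    private static byte[] EncryptPassword(byte[] plain)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = DemoKey;
            aes.IV = DemoIv;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                return enc.TransformFinalBlock(plain, 0, plain.Length);
            }
        }
    }

    private static byte[] DecryptPassword(byte[] cipher)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = DemoKey;
            aes.IV = DemoIv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                return dec.TransformFinalBlock(cipher, 0, cipher.Length);
            }
        }
    }

    // Stored form: Base64(Encrypt(salt || UTF-16LE(password))).
    public static string EncodePassword(string password)
    {
        byte[] salt = new byte[SaltSizeInBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] pw = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, all, salt.Length, pw.Length);
        return Convert.ToBase64String(EncryptPassword(all));
    }

    // The decoder from the question: the salt bytes are decoded as text too,
    // which is where the leading junk characters come from.
    public static string UnEncodePasswordNaive(string encodedPassword)
    {
        byte[] all = DecryptPassword(Convert.FromBase64String(encodedPassword));
        return Encoding.Unicode.GetString(all);
    }

    // The corrected decoder: skip the 16-byte salt, and refuse blobs too short to hold it.
    public static string UnEncodePassword(string encodedPassword)
    {
        byte[] all = DecryptPassword(Convert.FromBase64String(encodedPassword));
        if (all.Length < SaltSizeInBytes)
        {
            throw new CryptographicException("Decrypted blob is shorter than the salt.");
        }
        return Encoding.Unicode.GetString(all, SaltSizeInBytes, all.Length - SaltSizeInBytes);
    }

    public static void Main()
    {
        string stored = EncodePassword("password");
        Console.WriteLine("naive:   " + UnEncodePasswordNaive(stored));
        Console.WriteLine("correct: " + UnEncodePassword(stored));
        // Two encodings of the same password differ because the salt is random.
        Console.WriteLine("same blob twice? " + (stored == EncodePassword("password")));
    }
}
```

UnEncodePasswordNaive returns the password with salt-derived characters in front of it, matching the symptom in the question, while UnEncodePassword returns only the password. The random salt is also why two users with the same password get different ciphertext in the database, which is the only thing the salt buys in the encrypted format: it does not make the encryption itself stronger.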
A: 

You should not be able to decrypt the password. You should encrypt the user-entered password and compare it to the stored encrypted password. Password recovery should generate a random one-time use password and force the user to change it the first time it's used.

Jamie Ide
The DecryptPassword is a method in the .NET Security assembly, I'm just overriding the existing method to make it work with my custom membership. Your post should be a comment, not an answer.
tricat
You're right. But my thinking is that if you can decrypt the password then you might as well store it in clear text.
Jamie Ide
I see your point but at least having the passwords and other sensitive information in an unreadable format in the database is secure enough to pass a security audit. Decrypting the information requires the machinekey so even with the database and knowing the way DecryptPassword method works won't be enough to compromise my data.
tricat
It depends on the auditor. :-) You will be able to decrypt the passwords, right? Most people re-use the same login/password on multiple sites so with a little additional work you can compromise their logins on other sites. Users should be confident that their passwords are secure from you too.
Jamie Ide
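As an added example (not code from the thread and not the membership provider's own hashed format), this shows the alternative argued for in the answer above: store a salted one-way hash and verify by recomputing, so that nothing in the database, with or without the machineKey, can be turned back into the password. The choice of PBKDF2 with HMAC-SHA256, the iteration count, the storage layout Base64(salt || hash) and the one-time reset token helper are all assumptions of this example; CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example: hashed, non-reversible password storage with constant-time verification.
public static class HashedPasswordDemo
{
    private const int SaltSizeInBytes = 16;
    private const int HashSizeInBytes = 32;
    // Assumption: iteration count chosen for this demo; tune it to your hardware.
    private const int Iterations = 100000;

    // Stored form: Base64(salt || PBKDF2-HMAC-SHA256(password, salt)).
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSizeInBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        byte[] all = new byte[SaltSizeInBytes + HashSizeInBytes];
        Buffer.BlockCopy(salt, 0, all, 0, SaltSizeInBytes);
        Buffer.BlockCopy(hash, 0, all, SaltSizeInBytes, HashSizeInBytes);
        return Convert.ToBase64String(all);
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool VerifyPassword(string password, string stored)
    {
        byte[] all;
        try
        {
            all = Convert.FromBase64String(stored);
        }
        catch (FormatException)
        {
            return false;
        }
        if (all.Length != SaltSizeInBytes + HashSizeInBytes)
        {
            return false;
        }
        byte[] salt = new byte[SaltSizeInBytes];
        byte[] expected = new byte[HashSizeInBytes];
        Buffer.BlockCopy(all, 0, salt, 0, SaltSizeInBytes);
        Buffer.BlockCopy(all, SaltSizeInBytes, expected, 0, HashSizeInBytes);
        byte[] actual = Derive(password, salt);
        // Constant-time comparison so timing does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Password recovery: hand out a random one-time value, never the old password.
    public static string NewOneTimePassword()
    {
        byte[] token = new byte[24];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(token);
        }
        return Convert.ToBase64String(token);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSizeInBytes);
        }
    }

    public static void Main()
    {
        string stored = HashPassword("TheYard");
        Console.WriteLine("right password: " + VerifyPassword("TheYard", stored));
        Console.WriteLine("wrong password: " + VerifyPassword("theyard", stored));
        Console.WriteLine("garbage record: " + VerifyPassword("TheYard", "not base64!"));
        Console.WriteLine("reset token:    " + NewOneTimePassword());
    }
}
```

With this layout the login path never needs DecryptPassword at all: ValidateUser hashes what the user typed with the stored salt and compares. A reset flow stores the hash of the one-time value from NewOneTimePassword and forces a change on first use, which is the recovery model the answer describes.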