Develop Reference

.NET Identity 2.0 with custom salted passwords

I'm trying to switch to .NET Identity from an old custom membership provider in an existing MVC application, and maintain dapper as the ORM, not EntityFramework which comes out of the box.
I'm stuck at trying to implement my own IPasswordHasher, as I need the existing credentials to work. In HashPassword I want to return a SHA-computed hash of the cleartext input combined with a user-specific salt, but the method only receives the clear text value, and no reference to the user for which a login is attempted.
Where can I get this salt? Or am I going at this in the wrong way?

I had to do pretty much the same thing for migration. And the recommended migration article provides the solution for your problem.
You need to merge old password hash with the salt into one Password field, separated by a special symbol (in the article it was |, but you can choose your own separator).
And then PasswordHasher should check the password for that special symbol, and if it is present separate salt from the password and apply the hashing.
Here is a code snippet from the linked above article, though I've removed some noise for checking of plain-text password storage. This presumes that your hash is stored in format SH1hash|salt
public class SQLPasswordHasher : PasswordHasher
{
public override string HashPassword(string password)
{
return base.HashPassword(password);
}
public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
{
string[] passwordProperties = hashedPassword.Split('|');
if (passwordProperties.Length != 2)
{
// use default Identity implementation
return base.VerifyHashedPassword(hashedPassword, providedPassword);
}
else
{
string passwordHash = passwordProperties[0];
string salt = passwordProperties[1];
if (String.Equals(EncryptPassword(providedPassword, salt), passwordHash, StringComparison.CurrentCultureIgnoreCase))
{
return PasswordVerificationResult.SuccessRehashNeeded;
}
else
{
return PasswordVerificationResult.Failed;
}
}
}
//This is copied from the existing SQL provider
private string EncryptPassword(string pass, string salt)
{
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bRet = null;
HashAlgorithm hm = HashAlgorithm.Create("SHA1");
if (hm is KeyedHashAlgorithm)
{
KeyedHashAlgorithm kha = (KeyedHashAlgorithm)hm;
if (kha.Key.Length == bSalt.Length)
{
kha.Key = bSalt;
}
else if (kha.Key.Length < bSalt.Length)
{
byte[] bKey = new byte[kha.Key.Length];
Buffer.BlockCopy(bSalt, 0, bKey, 0, bKey.Length);
kha.Key = bKey;
}
else
{
byte[] bKey = new byte[kha.Key.Length];
for (int iter = 0; iter < bKey.Length; )
{
int len = Math.Min(bSalt.Length, bKey.Length - iter);
Buffer.BlockCopy(bSalt, 0, bKey, iter, len);
iter += len;
}
kha.Key = bKey;
}
bRet = kha.ComputeHash(bIn);
}
else
{
byte[] bAll = new byte[bSalt.Length + bIn.Length];
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
bRet = hm.ComputeHash(bAll);
}
return Convert.ToBase64String(bRet);
}
}

text to md5 converter script in asp.net

I have a website in asp.net 2.0, As I need to use CCNOW payment integration to make a payment but for this I'll have to send request to CCNOW in MD5 format but I can't able to generate my values to CCNOW MD5 format. So, could you please any one have a script/function that will convert given string into MD5?

MD5 isn't a "format," is a hashing algorithm. Use the MD5 class. Assuming you're using C#, it would look something like this:
static string getMd5Hash(string input)
{
// Create a new instance of the MD5CryptoServiceProvider object.
MD5 md5Hasher = MD5.Create();
// Convert the input string to a byte array and compute the hash.
byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input));
// Create a new Stringbuilder to collect the bytes
// and create a string.
StringBuilder sBuilder = new StringBuilder();
// Loop through each byte of the hashed data
// and format each one as a hexadecimal string.
for (int i = 0; i < data.Length; i++)
{
sBuilder.Append(data[i].ToString("x2"));
}
// Return the hexadecimal string.
return sBuilder.ToString();
}

public static string GetMD5(string value) {
MD5 md5 = MD5.Create();
byte[] md5Bytes = System.Text.Encoding.Default.GetBytes(value);
byte[] cryString = md5.ComputeHash(md5Bytes);
string md5Str = string.Empty;
for (int i = 0; i < cryString.Length; i++) {
md5Str += cryString[i].ToString("X");
}
return md5Str;
}
Call it with:
GetMD5(stringToConvert);

AES Encryption/Decryption with Bouncycastle Example in J2ME

i want to Encrypt and Decrypt data in J2ME using AES Algorithm with bouncy castle
can any one give me sample code for that
i want to use ECB with PKCS5Padding
Thanks in Advance.

I'm sure there are examples out there but I haven't found them. Here are a few hints to help you get started. You need to learn how to connect the BC classes together. First, get the bouncycastle source code and be prepared to look at it when you have questions. It's actually very readable so don't be afraid to examine it when the documentation is poor. For example, many classes want an instance of a CipherParameters object, but it is rare for the documentation to specify any more detail. However, in the source code it will be obvious as to which implementing classes are expected.
Choose one of the AES engines, for example AESEngine, as the encryption engine. Next pick a mode; ECB is rarely correct, so for example if you pick CBC mode then create a CBCBlockCipher object from your AESEngine object. Next, use this object to create a PaddedBufferBlockCipher object. The default constructor uses PKCS7 padding which is identical to the PKCS5 padding you want. Now you need to create an object to hold the key and IV. This is the CipherParameters interface. You create the object in two steps. First, you create a KeyParameter object with your key. Next, you create a ParametersWithIV object with your KeyParameter object and your IV. This object is supplied to the init method of the PaddedBufferBlockCipher object and then your are ready to go.
EDIT
Here is small example:
private static byte[] cipherData(PaddedBufferedBlockCipher cipher, byte[] data)
throws Exception
{
int minSize = cipher.getOutputSize(data.length);
byte[] outBuf = new byte[minSize];
int length1 = cipher.processBytes(data, 0, data.length, outBuf, 0);
int length2 = cipher.doFinal(outBuf, length1);
int actualLength = length1 + length2;
byte[] result = new byte[actualLength];
System.arraycopy(outBuf, 0, result, 0, result.length);
return result;
}
private static byte[] decrypt(byte[] cipher, byte[] key, byte[] iv) throws Exception
{
PaddedBufferedBlockCipher aes = new PaddedBufferedBlockCipher(new CBCBlockCipher(
new AESEngine()));
CipherParameters ivAndKey = new ParametersWithIV(new KeyParameter(key), iv);
aes.init(false, ivAndKey);
return cipherData(aes, cipher);
}
private static byte[] encrypt(byte[] plain, byte[] key, byte[] iv) throws Exception
{
PaddedBufferedBlockCipher aes = new PaddedBufferedBlockCipher(new CBCBlockCipher(
new AESEngine()));
CipherParameters ivAndKey = new ParametersWithIV(new KeyParameter(key), iv);
aes.init(true, ivAndKey);
return cipherData(aes, plain);
}

encrypt PBEWithMD5AndDES in j2me

i'm triing to get this code to work on j2me
(it is working a java program)
but not yet in j2me
public static String generate(String plaintext, String passphase) throws Exception {
try {
PBEKeySpec pbeKeySpec = new PBEKeySpec(passphase.toCharArray());
PBEParameterSpec pbeParamSpec;
SecretKeyFactory keyFac;
// Salt
byte[] salt = {(byte) 0xc8, (byte) 0x73, (byte) 0x61, (byte) 0x1d, (byte) 0x1a, (byte) 0xf2, (byte) 0xa8, (byte) 0x99};
// Iteration count
int count = 20;
// Create PBE parameter set
pbeParamSpec = new PBEParameterSpec(salt, count);
keyFac = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
SecretKey pbeKey = keyFac.generateSecret(pbeKeySpec);
// Create PBE Cipher
Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
// Initialize PBE Cipher with key and parameters
pbeCipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParamSpec);
// Our cleartext
byte[] cleartext = plaintext.getBytes();
// Encrypt the cleartext
byte[] ciphertext = pbeCipher.doFinal(cleartext);
return ciphertext;
} catch (Exception ex) {
throw new Exception(ex.getMessage());
}
}
i found this lib
http://www.bouncycastle.org/java.html
the important thing is that i find a method for j2me that can encrypt using PBEWithMD5AndDES
anyone know the solution?
edit adding extra info
when i try to add the above code to a mobile project
following classes are not recognized (not included in j2me)
PBEKeySpec
PBEParameterSpec
SecretKeyFactory
so i need a package that allows me to encode plain text using PBEWithMD5AndDES
anyone know such a package compatible with j2me?
thx for the replies so far

A lot can go wrong when applying a primitive, you should use Jasypt.

string message authentication

I get string messages from the clients which needs to be authenticated in the server.
I need to ensure that I (the server) got the exact string content which was sent by the client. I don't care about the client identity. Just the message.
I thought of using hashcode or CRC algorithm.
Do you have any suggestions/best practices for it?
Thanks a lot,
Adi Barda

To make certain the string is identical, then yes, a hash will do the job. The only problem you will encounter is that if the server has nothing to match to, all you will have is that the string you have is the same as the string that was hashed.
Any language you are using in particular?
Here's an example in C#, which hashes a string then converts into Base64:
public static string QHash(string str)
{
SHA512 SHA512HashCreator = SHA512.Create();
byte[] EncryptedData = SHA512HashCreator.ComputeHash(Encoding.UTF8.GetBytes(str));
StringBuilder qhash = new StringBuilder();
for (int i = 0; i < EncryptedData.Length; i++)
{
qhash.Append(EncryptedData[i].ToString("X2"));
}
return qhash.ToString().ToUpper();
}