Hi

I need to write a hash mechanism in CF that replaces one in C#: it accepts a
salt, and the password the user enters, and returns a string.

#Something("rOE3gOJuY/8iZCa0iFmjAQ==", "Sup3rP4sSwORD")# -->
YRsleC9Zqpb8/pk3KEtOcuA2jho=

I've tried a few things, but haven't got it yet, then I thought I'd post it
here, in case there was someone who could just bash it out.

Thanks in advance
Bert

p.s. by way of introduction, it's been a few years since I posted here, but
I'm still working on a fusebox app I started in early 2000.

p.p.s. here's the (pseudo) C# code that I need to replicate that I've been
given, along with the comment "pay specific attention on how the base 64
string are directly converted to byte arrays."

using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // These values are retrieved from the database.
        string userSpecificSaltB64String = "rOE3gOJuY/8iZCa0iFmjAQ==";
        string realPasswordSHA1HashB64String = "YRsleC9Zqpb8/pk3KEtOcuA2jho=";

        // This value is the string entered by the user in the login form.
        string passwordToValidate = "Sup3rP4sSwORD";

        // We write the result of the IsPasswordValid call.
        Console.WriteLine(
            string.Format(
                "Is Password Valid: {0}",
                IsPasswordValid(passwordToValidate, userSpecificSaltB64String,
                    realPasswordSHA1HashB64String) ? "YES" : "NO"));

        // This will display:
        // Is Password Valid: YES
    }

    /// <summary>
    /// Validates if the provided password has the same hash as the one stored in the database.
    /// The high level algorithm is to compare the hash provided in argument (DBPwdHash), retrieved from the DB,
    /// with the one we generate thanks to the user specific salt (DBSalt), also retrieved from the DB,
    /// and the provided password (ProvidedPwd) by following this comparison pattern:
    /// DBPwdHash == SHA1(DBSalt + ProvidedPwd)
    /// </summary>
    /// <param name="passwordToValidate">The password in clear/plain text we want to validate. This value is provided by the user via the login form.</param>
    /// <param name="userSpecificSaltB64String">The base 64 encoded string of the user specific salt. This value is retrieved from the database.</param>
    /// <param name="realPasswordSHA1HashB64String">The base 64 encoded string of the real password hash. This value is retrieved from the database.</param>
    /// <returns>True if the password is valid (that is, produces the same hash). False otherwise.</returns>
    private static bool IsPasswordValid(string passwordToValidate, string userSpecificSaltB64String, string realPasswordSHA1HashB64String)
    {
        // We convert the user specific salt from the B64 string (as stored in the DB) to a byte array.
        byte[] userSpecificSaltByteArray = Convert.FromBase64String(userSpecificSaltB64String);

        // We convert the provided password from a clear/plain text string to a byte array.
        // Encoding.Unicode is UTF-16 little-endian.
        byte[] passwordToValidateByteArray = Encoding.Unicode.GetBytes(passwordToValidate);

        // We concatenate the salt and provided password byte arrays into one
        // saltAndPasswordToValidateByteArray byte array, in the order salt then provided password.
        byte[] saltAndPasswordToValidateByteArray =
            new byte[userSpecificSaltByteArray.Length + passwordToValidateByteArray.Length];
        Buffer.BlockCopy(userSpecificSaltByteArray, 0,
            saltAndPasswordToValidateByteArray, 0, userSpecificSaltByteArray.Length);
        Buffer.BlockCopy(passwordToValidateByteArray, 0,
            saltAndPasswordToValidateByteArray, userSpecificSaltByteArray.Length,
            passwordToValidateByteArray.Length);

        // We generate the SHA1 hash of the saltAndPasswordToValidateByteArray byte array.
        SHA1 sha = new SHA1CryptoServiceProvider();
        byte[] saltAndPasswordToValidateSHA1HashByteArray =
            sha.ComputeHash(saltAndPasswordToValidateByteArray);

        // We convert the saltAndPasswordToValidateSHA1HashByteArray into a B64 string.
        string saltAndPasswordToValidateSHA1HashB64String =
            Convert.ToBase64String(saltAndPasswordToValidateSHA1HashByteArray);

        // We compare the SHA1 hash generated thanks to the provided password
        // with the one stored in the database.
        return saltAndPasswordToValidateSHA1HashB64String == realPasswordSHA1HashB64String;
    }
}

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354277
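
The computation in the C# above, written in CFML as an added example (it is not part of the original post or of any reply to it). The function names hashSaltedPassword and isPasswordValid are hypothetical; the code assumes java.security.MessageDigest is reachable through createObject and uses "utf-16le" to match C#'s Encoding.Unicode.

```cfml
<!--- Added example; the function names are hypothetical, not from the original post. --->
<cffunction name="hashSaltedPassword" access="public" returntype="string" output="false">
    <cfargument name="saltB64" type="string" required="true">
    <cfargument name="password" type="string" required="true">

    <!--- Base64 text to raw salt bytes, the counterpart of Convert.FromBase64String. --->
    <cfset var saltBytes = binaryDecode(arguments.saltB64, "base64")>
    <!--- C# Encoding.Unicode is UTF-16 little-endian with no BOM. Java's plain "utf-16"
          prepends a BOM and is big-endian, which would produce a different hash. --->
    <cfset var passwordBytes = charsetDecode(arguments.password, "utf-16le")>
    <cfset var md = createObject("java", "java.security.MessageDigest").getInstance("SHA-1")>

    <!--- Feeding salt, then password, is equivalent to hashing the concatenated array. --->
    <cfset md.update(saltBytes)>
    <cfset md.update(passwordBytes)>

    <!--- Raw 20-byte digest back to Base64 text, the counterpart of Convert.ToBase64String. --->
    <cfreturn binaryEncode(md.digest(), "base64")>
</cffunction>

<cffunction name="isPasswordValid" access="public" returntype="boolean" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="saltB64" type="string" required="true">
    <cfargument name="storedHashB64" type="string" required="true">

    <cfset var computed = binaryDecode(hashSaltedPassword(arguments.saltB64, arguments.password), "base64")>
    <cfset var stored = binaryDecode(arguments.storedHashB64, "base64")>

    <!--- Compare the raw digest bytes with MessageDigest.isEqual rather than
          comparing the Base64 strings with EQ. --->
    <cfreturn createObject("java", "java.security.MessageDigest").isEqual(computed, stored)>
</cffunction>

<!--- Values taken from the post above. --->
<cfoutput>
    #hashSaltedPassword("rOE3gOJuY/8iZCa0iFmjAQ==", "Sup3rP4sSwORD")#<br>
    #isPasswordValid("Sup3rP4sSwORD", "rOE3gOJuY/8iZCa0iFmjAQ==", "YRsleC9Zqpb8/pk3KEtOcuA2jho=")#
</cfoutput>
```

The first output line should be compared with the stored hash quoted in the post; a mismatch most often points at the password encoding or at hashing the Base64 text of the salt instead of its decoded bytes.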