Do you need to be able to validate the same password in both C# and CF? You might try a service like pastebin that formats code since in email all the tabs and line breaks go away making it hard to read.
-Mike Chabot On Mon, Feb 4, 2013 at 3:42 PM, Bert Dawson <[email protected]> wrote: > > Hi > > I need to write a hash mechanism in CF that replaces on in C#: it accepts a > salt, and the password the user enters, and returns a string. > > #Something("rOE3gOJuY/8iZCa0iFmjAQ==", "Sup3rP4sSwORD")# --> > YRsleC9Zqpb8/pk3KEtOcuA2jho= > > I've tried a few things, but haven't got it yet, then I thought I'd post it > here, in case there was someone who could just bash it out. > > Thanks in advance > Bert > > p.s. by way of introduction, its been a few years since I posted here, but > I'm still working on a fusebox app I started in early 2000. > > p.p.s. here's the (psuedo) C# code that i need to replicate that I've been > given, along with the comment "pay specific attention on how the base 64 > string are directly converted to byte arrays." > > > class Program { static void Main(string[] args) { > // These values are retrieved from the database. string > userSpecificSaltB64String = "rOE3gOJuY/8iZCa0iFmjAQ=="; string > realPasswordSHA1HashB64String = "YRsleC9Zqpb8/pk3KEtOcuA2jho="; > // This value is the string entered by the user in the login form. > string passwordToValidate = "Sup3rP4sSwORD"; // We write the > result of the IsPasswordValid call. Console.WriteLine( > string.Format( "Is Password Valid: {0}", > IsPasswordValid(passwordToValidate, userSpecificSaltB64String, > realPasswordSHA1HashB64String) ? "YES" : "NO")); // This will > display: // Is Password Valid: YES } /// > <summary> > /// Validates if the provided password has the same hash as the one > stored in the database. /// The high level algorithm is to compare > the hash provided in argument (DBPwdHash), retrieved from the DB, > /// with the one we generate thanks to the user specific salt (DBSalt), > also retrieved from the DB, and the provided password (ProvidedPwd) by > following this comparaison pattern: /// DBPwdHash == SHA1(DBSalt + > ProvidedPwd) /// </summary> /// <param > name="passwordToValidate">The password in clear/plain text we want to > validate. This value is provided by the user via the login form.</param> > /// <param name="userSpecificSaltB64String">The base 64 encoded string > of the user specific salt. This value is retrieved from the > database.</param> /// <param > name="realPasswordSHA1HashB64String">The base 64 encoded string of the real > password hash. This value is retrieved from the database.</param> > /// <returns>True is the password is valid (that is, produces the same > hash). False otherwise.</returns> private static bool > IsPasswordValid(string passwordToValidate, string > userSpecificSaltB64String, string realPasswordSHA1HashB64String) { > // We convert the user specific salt from the B64 string (as > stored in the DB) to a byte array. byte[] > userSpecificSaltByteArray = > Convert.FromBase64String(userSpecificSaltB64String); // We > convert the provided password from a clear/plain text string to a byte > array. byte[] passwordToValidateByteArray = > Encoding.Unicode.GetBytes(passwordToValidate); // We contenate > the salt and provided password byte arrays into one > saltAndProvidedPasswordByteArray byte array, in the order salt then > provided password. byte[] saltAndPasswordToValidateByteArray = > new byte[userSpecificSaltByteArray.Length + > passwordToValidateByteArray.Length]; > Buffer.BlockCopy(userSpecificSaltByteArray, 0, > saltAndPasswordToValidateByteArray, 0, userSpecificSaltByteArray.Length); > Buffer.BlockCopy(passwordToValidateByteArray, 0, > saltAndPasswordToValidateByteArray, userSpecificSaltByteArray.Length, > passwordToValidateByteArray.Length); // We generate the SHA1 > hash of the saltAndProvidedPasswordByteArray byte array. SHA1 > sha = new SHA1CryptoServiceProvider(); byte[] > saltAndPasswordToValidateSHA1HashByteArray = > sha.ComputeHash(saltAndPasswordToValidateByteArray); // We > convert the saltAndProvidedPasswordSHA1HashByteArray into a B64 string. > string saltAndPasswordToValidateSHA1HashB64String = > Convert.ToBase64String(saltAndPasswordToValidateSHA1HashByteArray); > // We compare the SHA1 hash generated thanks to the provided password > with the one stored in the database. return > saltAndPasswordToValidateSHA1HashB64String == > realPasswordSHA1HashB64String; > } } > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354279 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
