Default Implementation and Application of Microsoft.Identity IPasswordHasher Encryption


This article is copyrighted by the blog and its author Wu Shuang. Reprints and crawlers must cite the original address www.cnblogs.com/tdws.

Anyone who has understood the MS Identity authentication system knows the role of UserManager. It is the dispatcher of the system: it defines a set of user behaviors that help us manage user information and role information and process passwords. The actual implementation lives in the UserStore, and we implement the interfaces defined for us, such as IUserStore, IUserPasswordStore, IRoleStore and so on, to customize our user information, data structures and data storage on top of that set of user behaviors. For the password Hasher, MS likewise provides a complete behavior definition, which is also dispatched by UserManager. For example:

```csharp
UserManager.PasswordHasher.HashPassword(password)
```

PasswordHasher is defined in UserManager as follows:

Originally I was not interested in its default implementation. To authenticate logins for multiple independent applications, a separate user authentication project is needed as the authentication service: it only issues tokens, and after successful authentication the Authorization header of the user's HTTP request carries the token to access the resources of the various application servers.

This raises a problem with password authentication across multiple applications:

For example, application A uses IPasswordHasher to customize the hashing method (MD5 + salt), while application B uses the default PasswordHasher of Identity.

Therefore, to stay compatible with the different hashing methods of multiple applications, I had to decompile the source and obtain the default hashing method. Based on the application name, I decide how to encrypt the password, or how to compare the password stored in the database with the one the user entered. First, the default PasswordHasher of MS, as obtained by decompilation:

```csharp
// Decompiled with JetBrains decompiler
// Type: Microsoft.AspNet.Identity.Crypto
// Assembly: Microsoft.AspNet.Identity.Core, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
// MVID: E3A10FFD-023A-4BC3-AD53-32D145ABF1C9
// Assembly location: C:\Sport\NewProject\V2.0\Api\Fantasy.Sport\packages\Microsoft.AspNet.Identity.Core.2.2.1\lib\net45\Microsoft.AspNet.Identity.Core.dll

using System;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;

namespace Microsoft.AspNet.Identity
{
  internal static class Crypto
  {
    private const int PBKDF2IterCount = 1000;
    private const int PBKDF2SubkeyLength = 32;
    private const int SaltSize = 16;

    // Output format: 1 marker byte (0x00) + 16-byte random salt + 32-byte PBKDF2 subkey
    // = 49 bytes, Base64-encoded. A fresh salt is drawn on every call.
    public static string HashPassword(string password)
    {
      if (password == null)
        throw new ArgumentNullException("password");
      byte[] salt;
      byte[] bytes;
      // Rfc2898DeriveBytes = PBKDF2 with HMAC-SHA1, 16-byte salt, 1000 iterations
      using (Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, 16, 1000))
      {
        salt = rfc2898DeriveBytes.Salt;
        bytes = rfc2898DeriveBytes.GetBytes(32);
      }
      byte[] inArray = new byte[49];
      Buffer.BlockCopy((Array) salt, 0, (Array) inArray, 1, 16);
      Buffer.BlockCopy((Array) bytes, 0, (Array) inArray, 17, 32);
      return Convert.ToBase64String(inArray);
    }

    // Verification parses the salt out of the stored value and re-derives the subkey
    // with that salt; it never re-hashes the input with a fresh salt.
    public static bool VerifyHashedPassword(string hashedPassword, string password)
    {
      if (hashedPassword == null)
        return false;
      if (password == null)
        throw new ArgumentNullException("password");
      byte[] numArray = Convert.FromBase64String(hashedPassword);
      if (numArray.Length != 49 || (int) numArray[0] != 0)
        return false;
      byte[] salt = new byte[16];
      Buffer.BlockCopy((Array) numArray, 1, (Array) salt, 0, 16);
      byte[] a = new byte[32];
      Buffer.BlockCopy((Array) numArray, 17, (Array) a, 0, 32);
      byte[] bytes;
      using (Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, 1000))
        bytes = rfc2898DeriveBytes.GetBytes(32);
      return Crypto.ByteArraysEqual(a, bytes);
    }

    // NoOptimization keeps the JIT from short-circuiting the loop: the comparison
    // takes the same time regardless of where the arrays differ.
    [MethodImpl(MethodImplOptions.NoOptimization)]
    private static bool ByteArraysEqual(byte[] a, byte[] b)
    {
      if (object.ReferenceEquals((object) a, (object) b))
        return true;
      if (a == null || b == null || a.Length != b.Length)
        return false;
      bool flag = true;
      for (int index = 0; index < a.Length; ++index)
        flag &= (int) a[index] == (int) b[index];
      return flag;
    }
  }
}
```

Some may ask how to apply this source code; here is a brief explanation.

At first I naively assumed it was just an encryption routine that did not need careful reading and could simply be used as-is.

When a user registers or changes a password, the HashPassword method above is used to hash the password. So, in the new custom PasswordHasher, when comparing the login password for application B, is it fine to simply run the user's input through HashPassword? My custom VerifyHashedPassword (Verify meaning verification) therefore compared the Pwd stored in the database with the hasher's output. The result: every call produces a different value for the same string, unlike MD5 + salt. That is what led me to its default VerifyHashedPassword method.

So the last point is that you can use the Microsoft Identity hashing method (the Hasher above) directly; when comparing the user's input with the hash stored in the database, use its VerifyHashedPassword() method. This algorithm can be used even if Identity authentication is not used at all.
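To make the storage format and the verification pitfall concrete, here is an added example that is not part of the original post or of Microsoft's code: a Python re-implementation of the decompiled HashPassword / VerifyHashedPassword pair (same 0x00 marker, 16-byte salt, 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations, Base64 output), plus the "hash the input again and compare strings" mistake described above. The optional salt parameter on hash_password is an assumption added for deterministic testing; the .NET method always draws a random salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Layout of the Identity 2.x hash, as in the decompiled Crypto class above:
# [0x00 marker][16-byte salt][32-byte PBKDF2-HMAC-SHA1 subkey], Base64-encoded (68 chars).
PBKDF2_ITER_COUNT = 1000  # low by today's standards; later Identity versions use SHA256 and more rounds
PBKDF2_SUBKEY_LENGTH = 32
SALT_SIZE = 16
HASH_LENGTH = 1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH  # 49 bytes

def _derive(password: str, salt: bytes) -> bytes:
    # Rfc2898DeriveBytes(string, ...) on .NET 4.5 is PBKDF2 with HMAC-SHA1 over the UTF-8 password.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITER_COUNT, PBKDF2_SUBKEY_LENGTH)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Equivalent of Crypto.HashPassword. The salt parameter is an assumption added here
    for deterministic tests only; the .NET method always draws a fresh random salt."""
    if password is None:
        raise ValueError("password")
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    return base64.b64encode(b"\x00" + salt + _derive(password, salt)).decode("ascii")

def verify_hashed_password(hashed_password: Optional[str], password: str) -> bool:
    """Equivalent of Crypto.VerifyHashedPassword: parse the stored salt, re-derive, compare."""
    if hashed_password is None:
        return False
    if password is None:
        raise ValueError("password")
    try:
        blob = base64.b64decode(hashed_password, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed Base64 is simply "no match"
        return False
    if len(blob) != HASH_LENGTH or blob[0] != 0:
        return False
    salt = blob[1:1 + SALT_SIZE]
    stored_subkey = blob[1 + SALT_SIZE:]
    # hmac.compare_digest plays the role of the NoOptimization ByteArraysEqual: constant-time compare.
    return hmac.compare_digest(stored_subkey, _derive(password, salt))

def naive_hash_then_compare(stored_hash: str, password: str) -> bool:
    """The mistake described in the text: re-hashing the login input draws a new salt,
    so the strings never match even when the password is correct."""
    return hash_password(password) == stored_hash
```

Hashes produced by this code verify under the .NET Crypto class and vice versa, which is what makes the format usable from a non-Identity authentication service.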


For more on Identity and OWIN, see the following four articles:

Http://www.cnblogs.com/jesse2013/category/551550.html
