More secure passwords

-
Storing a plain-text password in a DB leaves your system open to abuse from anybody with access to the tables (sys admin for example). Here is the technique I recently used. Instead of storing the password itself I store a hash of the password, and a random "salt" that was used to create the hash to make it less predictable.


[UmlTaggedValue("Eco.Length", "255")]
private string PasswordHash
{
  get
  {
    ...
  }
  set
  {
    ...
  }
}

[UmlTaggedValue("Eco.AllowNULL", "True")]
[UmlTaggedValue("Eco.Length",  "40")]
private string PasswordSalt
{
 get
 {
    ...
 }
 set
 {
    ...
 }
}



As you can see I do not store the password, just a hash + salt, both of
which are private. Here are the methods used to set the values of these properties.

public void SetPassword(string newPassword)
{
  if (newPassword == null)
    throw new ArgumentNullException("password");
  if (newPassword.Length < 6)
    throw new ArgumentException("Password must be at least 6 characters");

  PasswordSalt = Guid.NewGuid().ToString();
  PasswordHash = EncryptPassword(newPassword);
}

private string EncryptPassword(string password)
{
  TripleDESCryptoServiceProvider des;
  MD5CryptoServiceProvider hashmd5;
  byte[] pwdhash, buff;
  hashmd5 = new MD5CryptoServiceProvider();
  pwdhash = hashmd5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(PasswordSalt));
  hashmd5 = null;
  des = new TripleDESCryptoServiceProvider();
  des.Key = pwdhash;
  des.Mode = CipherMode.ECB; //CBC, CFB
  buff = ASCIIEncoding.ASCII.GetBytes(password);
  string result = 
    Convert.ToBase64String(
      des.CreateEncryptor().TransformFinalBlock(
        buff, 0, buff.Length)
    );
  return result;
}


Now the code required to get a user by ID/Password

public static User FindUserByUserIDAndPassword(IEcoServiceProvider serviceProvider, 
  string userID, string password)
{
  string query = 
    string.Format("->select(userID.sqlLikeCaseInsensitive('{0}'))",
      BusinessClassesHelper.EscapeOcl(userID));
 
  User user = 
    BusinessClassesHelper.SelectFirstObject(serviceProvider, "User", query);

  if (user != null && user.EncryptPassword(password) == user.PasswordHash)
    return user;
  return null;
}


The BusinessClassesHelper is a class with static methods to help with OCL operations, such as escaping user input values to avoid OCL injection.

using System;
using System.Collections.Generic;
using System.Text;
using Eco.ObjectRepresentation;
using Eco.Services;
using Eco.Handles;

namespace xxxxxxxxxxxxxxx
{
   public static class BusinessClassesHelper
   {
       public static string EscapeOcl(string ocl)
       {
           if (string.IsNullOrEmpty(ocl))
               throw new ArgumentNullException("ocl");

           ocl = ocl.Replace("\\", "\\\\");
           ocl = ocl.Replace("'", "\\'");
           return ocl;
       }

       public static T SelectFirstObject(IEcoServiceProvider serviceProvider,
         string className, string criteria)
       {
           if (serviceProvider == null)
               throw new ArgumentNullException("serviceProvider");
           if (string.IsNullOrEmpty(className))
               throw new ArgumentNullException("className");
           if (criteria == null)
               throw new ArgumentNullException("criteria");
         
           IOclPsService psService = 
             EcoServiceHelper.GetOclPsService(serviceProvider);
           IOclService oclService = 
             EcoServiceHelper.GetOclService(serviceProvider);

           IObjectList result = 
             psService.Execute(className + ".allInstances" + criteria);
           result = 
             oclService.Evaluate(className + ".allLoadedObjects" + criteria) as IObjectList;
           if (result.Count == 0)
               return default(T);
           else
               return (T)result[0].AsObject;
       }
   }
}

Comments

Post a Comment

Popular posts from this blog

Connascence

-
I’ve just finished reading What every programmer should know about object oriented design . The first couple of sections are a bit useless really, but the 3rd section is very good. I particularly liked the section on the difference types of connascence in software. There’s some basic information about it here if you fancy a brief overview of what it is about. It’s a really good book, I recommend you read it! Should only take a day if you only read the 3rd section.
Read more

Convert absolute path to relative path

-
Today I needed to convert an absolute path to a relative path based on a specified base path. E.g. c:\a\b\c -> c:\a\b\c\d\file.txt = d\file.txt c:\a\b\c -> c:\a\file.txt = ..\..\file.txt c:\a\b\c -> c:\a\x\file.txt = ..\..\x\file.txt I am surprised there is nothing in the .NET framework so I had a hunt around and converted the code from the following URL ( http://www.vergentsoftware.com/blogs/ckinsman/default.aspx?date=2006-08-07 ) into C#.... private string RelativePath(string absolutePath, string relativeTo) { string[] absoluteDirectories = absolutePath.Split('\\'); string[] relativeDirectories = relativeTo.Split('\\'); //Get the shortest of the two paths int length = absoluteDirectories.Length < relativeDirectories.Length ? absoluteDirectories.Length : relativeDirectories.Length; //Use to determine where in the loop we exited int lastCommonRoot = -1; int i
Read more

Printing bitmaps using CPCL

-
I've had no end of grief trying to print a PCX to a Zebra Printer using the CPCL printer language. Silly me, didn't notice the EG command (expanded graphics) so there was no need to convert my BMP to a PCX and then struggle with binary data. I still had a bit of grief working out how to print using the EG command because the documentation is quite frankly crap. The expected command format is EG {WidthInBytes} {HeightInPixels} {XPos} {YPos} {Data}\r\n The printer expects a 1 bit pixel matrix. So if pixel(0, 0) is set you will set "80" in the data. If pixel(0, 0) is set and pixel (7, 0) is also set you would sent "81". Basically what you need to do is to read each set of 8 horizontal pixels and then use bit operations to create a byte value 0..255, and then output this as hex 00..FF. Here's the routine :-) public void DrawBitmap(Bitmap bmp, int xPosition, int yPosition) { if (bmp == null) throw new ArgumentNullException("bmp");
Read more