ASP.NET Core Security by null

Author:null [null]
Language: eng
Format: epub
Publisher: Manning Publications
Published: 2022-07-25T00:00:00+00:00


The size (in bytes) of the salt (it’s also possible to provide a custom salt).

The number of iterations the algorithm should use. The more iterations, the more secure the hash, but the longer hashing takes. This value is optional, but we will set it, and you will see why in a bit.

The following listing shows a username/password form that mimics the two essential aspects of using a password hash: generating the hash upon registration and validating the hash upon login.

Listing 8.1 The combined registration/login form as a Razor Page

@page
@model HashingModel
<div class="text-center">
    <h1 class="display-4">Password Hashing</h1>
    <div class="mt-5 mb-5">
        <form method="post" action="">
            <div class="form-group">
                <label class="control-label" for="UserName">User name</label>
                <input type="text" id="UserName" name="UserName" class="form-control" value="@Model.UserName" />   @* ❶ *@
            </div>
            <div class="form-group">
                <label class="control-label" for="Password">Password</label>
                <input type="password" id="Password" name="Password" class="form-control" value="@Model.Password" />   @* ❷ *@
            </div>
            <div class="form-group">
                <label class="control-label" for="HashToVerify">Hash to verify</label>
                <input type="text" id="HashToVerify" name="HashToVerify" class="form-control" value="@Model.HashToVerify" />   @* ❸ *@
            </div>
            <div class="form-group">
                <label class="control-label" for="SaltToVerify">Salt to verify</label>
                <input type="text" id="SaltToVerify" name="SaltToVerify" class="form-control" value="@Model.SaltToVerify" />   @* ❹ *@
            </div>
            <div class="form-group">
                <input type="submit" asp-page-handler="Register" value="Register" class="btn btn-primary" />   @* ❺ *@
                <input type="submit" asp-page-handler="Login" value="Login" class="btn btn-primary" />   @* ❻ *@
            </div>
        </form>
    </div>
    <div class="mb-3">
        @Model?.Message
    </div>
</div>

❶ Shows the username field

❷ Shows the password field

❸ Shows the hash field (for mimicking the login)

❹ Shows the salt field (for mimicking the login)

❺ Shows the Registration button

❻ Shows the Login button

The form fields are filled with the values from the model, including the password field. That’s not best practice, of course, but it helps us test the hash creation and verification without any extra copy-and-paste efforts. The associated page model class is shown in the next listing.

Listing 8.2 The page model class for the combined registration/login form

using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace AspNetCoreSecurity.RazorSamples.Pages
{
    public class HashingModel : PageModel
    {
        public string Message { get; set; } = string.Empty;

        [BindProperty]
        public string UserName { get; set; } = string.Empty;

        [BindProperty]
        public string Password { get; set; } = string.Empty;

        [BindProperty]
        public string HashToVerify { get; set; } = string.Empty;

        [BindProperty]
        public string SaltToVerify { get; set; } = string.Empty;

        public void OnPostRegister()   // ❶
        {
            // TODO
        }

        public void OnPostLogin()   // ❷
        {
            // TODO
        }
    }
}

❶ The Handler method for the Register button

❷ The Handler method for the Login button

We will fill in the blanks—the code that runs after clicking the Register or Login buttons—individually for all the algorithms we will cover. First, the PBKDF2 hash creation:

public void OnPostRegister()
{
    var rfc2898 = new Rfc2898DeriveBytes(   // ❶
        this.Password,                      // the password to hash
        32,                                 // salt size in bytes
        310_000);                           // iteration count
    var hash = Convert.ToBase64String(rfc2898.GetBytes(20));   // ❷
    var salt = Convert.ToBase64String(rfc2898.Salt);           // ❸
    this.HashToVerify = hash;
    this.SaltToVerify = salt;
    this.Message = "Hash created";
}

❶ Instantiates the Rfc2898DeriveBytes class

❷ Pulls out the hash (and Base64-encodes it)

❸ Pulls out the salt (and Base64-encodes it)

The Rfc2898DeriveBytes class creates the hash that is available by calling GetBytes(20), 20 being the default length in bytes of the hash. The automatically generated salt is more conveniently available through the Salt property. Both values are then Base64-encoded and written to the page model properties so that they show up in the form fields.
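The login side of the same flow, as an added example that is not the book's code: it re-derives the PBKDF2 output from the stored salt and compares it to the stored hash in constant time, using the same parameters as the OnPostRegister handler above (32-byte salt, 310,000 iterations, 20-byte hash). The PasswordHasher class, the Register/Verify method names and the sample password are constructed for this example; everything else is standard .NET (Rfc2898DeriveBytes, CryptographicOperations.FixedTimeEquals, C# 8 `using var`).

```csharp
// Added example (not from the book): PBKDF2 registration and login
// verification with the page's parameters, plus a constant-time comparison.
// PasswordHasher, Register, Verify and the sample password are constructed here.
using System;
using System.Security.Cryptography;

public static class PasswordHasher
{
    private const int SaltSize = 32;          // bytes; same as the page
    private const int Iterations = 310_000;   // same as the page
    private const int HashSize = 20;          // bytes; same as the page

    // The page's three-argument constructor defaults to SHA-1 as the PRF.
    // Naming it explicitly keeps the output identical to the page and makes the
    // choice visible; new deployments should prefer HashAlgorithmName.SHA256.
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA1;

    // Registration side: fresh random salt, derived hash, both Base64-encoded
    // exactly as the form fields on the page expect them.
    public static (string Hash, string Salt) Register(string password)
    {
        using var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations, Prf);
        string hash = Convert.ToBase64String(kdf.GetBytes(HashSize));
        string salt = Convert.ToBase64String(kdf.Salt);
        return (hash, salt);
    }

    // Login side: re-derive with the stored salt and compare in constant time.
    // Malformed stored values are treated as a failed login rather than an
    // exception, so edited form fields cannot crash the handler.
    public static bool Verify(string password, string storedHash, string storedSalt)
    {
        byte[] expected;
        byte[] salt;
        try
        {
            expected = Convert.FromBase64String(storedHash);
            salt = Convert.FromBase64String(storedSalt);
        }
        catch (FormatException)
        {
            return false;
        }

        // Reject values whose lengths do not match what Register produces.
        if (expected.Length != HashSize || salt.Length != SaltSize)
        {
            return false;
        }

        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, Prf);
        byte[] actual = kdf.GetBytes(HashSize);

        // FixedTimeEquals does not stop at the first differing byte, so the
        // comparison time does not reveal how much of the hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        const string password = "correct horse battery staple";   // constructed sample

        var (hash, salt) = PasswordHasher.Register(password);
        Console.WriteLine($"hash = {hash}");
        Console.WriteLine($"salt = {salt}");

        Console.WriteLine(PasswordHasher.Verify(password, hash, salt));           // right password
        Console.WriteLine(PasswordHasher.Verify("wrong password", hash, salt));   // wrong password
        Console.WriteLine(PasswordHasher.Verify(password, hash, "not-base64!"));  // tampered salt
    }
}
```

Wiring this into the page model is a matter of calling Verify with this.Password, this.HashToVerify and this.SaltToVerify inside OnPostLogin and setting Message from the result. Two details matter for a real login handler: the iteration count used at registration must be the one used at verification (storing it next to the hash lets you raise it later without locking out existing users), and the comparison must not be a plain `==` on the Base64 strings, which leaks timing.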
