How can I check a password Hash in WSE 2.0


  1. #1

    How can I check a password Hash in WSE 2.0

    For example:

    Client

    token = new UsernameToken("juan", "1111", PasswordOption.SendPlainText);

    Server

    protected override string AuthenticateToken( UsernameToken token )
    {
        string ncadena = "1111";
        return ncadena;
    }

    This sample works well, but if the password is SendHashed the sample doesn't.

    Client

    token = new UsernameToken("juan", "1111", PasswordOption.SendHashed);

    Server

    protected override string AuthenticateToken( UsernameToken token )
    {
        string ncadena = "1111";
        return ncadena;
    }

    I can't find an example for this problem.
    Thanks,




    Juan Irigoyen Guest

  3. #2

    Re: How can I check a password Hash in WSE 2.0

    You need to have the original data (in this case the password), so that you
    can perform the same hashing algorithm against the data, get the resultant
    hash, and then compare your computed hash against the supplied one.

    Hashing is not reversible in that you cannot reverse hash it to get the
    password or original data. Bottom line, you need the original password to
    compare against OR you simply store hashes in the database against the user's
    profile, so that you never actually store passwords, only ever hashes of the
    passwords that are used for comparison.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET



    Paul Glavich [MVP - ASP.NET] Guest

  4. #3

    Re: How can I check a password Hash in WSE 2.0

    Yes, but how do I perform the same hashing? I tried the following code, but it
    is not working.

    string ncadena = HashPassword(Convert.ToBase64String(token.Nonce), token.Created, "1111");

    // Requires: using System.Security.Cryptography;
    private string HashPassword(string nnonce, DateTime nfecha, string npassword)
    {
        // Encode the three inputs as UTF-8 bytes
        byte[] n = System.Text.Encoding.UTF8.GetBytes(nnonce);
        byte[] c = System.Text.Encoding.UTF8.GetBytes(nfecha.ToString());
        byte[] p = System.Text.Encoding.UTF8.GetBytes(npassword);

        // Concatenate nonce + created + password
        byte[] toBeDiges = new byte[n.Length + c.Length + p.Length];
        Array.Copy(n, 0, toBeDiges, 0, n.Length);
        Array.Copy(c, 0, toBeDiges, n.Length, c.Length);
        Array.Copy(p, 0, toBeDiges, (n.Length + c.Length), p.Length);

        Array.Clear(p, 0, p.Length);

        // SHA-1 over the concatenation, returned as Base64
        SHA1 hash = SHA1.Create();
        byte[] digest = hash.ComputeHash(toBeDiges);

        Array.Clear(toBeDiges, 0, toBeDiges.Length);

        return Convert.ToBase64String(digest);
    }




    Juan Irigoyen Guest

  5. #4

    Re: How can I check a password Hash in WSE 2.0

    After reading the documentation on WSE2.0, it seems you only need to return
    the actual password as part of the AuthenticateToken method that you
    override, and WSE2 will create a hash, and compare it with the one that was
    passed. The documentation is quoted below :-

    ************************************
    The SHA-1 hash of the password is sent in the SOAP message. This is the best
    way to help protect the password. When a SOAP message is received with a
    UsernameToken, WSE calls the AuthenticateToken method of the class deriving
    from UsernameTokenManager that is registered in the configuration file. The
    AuthenticateToken method returns a password or password equivalent, which
    WSE creates a SHA-1 hash from. That SHA-1 hash is compared to the one in the
    SOAP message and if they are identical, the hashed password is deemed valid.
    ************************************

    Not much help I know but here are some links that may help.

    http://blogs.geekdojo.net/justin/archive/2004/06/03/2139.aspx
    http://dotnetjunkies.com/WebLog/softwaremaker/
    --
    - Paul Glavich
    Microsoft MVP - ASP.NET



    Paul Glavich [MVP - ASP.NET] Guest
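
The comparison described in the documentation quoted in post #4, written out as an added example (not code from the thread or from WSE itself). It follows the WS-Security UsernameToken digest rule and shows why the attempt in post #3 produces a different value. The class and method names are hypothetical, the sample nonce and timestamp are constructed, and a current .NET runtime is assumed for `CryptographicOperations`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UsernameTokenDigest
{
    // WS-Security UsernameToken profile:
    //   Password_Digest = Base64( SHA-1( nonce + created + password ) )
    // nonce   = the decoded bytes of <wsse:Nonce>, not its Base64 text
    // created = the exact text of <wsu:Created> as sent on the wire
    public static string Digest(byte[] nonce, string created, string password)
    {
        byte[] c = Encoding.UTF8.GetBytes(created);
        byte[] p = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[nonce.Length + c.Length + p.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(c, 0, input, nonce.Length, c.Length);
        Buffer.BlockCopy(p, 0, input, nonce.Length + c.Length, p.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // Server-side check: recompute from the stored password and compare
    // in constant time so the comparison does not leak matching prefixes.
    public static bool Verify(string received, string nonceB64, string created, string stored)
    {
        try
        {
            byte[] nonce = Convert.FromBase64String(nonceB64);
            byte[] expected = Convert.FromBase64String(Digest(nonce, created, stored));
            byte[] actual = Convert.FromBase64String(received);
            return CryptographicOperations.FixedTimeEquals(expected, actual);
        }
        catch (FormatException) { return false; } // malformed Base64 is a failed login
    }

    static void Main()
    {
        // Constructed sample values, not taken from a real SOAP message.
        string nonceB64 = Convert.ToBase64String(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 });
        string created = "2004-06-14T10:15:00Z";
        string sent = Digest(Convert.FromBase64String(nonceB64), created, "1111");
        Console.WriteLine("correct password: " + Verify(sent, nonceB64, created, "1111"));
        Console.WriteLine("wrong password:   " + Verify(sent, nonceB64, created, "2222"));
        // Inputs handled as in post #3: Base64 text of the nonce and
        // DateTime.ToString() instead of the wire string.
        string post3 = Digest(Encoding.UTF8.GetBytes(nonceB64), DateTime.Parse(created).ToString(), "1111");
        Console.WriteLine("post #3 variant matches: " + (post3 == sent));
    }
}
```

Because the digest is computed over the password itself, the server must hold the password (or the same password equivalent the client hashed) to recompute it.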
