Chrome and IE return different SHA hashes

I wrote a website that uses the SHA-256 hash to verify the user's password. This is a relatively insecure setup to begin with, as most users will have the same username/password. To try to protect it at least a little, I do the following:

  • The client requests a new salt from the server
  • Client hashes password with this salt
  • The client sends the hashed password and the salt back to the server
  • The server hashes the actual password and compares the two

Here is my code:

C#

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;

// Controller name assumed from the 'api/Login' route used by the client
public class LoginController : ApiController
{
    // Just for testing!
    private static Dictionary<string, string> users = new Dictionary<string, string>()
    {
        { "User", "Password" }
    };

    [HttpGet]
    public HttpResponseMessage GetSalt()
    {
        RNGCryptoServiceProvider secureRNG = new RNGCryptoServiceProvider();
        byte[] saltData = new byte[64];
        secureRNG.GetBytes(saltData);

        HttpResponseMessage response = new HttpResponseMessage();
        // The raw random bytes are reinterpreted as UTF-16 text and sent as the salt
        response.Content = new StringContent(Encoding.Unicode.GetString(saltData), Encoding.Unicode);
        return response;
    }

    [HttpGet]
    public bool ValidateUser(string userName, string hashedPassword, string salt)
    {
        SHA256Managed hash = new SHA256Managed();
        if (users.ContainsKey(userName))
        {
            // Same construction as the client: salt + password, hashed as UTF-8
            string fullPassword = salt + users[userName];
            byte[] correctHash = hash.ComputeHash(Encoding.UTF8.GetBytes(fullPassword));
            if (hashedPassword.ToUpper() == BitConverter.ToString(correctHash).Replace("-", ""))
            {
                return true;
            }
        }
        return false;
    }
}
```

JavaScript

```javascript
$scope.login = function () {
    $http.get('api/Login').success(function (salt) {
        // Hash the password with the salt and validate
        var hashedPassword = sjcl.hash.sha256.hash(salt.toString().concat($scope.password));
        var hashString = sjcl.codec.hex.fromBits(hashedPassword);
        $http.get('api/Login?userName=' + $scope.userName + '&hashedPassword=' + hashString + '&salt=' + salt)
            .success(function (validated) {
                $scope.loggedIn = validated;
            });
    });
};
```

This code works fine in Google Chrome, but not in Internet Explorer 11. The problem (as seen in the debugger) is that the hash generated by the JavaScript is different from the one generated by the C#.

I suspect this has something to do with character encoding, but I have not found much on the Internet to prove/refute this theory (or to help with the problem as a whole). If there is a better way to solve this problem, I am glad to hear about it, but I would also like to understand the cause of the original error.

Why are the hashes different, and what can I do to fix this?

javascript c# google-chrome internet-explorer asp.net-web-api2
1 answer

IE does not like Unicode characters in a query string. It also does not like some of the "special" characters that are ASCII. Although it accepts them correctly and hashes correctly when you run this code, the salt is "???????" when it comes out of IE and the correct string when it comes out of Chrome.

A simple fix is to limit the salt character set to upper case, lower case, and numbers. Using this method, both browsers give the correct hash.
