
First, a few basic concepts

1. Pseudo-random numbers: a pseudo-random number generator (PRNG) produces numbers by running a fixed algorithm on a computer. "Pseudo" does not mean the numbers are fake; it means they have an underlying regularity. A computer-generated pseudo-random sequence is therefore both random and regular: part of it appears to follow no rule at all, while another part follows a definite rule. An analogy: "no two leaves in the world have exactly the same shape" expresses the randomness of things, yet the leaves of any one tree have similar shapes, and that commonality is their regularity. Seen this way, it is easier to accept that a computer can only generate pseudo-random numbers, never absolutely random ones.

2. True random numbers: a true random number generator (TRNG) produces random numbers from an unpredictable physical process.

3. Plaintext: the original password, that is, the password before any algorithm has been applied to it.

4. Ciphertext: the value produced after the original password has been transformed by some algorithm.

Second, C# salt + hash encryption rules

Rule: the salt (a pseudo-random value) and the original password are combined into one plaintext string, and that string is then passed through a hash algorithm to produce the ciphertext. For example:

Assume the pseudo-random salt value is: 9de74893-0b41-4f4e-91dc-06f62241b8bc

The original plaintext is: admin

Combination rule: original plaintext + salt pseudo-random value, i.e. admin9de74893-0b41-4f4e-91dc-06f62241b8bc

Hash-encrypted ciphertext (Base64): urffo/iwz912e2gxl4kiczbosuz6tdlpmk7ldrvvdyk=

The resulting database row (shown as an image in the original) holds the user name, the Base64 hash and the salt:

Third, how the C# salt generates a pseudo-random number

Step 1: import the namespace: using System;

Step 2: call the NewGuid() method of the Guid structure;

Step 3: in code: string strSalt = Guid.NewGuid().ToString();

Note: you can of course also call methods of the Random class to generate pseudo-random numbers.

Fourth, the hash principle

A hash is an irreversible (one-way) algorithm, and C# offers many hash algorithms. The main ones are listed below:

1. MD5

2. The SHA family: the US government previously used the SHA-1 algorithm widely, but in 2005 Professor Wang Xiaoyun of Shandong University, China, found a security weakness in it, so the longer SHA variants such as SHA-256 are now more commonly used. In .NET you can use the SHA256Managed class.

3. The key code is as follows:

// Namespaces needed at the top of the ASP.NET code-behind file
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Click handler of the registration button (method on the Page class)
protected void btnRegister_Click(object sender, EventArgs e)
{
    // User name and password entered in the form
    string userName = this.TextBoxUserName.Text;
    string userPwd = this.TextBoxPwd.Text;
    // Salt: a fresh GUID for every registration
    string strSalt = Guid.NewGuid().ToString();
    // SHA-256 over (password + salt), stored as a Base64 string
    byte[] pwdAndSalt = Encoding.UTF8.GetBytes(userPwd + strSalt);
    byte[] hashBytes = new SHA256Managed().ComputeHash(pwdAndSalt);
    string hashStr = Convert.ToBase64String(hashBytes);
    // Parameterised INSERT: user name, hash and salt are bound, never concatenated
    StringBuilder strBuild = new StringBuilder();
    strBuild.Append("insert into userinfo (");
    strBuild.Append("username, userpassword, salt) values (");
    strBuild.Append("@username, @hashstr, @strsalt)");
    SqlParameter[] sqlPara = {
        new SqlParameter("@username", SqlDbType.NVarChar, 50),
        new SqlParameter("@hashstr", SqlDbType.NVarChar, 50),   // Base64 of 32 bytes is 44 chars
        new SqlParameter("@strsalt", SqlDbType.NVarChar, 50)
    };
    sqlPara[0].Value = userName;
    sqlPara[1].Value = hashStr;
    sqlPara[2].Value = strSalt;
    // Get the connection string from Web.config
    string sqlConStr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
    using (SqlConnection con = new SqlConnection(sqlConStr))
    {
        con.Open();
        SqlCommand cmd = new SqlCommand(strBuild.ToString(), con);
        cmd.Parameters.AddRange(sqlPara);
        if (cmd.ExecuteNonQuery() > 0)
        {
            Response.Write("<script>alert('Registration succeeded!')</script>");
        }
        else
        {
            Response.Write("<script>alert('Registration failed!')</script>");
        }
    }
}
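The registration code above stores the hash and the salt but never shows the other half of the scheme, verification at login. The following is an added example, not code from the original post; it is written in Python rather than C# so that it runs stand-alone, and it reproduces the same construction (SHA-256 over UTF-8 of password + salt, Base64-encoded) so the hash of the article's sample values "admin" and the GUID salt can be recomputed. The function names, the in-memory dictionary standing in for the userinfo table, and the choice of secrets.token_hex instead of a GUID for new salts are all this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Sample values taken from the article's worked example (salt and plaintext).
SAMPLE_SALT = "9de74893-0b41-4f4e-91dc-06f62241b8bc"
SAMPLE_PASSWORD = "admin"


def hash_password(password: str, salt: str) -> str:
    """SHA-256 over UTF-8(password + salt), Base64-encoded.

    Mirrors the C# sequence Encoding.UTF8.GetBytes -> SHA256Managed.ComputeHash
    -> Convert.ToBase64String, with the same password-then-salt order.
    """
    digest = hashlib.sha256((password + salt).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_salt() -> str:
    """Fresh per-user salt from the OS cryptographic RNG (assumption: this
    replaces the article's Guid.NewGuid().ToString(); a dedicated CSPRNG call
    is the cleaner choice because its only job is to be unpredictable)."""
    return secrets.token_hex(16)


def register(store: dict, username: str, password: str) -> None:
    """Store the Base64 hash and the salt, as the article's INSERT does."""
    salt = new_salt()
    store[username] = {"userpassword": hash_password(password, salt), "salt": salt}


def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = store.get(username)
    if row is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal whether the account exists.
        hash_password(password, SAMPLE_SALT)
        return False
    candidate = hash_password(password, row["salt"])
    return hmac.compare_digest(candidate, row["userpassword"])


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the userinfo table
    register(users, "alice", SAMPLE_PASSWORD)
    print(users["alice"])
    print("login ok:", verify(users, "alice", SAMPLE_PASSWORD))
    print("wrong password:", verify(users, "alice", "Admin"))
```

Two details worth noting: the comparison uses hmac.compare_digest rather than ==, so the time taken does not depend on how many leading characters match, and two users who pick the same password get different stored hashes because each gets a different salt. SHA-256 itself is a fast function; production systems use the same salt-and-verify structure with a deliberately slow password hash (PBKDF2, bcrypt or Argon2) so that guessing is expensive.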

Fifth, common C# encryption algorithms

MD5, the SHA family, RSA and DES. The current mainstream is RSA, used for example in digital signatures. This post does not go into them; these four types of algorithm will be discussed in detail later.

Common password cracking algorithms

The simplest and most common cracking methods are the dictionary attack and the brute-force attack. Put plainly, both methods guess the password.

Dictionary and brute-force cracking are both inefficient. If you know the hash of the password stored in the database, you can use a more efficient method: the lookup table. Variants such as reverse lookup tables and rainbow tables work on a similar principle. Let us look at how a lookup table works.

A lookup table does not guess passwords the way dictionary and brute-force cracking do. It first computes the hash values of the more commonly used passwords and builds a table from them; the more passwords, the bigger the table. When you know the hash value of a password, you only need to look that hash up in the table; if it is found, you know the corresponding password.
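To make the lookup-table principle concrete, and to show why the salt in the earlier sections defeats it, here is an added example that is not part of the original post. It is written in Python; the six-entry "common password" list and the two leaked database rows are constructed for the demonstration, and the function names are this example's own. A real table would hold millions of entries, but the mechanism is the same.

```python
import base64
import hashlib
import secrets

# Constructed stand-in for a list of common passwords.
COMMON_PASSWORDS = ["123456", "password", "admin", "qwerty", "letmein", "welcome"]


def sha256_b64(text: str) -> str:
    """Unsalted SHA-256, Base64-encoded (the encoding the article uses)."""
    return base64.b64encode(hashlib.sha256(text.encode("utf-8")).digest()).decode("ascii")


def build_lookup_table(passwords) -> dict:
    """Precompute hash -> password once, up front, independent of any victim."""
    return {sha256_b64(p): p for p in passwords}


def lookup(table: dict, stolen_hash: str):
    """One dictionary lookup per stolen hash; no guessing at all."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: str) -> str:
    """The article's construction: hash over password + salt."""
    return sha256_b64(password + salt)


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leaked" rows: one stored unsalted, one stored with a salt.
    unsalted_row = sha256_b64("admin")
    salt = secrets.token_hex(16)
    salted_row = salted_hash("admin", salt)
    return {
        "table_entries": len(table),
        "unsalted_recovered": lookup(table, unsalted_row),  # found: "admin"
        "salted_recovered": lookup(table, salted_row),      # not found: None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted row is recovered immediately because its hash was computed before the database was ever seen. The salted row is not in the table: the salt was unknown when the table was built, so the precomputation is wasted and would have to be redone per user. That is the whole benefit of the salt, and also its limit: it removes the precomputed shortcut but does not make individual guesses slower, which is why a slow password hash is layered on top of it in practice.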

Why use a hash for encryption

If you need to save passwords (for example website user passwords), you have to consider how to protect the password data. Writing the password directly into the database is extremely insecure, because anyone who opens the database can read these passwords directly.

The solution is to encrypt the password before storing it in the database. The most common way to do this is a hash function. You can look up the formal definition of a hash function online or in the relevant books; generally speaking, its characteristics are as follows:

(1) Running the original password through a hash function yields a hash value.

(2) If the original password changes, the hash value computed by the hash function changes accordingly.

(3) The same password always yields the same hash value.

(4) The hash function is one-way and irreversible: from the hash value you cannot work out what the original password was.

With a hash function, we store the hash of the password in the database. When a user logs in to the website, we check whether the hash of the password the user entered matches the hash stored in the database.

Since the hash function is irreversible, even someone who opens the database cannot see what the user's password is.

Is it safe to store a password hashed this way? Refer to point 6: it turns out not to be safe on its own. Only adding a salt is safe, because the salt is randomly generated.
