
.NET Forum / .NET Framework / Security / January 2006


Mail merge with an MD5 hash.

jay@gloryfish.org - 19 Jan 2006 16:54 GMT
Hello all. I'm working on a project for a community college which
allows the Alumni to update their contact information over the web. We
would like to mail the Alumni a physical letter which has the link to
the web form that collects the data. The Alumni then will enter in
their ID number which would allow them to update their account.

I would also like to include an MD5 hash of their ID number and a
private key. This would prevent anyone from viewing or modifying
someone else's records.

What would be the best way to generate the MD5s so that they can be
easily added to the mail merge?

Thanks for your time,
-Jay
Dominick Baier [DevelopMentor] - 19 Jan 2006 17:02 GMT
> I would also like to include an MD5 hash of their ID number and a private
key. This would prevent anyone from viewing or modifying someone else's records.

can you explain?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello all. I'm working on a project for a community college which
> allows the Alumni to update their contact information over the web. We
[quoted text clipped - 11 lines]
> Thanks for your time,
> -Jay
jay@gloryfish.org - 19 Jan 2006 18:10 GMT
The physical letter sent to the Alumnus will include their Personal
Identification Number and an MD5 hash of their PIN + a private key
stored on the web server.

When they attempt to log in, the website verifies that the hash they
provide is correct.

If someone attempted to use another person's pin they would not be able
to log in because they would have no way of generating the correct MD5
hash.

Obviously, I know, no encryption is uncrackable, but this will prevent
trivial attempts at using the system as a searchable directory of Alumni
contact information.
Dominick Baier [DevelopMentor] - 19 Jan 2006 19:37 GMT
Hi,

why all the hassle with the private key - give them a password (or a pin)
- store the SHA1/256 hash of it in your db.

When they log in with the pwd/pin - create a hash from that and compare with
the stored value...

In 1.1 use the PasswordDeriveBytes class, in 2.0 the Rfc2898DeriveBytes

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> The physical letter sent to the Alumnus will include their Personal
> Identification Number and an MD5 hash of their PIN + a private key
[quoted text clipped - 10 lines]
> trivial attempts at using the system as a searchable directory of
> Alumni contact information.
jay@gloryfish.org - 31 Jan 2006 16:50 GMT
The issue with that method is that our PIN number is basically their
Alumni ID number. If we only required that from them, then anyone could
simply enter a different PIN and possibly view another person's record.

By storing the PIN as a hash in our db we would simply be obscuring it.
That isn't needed as the PIN is not private information.

By making the user provide their PIN as well as a password(PIN +
Private Key => hashed) we get authentication credentials that can only
be supplied by us. There would be no way for a savvy user to generate
their own.  Also, we are saved the added overhead of storing the hash
in the db. Instead we just generate it as needed for the mailings.

All that being said, it was a pretty simple task to write an applet
that generates the keys needed and then import that into an Excel file
for our College Foundation.

I flag this as <complete>.
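The scheme Jay settles on (a server-held secret, a per-record token printed on the letter next to the PIN, verified at login) is easy to get right with a keyed MAC rather than a bare MD5 of PIN + key. The following is an added example, not code from the thread or from any of the posters; it uses HMAC-SHA256, assumes a constructed placeholder key and constructed alumni IDs, and truncates the token to 32 hex characters so it stays about as typeable as the MD5 value discussed above (the .NET 2.0 equivalent would be System.Security.Cryptography.HMACSHA256).

```python
import csv
import hashlib
import hmac
import io

# Server-side secret. Constructed placeholder for this example; in a real
# deployment it is loaded from protected configuration on the web server
# and never written into the mail-merge spreadsheet.
SERVER_KEY = b"constructed-example-key-not-for-production"

# Length of the printed token in hex characters (assumption: 32, i.e. 128 bits,
# the same width as the MD5 output the thread was going to print).
TOKEN_HEX_LEN = 32


def make_token(pin: str, key: bytes = SERVER_KEY) -> str:
    """Token printed on the letter beside the PIN.

    HMAC is built for the "only the holder of the key can mint this" property
    Jay wants, so its security does not depend on how PIN and key are
    concatenated or on MD5's (broken) collision resistance.
    """
    mac = hmac.new(key, pin.encode("utf-8"), hashlib.sha256).hexdigest()
    return mac[:TOKEN_HEX_LEN]


def verify_token(pin: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Login check: recompute the token and compare in constant time.

    Tolerates the case and surrounding whitespace a user is likely to type
    from a paper letter; compare_digest avoids leaking a match prefix via
    timing.
    """
    expected = make_token(pin, key)
    return hmac.compare_digest(expected, token.strip().lower())


def mail_merge_csv(pins) -> str:
    """Emit the (PIN, Token) CSV the Foundation imports for the mail merge."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["PIN", "Token"])
    for pin in pins:
        writer.writerow([pin, make_token(pin)])
    return buf.getvalue()


# Constructed sample alumni ID numbers.
SAMPLE_PINS = ["100234", "100235", "100236"]

if __name__ == "__main__":
    print(mail_merge_csv(SAMPLE_PINS))
```

Because possession of the letter is the credential, the login endpoint should also rate-limit failed PIN/token pairs, and the key can be rotated per mailing so a leaked spreadsheet only exposes that batch.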

©2008 Advenet LLC   Privacy Policy - Terms of Use