 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / January 2006hashed password and UsernameTokenManager
Hi, I'm using WSE3 username/password over certificate - I can implement my own (test) UsernameTokenManager like this: public class MyUsernameTokenManager : UsernameTokenManager { ... protected override string AuthenticateToken( UsernameToken token, string authenticatedPassword ) { // for clear text passwords return token.Password; // This is just for test purposes } } This works fine. If however I want to send hashed passwords using PasswordOption.SendHashed, what do I need to return from AuthenticateToken? Returning token.PasswordDigest.ToString() doesn't work. Regards Phil Lee Hi Phil, You have to return the original password. You will have to get it from somewhere, e.g. a database. WSE computes a hash with the password that you returns and then compares that hash with the Usernametoken's hash. Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > Hi, > [quoted text clipped - 23 lines] > Regards > Phil Lee Hi Phil, I agree with Pablo, the "AuthenticateToken" method of the custom UsernameTokenManager require us to return the correct CLEAR TEXT password... (so that the runtime will use it for sequential decrypting or sigining....) So in other words, this is usually used when the account database is a custom storage ( a relational database table....) or in xml file.... And it's not usable for windows security authority since no clear text password is available... Please feel free to post here if there're anything else unclear. Regards, Steven Cheng Microsoft Online Support  SignatureGet Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.) -------------------- From: "Pablo Cibraro" <pcibraro@hotmail.com> References: <Or4PeYGEGHA.1508@TK2MSFTNGP15.phx.gbl> Subject: Re: hashed password and UsernameTokenManager Date: Tue, 3 Jan 2006 17:02:40 -0300 Lines: 44 X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-RFC2646: Format=Flowed; Response Message-ID: <O$CZhCKEGHA.1028@TK2MSFTNGP11.phx.gbl> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements NNTP-Posting-Host: 200.123.99.98 Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:8027 X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements Hi Phil, You have to return the original password. You will have to get it from somewhere, e.g. a database. WSE computes a hash with the password that you returns and then compares that hash with the Usernametoken's hash. Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > Hi, > [quoted text clipped - 23 lines] > Regards > Phil Lee Steven, isn't is best practice to store a password equivalent and not a clear text password in the database? I suppose I can just send a password marked as cleartext but it would have actually been hashed on the client. I could then salt and hash again before storing in the database. I'm using this article http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/secu rusernametoken.asp for inspiration. Regards Phil Lee > Hi Phil, > [quoted text clipped - 74 lines] >> Regards >> Phil Lee Thanks for your response Phil, Yes, storing password hash is the best practice... However, the cleartext mentioned here is just what the value which is used to construct the UsernameToken at clientside... Because when it used usernametoken or derived token to encrypte or sign the message, we'll need the original cleartext value to construct the token key and decrypte the message.... Thus, if your custom security database stores only password hash, you need to also use hashed password text to construct the username token... Thanks, Steven Cheng Microsoft Online Support SignatureGet Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.) -------------------- From: "Phil Lee" <phil.lee@newsgroups.nospam> References: <Or4PeYGEGHA.1508@TK2MSFTNGP15.phx.gbl> <O$CZhCKEGHA.1028@TK2MSFTNGP11.phx.gbl> <o0$XGHPEGHA.1236@TK2MSFTNGXA02.phx.gbl> Subject: Re: hashed password and UsernameTokenManager Date: Thu, 5 Jan 2006 15:00:34 -0000 Lines: 103 X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2900.2670 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 X-RFC2646: Format=Flowed; Original Message-ID: <OT$EIjgEGHA.3728@tk2msftngp13.phx.gbl> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements NNTP-Posting-Host: host86-132-72-9.range86-132.btcentralplus.com 86.132.72.9 Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:8051 X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements Steven, isn't is best practice to store a password equivalent and not a clear text password in the database? I suppose I can just send a password marked as cleartext but it would have actually been hashed on the client. I could then salt and hash again before storing in the database. I'm using this article http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/ securusernametoken.asp for inspiration. Regards Phil Lee > Hi Phil, > [quoted text clipped - 74 lines] >> Regards >> Phil Lee Steven, this is what I have implemented: Client: proxy.SetClientCredential( new UsernameToken( "name", "base 64 encoded MD5 hashed password", PasswordOptions.SendPlainText ) ); Server: string AuthenticateToken(UsernameToken token) { lookup salt and iteratively hashed salted password equivalent from DB salt and iteratively hash token.Password if they match then return token.Password. } But I am still confused as to the reason for having PasswordOptions.SendHashed. I will have to tell clients of the web service that it's good practice to send a password equivalent and not the cleartext password, but I can't force them to. Regards Phil Lee > Thanks for your response Phil, > [quoted text clipped - 132 lines] >>> Regards >>> Phil Lee Thanks for your response Phil, I think your current implementation is good according to the custom UsernameTokenmanager model. And as for the PasswordOptions.SendHashed, from the WSE documentation, you can find that it just use SHA1 to hash the password, which provide a buildin option for you to hash the password in case that some application directly store original clear text password (also let user input at client) in db.... Regards, Steven Cheng Microsoft Online Support SignatureGet Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.) -------------------- From: "Phil Lee" <phil.lee@newsgroups.nospam> References: <Or4PeYGEGHA.1508@TK2MSFTNGP15.phx.gbl> <O$CZhCKEGHA.1028@TK2MSFTNGP11.phx.gbl> <o0$XGHPEGHA.1236@TK2MSFTNGXA02.phx.gbl> <OT$EIjgEGHA.3728@tk2msftngp13.phx.gbl> <BERz8onEGHA.3764@TK2MSFTNGXA02.phx.gbl> Subject: Re: hashed password and UsernameTokenManager Date: Tue, 10 Jan 2006 13:47:57 -0000 Lines: 184 X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2900.2670 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 X-RFC2646: Format=Flowed; Original Message-ID: <#JXp2xeFGHA.1032@TK2MSFTNGP11.phx.gbl> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements NNTP-Posting-Host: host86-132-72-9.range86-132.btcentralplus.com 86.132.72.9 Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:8085 X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements Steven, this is what I have implemented: Client: proxy.SetClientCredential( new UsernameToken( "name", "base 64 encoded MD5 hashed password", PasswordOptions.SendPlainText ) ); Server: string AuthenticateToken(UsernameToken token) { lookup salt and iteratively hashed salted password equivalent from DB salt and iteratively hash token.Password if they match then return token.Password. } But I am still confused as to the reason for having PasswordOptions.SendHashed. I will have to tell clients of the web service that it's good practice to send a password equivalent and not the cleartext password, but I can't force them to. Regards Phil Lee > Thanks for your response Phil, > [quoted text clipped - 46 lines] > before > storing in the database. I'm using this article http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/ > securusernametoken.asp > for inspiration. [quoted text clipped - 85 lines] >>> Regards >>> Phil Lee > Thanks for your response Phil, > [quoted text clipped - 5 lines] > Thus, if your custom security database stores only password hash, you need > to also use hashed password text to construct the username token... Note that if you hash the password in the client by giving the hashed password to UsernameToken, then the hashed password *becomes the password*. If you do this, then IMO it is pointless to store the password hash in the database. Regards, Sami > Thanks, > > Steven Cheng > Microsoft Online Support Sami, As you say an MD5 hashed password in the UsernameToken is a password itself (or password equivalent). The reason for further hashing and salting the already hashed password is to make offline dictionary attacks more difficult if someone manages to steal the database. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/secu rusernametoken.asp There are dictionaries of pre-hashed common passwords available which means discovering passwords from non-salted password hashes is easy if you have the database. This is why salting and iterative hashing is used. If someone has stolen your database why bother about them getting the passwords? Because people tend to use the same password on more than one site, so you are preventing the hacker getting easy access to more sites. The reason for hashing the password on the client is to provide a simple level of protection if someone hacks inside your secure channel (which is encrypted of course) and can get access to the unencrypted data. If this happens then your pretty stuffed though. Phil >> Thanks for your response Phil, >> [quoted text clipped - 19 lines] >> Steven Cheng >> Microsoft Online Support Yes, I agree. It does give a level of protection as users tend to use the same or similar passwords on multiple sites. Regards, Sami > Sami, > [quoted text clipped - 45 lines] >>> Steven Cheng >>> Microsoft Online Support Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.