How to Decrypt user's password in LINQ?

  • Question

  • User-1651604128 posted

    In my ASP.NET MVC web app, I need to encrypt and decrypt the user's password, but I have a problem with how to decrypt in LINQ.

    ..............
    /* I get the run-time error below in the code calling "DecodeFrom64". Basically, after the password
       is encrypted in the SQL table, I need to decrypt it here and compare it with the user input to
       validate it, but it seems I cannot use a function here. */

    var users = _dbContext.tbl_Users
        .Where(t => t.USER_NAME == user.Username
                    && DecodeFrom64(t.PASS_WORD) == user.Password) // DecodeFrom64 is a C# method; LINQ-to-SQL cannot translate it, which is where the query fails
        .ToArray();
    if (users.Any(u => DecodeFrom64(u.PASS_WORD).TrimEnd() == user.Password))
    {
        valid = true;
    }
    ...................
    // Decrypt function below
    public string DecodeFrom64(string encodedData)
    {
        // Base64 text -> raw bytes -> UTF-8 string
        System.Text.UTF8Encoding encoder = new System.Text.UTF8Encoding();
        System.Text.Decoder utf8Decode = encoder.GetDecoder();
        byte[] todecode_byte = Convert.FromBase64String(encodedData);
        int charCount = utf8Decode.GetCharCount(todecode_byte, 0, todecode_byte.Length);
        char[] decoded_char = new char[charCount];
        utf8Decode.GetChars(todecode_byte, 0, todecode_byte.Length, decoded_char, 0);
        string result = new String(decoded_char);
        return result;
    }

    Wednesday, June 12, 2019 12:29 PM

All replies

  • User753101303 posted

    Hi,

    LINQ is about translating C# code to SQL, and most likely you have an error because LINQ doesn't know what to do with your client-side DecodeFrom64 function (it's best to always tell us what happens; it could still be some other error than the first problem I see).

    A common approach would be to encode the password on the client side and then do the comparison, i.e. var encodedPassword = EncodeTo64(user.Password); and then

    var users = _dbContext.tbl_Users.Where(t => t.USER_NAME == user.Username && t.PASS_WORD == encodedPassword).ToArray();

    If doing just that, the password is not encrypted at all. Base64 is just a way to write a binary value with printable characters. Rather than writing your own security mechanism it could be better to just use what ASP.NET offers out of the box (have a look at ASP.NET Identity).

    Wednesday, June 12, 2019 12:40 PM
  • User475983607 posted

    Peter, you have a lot of experience on these forums. IMO, we should not have to ask for the error message.

    You have not shared a single line of encryption/decryption code. The code shown is encoding, which is very different from encryption.

    Can you clarify the design and provide the error message?

    Wednesday, June 12, 2019 12:50 PM
  • User-1651604128 posted

    Hi PatriceSc,

    Thanks a lot for your quick response. It seems the client-side DecodeFrom64 function resolves the error in this case; it works well.

    But if this "is not encrypted at all", then I will look for a better solution other than this one.

    Any more info about using ASP.NET Identity as you recommended?

    Much appreciated,

    Wednesday, June 12, 2019 1:28 PM
  • User-474980206 posted
    You should not store passwords that are not encrypted, as this is a major security flaw. The best approach is to store a one-way hash, which cannot be converted back to the original.

    Wednesday, June 12, 2019 2:11 PM
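    The following is an added example, not code from the original posts, that puts together the two points made above: PatriceSc's advice to send LINQ only what it can translate to SQL and do the rest in C#, and bruce's advice to store a one-way hash instead of a reversible encoding. It assumes a tbl_Users entity with USER_NAME and PASS_WORD columns as in the original question, that PASS_WORD now holds the hash record written by PasswordHasher.Hash when the admin creates the user, and that _dbContext.tbl_Users is an IQueryable of that entity. The TblUser class and LoginCheck.IsValid method are hypothetical names chosen for the example; Rfc2898DeriveBytes (PBKDF2) is the real .NET API and the overload with HashAlgorithmName needs .NET Framework 4.7.2 or .NET Core 2.0 and later.

    ```csharp
    using System;
    using System.Linq;
    using System.Security.Cryptography;

    // Hypothetical entity mirroring the poster's tbl_Users; column names taken from the question.
    public class TblUser
    {
        public string USER_NAME { get; set; }
        public string PASS_WORD { get; set; }   // holds "iterations.salt.hash", not the password or an encoding of it
    }

    public static class PasswordHasher
    {
        private const int SaltSize = 16;       // 128-bit random salt, unique per user
        private const int HashSize = 32;       // 256-bit derived key
        private const int Iterations = 100000; // PBKDF2 work factor; raise it as hardware gets faster

        // Run when the admin creates the user: derive a one-way hash and store that, never the password.
        public static string Hash(string password)
        {
            var salt = new byte[SaltSize];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(salt);
            }
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            {
                var hash = kdf.GetBytes(HashSize);
                return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
            }
        }

        // Run at login: recompute with the stored salt and iteration count, then compare in constant time.
        public static bool Verify(string password, string stored)
        {
            var parts = stored.Split('.');
            if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
            var salt = Convert.FromBase64String(parts[1]);
            var expected = Convert.FromBase64String(parts[2]);
            using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            {
                var actual = kdf.GetBytes(expected.Length);
                return FixedTimeEquals(actual, expected);
            }
        }

        // Constant-time comparison so response timing does not reveal how many leading bytes matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    public static class LoginCheck
    {
        // tblUsers stands for _dbContext.tbl_Users from the question (assumed IQueryable<TblUser>).
        public static bool IsValid(IQueryable<TblUser> tblUsers, string username, string password)
        {
            // Only the username comparison goes to SQL; that part LINQ can translate.
            var user = tblUsers.FirstOrDefault(t => t.USER_NAME == username);

            // The hash check runs in C# on the single fetched row, never inside the query,
            // so no C# method has to be translated to SQL.
            return user != null && PasswordHasher.Verify(password, user.PASS_WORD);
        }
    }
    ```

    Because the salt and iteration count travel with each stored hash, the work factor can be raised for new accounts without breaking existing ones, and two users with the same password get different PASS_WORD values. Note that nothing here can be "decrypted": a login is verified by hashing the submitted password the same way and comparing, which is exactly why a one-way hash is preferable to the Base64 approach in the question.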
  • User-1651604128 posted

    Hi bruce, this is a good idea, I appreciate if you can provide some details how to implement it, much appreciated,

    Wednesday, June 12, 2019 2:14 PM
  • User-474980206 posted

    If you don't fully understand how to make a secure login service, why are you not using the built-in user authentication, which has all the best practices?

    Wednesday, June 12, 2019 2:59 PM
  • User753101303 posted

    Using VS you can use https://docs.microsoft.com/en-us/aspnet/visual-studio/overview/2013/creating-web-projects-in-visual-studio#authentication-methods to start with a template that already has "Individual User Accounts" that you can study.

    There is detailed documentation, but I would suggest starting with https://docs.microsoft.com/en-us/aspnet/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity, which shows how it can be customized (or simplified) at will.

    You do have a learning curve depending on your current knowledge, but at least you'll have something standard.

    Not sure, but if I had a programming site I would write about using ASP.NET Identity, from really the smallest required part up to maybe the VS-provided template, so that one can better grasp the basic architecture and how flexible it is.

    Wednesday, June 12, 2019 4:24 PM
  • User-1651604128 posted

    Hi PatriceSc, Thanks a lot for your info,

    Now, let me introduce my issues.

    In my MVC web site project, the user requires that we accept "Guest users", basically users who do not need to sign in with Windows authorization. When the site is opened, any user can access 5 pages of content, but if the user clicks Sign in, the signed-in users can see more stuff, and I also need to capture the user's Windows ID to identify who is Creating, Editing and Deleting a record.

    This is what I did: after the user clicks Log in, I compare against the User table in SQL Server to see if the username and password match the record in the User table (the user's Windows network ID is saved in the user table when the System admin creates that user). If a match is found, then I capture the user's Windows ID (network ID) in a cookie to be used in the following session. So there is no Windows authorization in this case; this may not be the correct way, but the thing is that if I disable Anonymous Authentication, the whole site stops working. I think in my case I have to enable Anonymous Authentication, since the site requires Guest users to view 5 pages which do not require Windows authentication.

    Since I enabled Anonymous Authentication in my case, WindowsIdentity using the default authentication may not work.

    Please correct me if my understanding is wrong or if there is any better solution, much appreciated.

    Tuesday, June 18, 2019 1:44 PM
  • User475983607 posted

    Create two sites. One uses Anonymous Authentication and contains the 5 pages anyone can see. The other is secured by Windows authentication. A user that is authenticated by Windows authentication (when they log in to their system) can visit both sites, while a user that is not authenticated can only visit the anonymous site.

    Tuesday, June 18, 2019 1:51 PM
  • User-474980206 posted
    The standard security supports both anonymous and authenticated access.

    Tuesday, June 18, 2019 2:01 PM
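    As an added illustration of the last reply (this is example code, not from any of the posters), the mix of guest and signed-in access described earlier in the thread is expressed in ASP.NET MVC 5 with the standard [Authorize] and [AllowAnonymous] attributes rather than with a hand-rolled cookie. It assumes the site uses the standard cookie-based authentication that the "Individual User Accounts" template sets up, so that User.Identity.Name is populated for signed-in users while anonymous requests still reach the opened actions; RecordsController and RecordViewModel are hypothetical names for the example.

    ```csharp
    using System;
    using System.Web.Mvc;

    // Hypothetical input model for the Create action.
    public class RecordViewModel
    {
        public string Title { get; set; }
    }

    // Everything in this controller requires a signed-in user by default...
    // (The same default can be applied site-wide with
    //  filters.Add(new AuthorizeAttribute()); in FilterConfig.RegisterGlobalFilters.)
    [Authorize]
    public class RecordsController : Controller
    {
        // ...except the actions explicitly opened to guests, like the public pages in the thread.
        [AllowAnonymous]
        public ActionResult Index()
        {
            return View();
        }

        [AllowAnonymous]
        public ActionResult Details(int id)
        {
            return View();
        }

        // No [AllowAnonymous]: an unauthenticated request is redirected to the login page,
        // so the signed-in identity is guaranteed to be present when this runs.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(RecordViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // The authenticated identity, not a value copied from a home-made cookie,
            // is what gets recorded as the creator of the row.
            string createdBy = User.Identity.Name;
            DateTime createdAt = DateTime.UtcNow;

            // ... persist model.Title, createdBy and createdAt with the data context here ...

            return RedirectToAction("Index");
        }
    }
    ```

    With this layout Anonymous Authentication can stay enabled in IIS for the whole site: the framework, not IIS, decides per action whether a request must carry an authenticated identity, which is what "the standard security supports both anonymous and authenticated access" refers to.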