 Encrypt Password in Database

Nido
Posted: 07/31/2003, 9:50 AM

Hello all,

I am looking for a solution to secure a site which I designed using CC (ASP with templates), IIS4 and SQL 7.

Presently we are saving user ids and password in a table on the database.

I would like to know if anybody knows how to encrypt the password and save the encrypted password on the SQL table and how to incorporate the encryption solution in CC.

Any feedback will be appreciated.

Regards,
Nido.
Blinky Bill
Posted: 08/03/2003, 6:05 AM

A few options

-- SQL Server has a built-in encrypt function (pretty weak and work-out-able), useful for trivial stuff. I believe this function is undocumented; the usage is as follows:

encrypt('mystring')
returns
0x6D00790073007400720069006E006700

Take a close look; it's pretty easy to work out what it's doing.


-- write a stored procedure to hash passwords.

-- use MD5 hashes. There's plenty of MD5 stuff on the internet; use Google and grab some MD5 code, wrap it up in an ActiveX DLL and call it from CCS code. See my wrapper function below.

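' Wrapper around the ActiveX hashing component
Function MD5Hash(StringToHash)

    Dim sHashedString
    Dim oUA

    ' Create the COM object and hash the input, coerced to a string
    Set oUA = Server.CreateObject("IntranetBouncer.MD5")
    sHashedString = oUA.SHA256(CStr(StringToHash))
    Set oUA = Nothing   ' release the COM object
    MD5Hash = sHashedString

End Function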


Generally with a password all you want to do is hash it. You don't actually need to decrypt it. Just hash the password value the user enters and compare it to the already hashed password in the database.
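
Added example, not part of the original posts: it decodes the encrypt() output quoted above to show it is only the UTF-16LE bytes of the input, then shows the hash-and-compare flow the post describes. It uses a per-user salt and PBKDF2 from Python's standard library in place of the MD5 DLL the thread mentions; the function names, iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Value quoted in the post as the result of encrypt('mystring').
ENCRYPT_OUTPUT = "0x6D00790073007400720069006E006700"

ITERATIONS = 600_000  # assumption: tune to the login server's hardware


def decode_encrypt_output(hex_literal: str) -> str:
    """Reverse the quoted value: it is the UTF-16LE encoding of the input."""
    return bytes.fromhex(hex_literal[2:]).decode("utf-16-le")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for one column of the users table."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    print(decode_encrypt_output(ENCRYPT_OUTPUT))
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password("correct horse", record))
    print(verify_password("wrong guess", record))
```
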
Headhunter
Posted: 08/03/2003, 2:11 PM

http://www.gotocode.com/disc_viewt.asp?mid=9767&s_topic=md5&

I use CCS 2.1 + PHP + MySQL, works for me.
Blinky Bill
Posted: 08/03/2003, 4:07 PM

Head Hunter,

SQL Server 7 (which was what the original poster was asking about) doesn't have an MD5 function, therefore the pointer you provide isn't of value.
Nido
Posted: 08/03/2003, 6:39 PM

Hi Blinky Bill

I like your second option to write a stored procedure to hash passwords.

Can I use it with CC instead of CCS? If yes, could you please give me some more details. I am sure this would help the whole community.

Regards,
Nido.
Blinky Bill
Posted: 08/04/2003, 2:46 AM

Nido,

Stored Procedures: have a look at www.sqlservercentral.com for sample scripts and third party extended stored procs.

Using these auth methods isn't a function of CC or CCS, as you will be rewriting the login functions in CC or CCS anyway.

What I have done is create a complete SQL Server based authentication system that can be used by ALL applications created by CCS, or CC for that matter. There is also a front-end that allows non-technical people to add and remove users, applications, permissions etc. It does other nice stuff like dictionary checking so easy passwords cannot be used, 15 password history, 30 day cycling of passwords, login auditing etc etc.

Now when we create a new application using CCS, we just use the base project (with the already modified common.asp file) as a template, create a new APPID for the new app, security taken care of.

Before you ask, no, I can't make the code available, as my employer has paid for my wages to develop this system. If you're interested, it took about 6 months of developing in my spare time at work, probably about 3 weeks solid dev time.
lneisius
Posted: 08/04/2003, 11:18 AM

Maybe I'm missing the point: if someone got a copy of the dbase, then with the stored procedure in the dbase they could figure out a way of decrypting any info that was crypted. That's why the md5 hash is so great, isn't it? If I read things correctly about protecting the dbase, DO NOT USE STORED PROCEDURES TO CYPHER DATABASE!!!!! You should use outside code as described in an earlier post. I'm currently working on adding a hash to my site, and searching has found many solutions, and I'm still trying to figure out which is the best one! Maybe in the future MS will hear the people asking for the md5 hash and incorporate it in their system.
Blinky Bill
Posted: 08/04/2003, 3:07 PM

Correct, the methods I'm describing are all to do with 1 way hashing algos. You don't need to decrypt a password to know whether the user has supplied the right password or not. So having a stored procedure with MD5 will work just fine. If you don't want people looking at the stored proc, you could encrypt it (using the encrypt check box) or implement it as an extended stored procedure (dll).

   

