security - How to authenticate client at server using a hashed password with salt? -


i try implement authentification algorithm. basic sequence following:

enter image description here

right doubt correct way it. salt want prevent rainbow tables requesting salt server let man in middle attack salt , after cracking password rainbow table using salt easy.

is way solving https connection or somehow possible more save?

  1. never store passwords, hash.
  2. salt shall never leave server, generate salt , keep part of generated hash.
  3. use seed added protection. seed can number of seconds predefined date till date user created login application.

c# code sample:

// extends byte[] create sha256 hash code seed , salt of supplied size public static byte[] getsha256hashcode(this byte[] value, byte[] seed, int prefix = 0) {     var salt = new byte[prefix];     rng.getbytes(salt);     return salt.concat(seed.concat(salt).concat(value).toarray().getsha256hashcode()).toarray(); }  // extends byte[] compare sha256 hash code seed , salt of supplied size supplied hash code public static bool isequaltosha256hashcode(this byte[] value, byte[] code, byte[] seed, int prefix = 0) {     return seed.concat(code.take(prefix)).concat(value).toarray().getsha256hashcode().sequenceequal(code.skip(prefix)); } 

Comments