I am trying to implement an authentication algorithm. The basic sequence is the following:
Right now I doubt that this is the correct way to do it. With the salt I want to prevent rainbow tables, but requesting the salt from the server lets a man-in-the-middle attacker see the salt, and after that, cracking the password with a rainbow table built using that salt is easy.
Is the way to solve this an HTTPS connection, or is it somehow possible to make it more safe?
- Never store passwords, only the hash.
- The salt shall never leave the server; generate the salt and keep it as part of the generated hash.
- Use a seed for added protection. The seed can be the number of seconds from a predefined date till the date the user created the login in the application.
C# code sample:

    using System.Linq;
    using System.Security.Cryptography;

    public static class HashExtensions   // static class name assumed; extension methods need one
    {
        private static readonly RandomNumberGenerator rng = RandomNumberGenerator.Create();

        // Plain SHA-256 of a byte[]; the overload the two methods below call (assumed, not shown in the original).
        public static byte[] GetSha256HashCode(this byte[] value)
        {
            using (var sha256 = SHA256.Create()) return sha256.ComputeHash(value);
        }

        // Extends byte[]: create a SHA-256 hash code with a seed and a random salt of the supplied size.
        // Layout of the result: salt || SHA256(seed || salt || value)
        public static byte[] GetSha256HashCode(this byte[] value, byte[] seed, int prefix = 0)
        {
            var salt = new byte[prefix];
            rng.GetBytes(salt);
            return salt.Concat(seed.Concat(salt).Concat(value).ToArray().GetSha256HashCode()).ToArray();
        }

        // Extends byte[]: compare with a supplied hash code, using the seed and the salt of the supplied size
        // taken from the front of that hash code.
        public static bool IsEqualToSha256HashCode(this byte[] value, byte[] code, byte[] seed, int prefix = 0)
        {
            return seed.Concat(code.Take(prefix)).Concat(value).ToArray()
                       .GetSha256HashCode().SequenceEqual(code.Skip(prefix));
        }
    }
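As an added example (not code from the question or the answer), here is the server-side flow the answer describes, written in Python: the client sends only a username and password over the TLS connection, and the salt, the seed and the stored record never leave the server. make_record and verify_record mirror the layout of the answer's C# methods; the PBKDF2 variant, the constant-time comparison, the 2000-01-01 epoch and the 600,000 iteration count are my own choices.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

SALT_LEN = 16                # the "prefix" size in the answer's C# code
PBKDF2_ITERATIONS = 600_000  # high count so offline guessing is slow (my choice)
EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # the "predefined date"; constructed value

def seed_for_user(created_at):
    """Seed as the answer describes: seconds from the predefined date to the moment of signup."""
    return str(int((created_at - EPOCH).total_seconds())).encode()

def make_record(password, seed, salt=None):
    """Same layout as the answer's GetSha256HashCode: salt || SHA256(seed || salt || password)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.sha256(seed + salt + password.encode()).digest()

def verify_record(password, seed, record):
    """Counterpart of IsEqualToSha256HashCode; compare_digest avoids a timing side channel."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(hashlib.sha256(seed + salt + password.encode()).digest(), digest)

def make_record_pbkdf2(password, seed, salt=None):
    """Hardened variant (added here): a slow KDF instead of a single SHA-256 pass."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", seed + password.encode(), salt, PBKDF2_ITERATIONS)

def verify_record_pbkdf2(password, seed, record):
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    expected = hashlib.pbkdf2_hmac("sha256", seed + password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(expected, digest)

class Server:
    """Server side: the client only ever sends username and password (over TLS);
    salt, seed and record stay inside this object."""
    def __init__(self):
        self.users = {}  # username -> (created_at, record)

    def register(self, username, password, created_at=None):
        created_at = created_at or datetime.now(timezone.utc)
        record = make_record_pbkdf2(password, seed_for_user(created_at))
        self.users[username] = (created_at, record)

    def login(self, username, password):
        entry = self.users.get(username)
        if entry is None:
            return False  # unknown user; no salt is ever handed out
        created_at, record = entry
        return verify_record_pbkdf2(password, seed_for_user(created_at), record)
```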