Re: URL. Hash, Encrypt, ...
- From: shapper <mdmoura@xxxxxxxxx>
- Date: Sun, 4 Oct 2009 19:00:04 -0700 (PDT)
On Oct 4, 10:49 pm, rossum <rossu...@xxxxxxxxxxxx> wrote:
> 1 Generate a suitable large random number.
You mean considering that is a password?
For example with length equal to 8, which is the minimum length I
usually set to passwords ...
> 2 Encrypt this number with the user's public RSA key.
Doesn't the private key include the public key?
So I need to generate two keys, one private and one public and
save in the database?
Like so?
RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(); // generates a fresh key pair
byte[] privateAndPublicKeys = RSA.ExportCspBlob(true);          // true: blob holds the private half too
byte[] publicKey = RSA.ExportCspBlob(false);                    // false: blob holds the public half only
The ExportCspBlob says for the parameter:
"true to include the private key"
This is why I am not sure how to separate both.
> 3 Send the encrypted number to the user in an e-mail.
Got it.
> 4 The new password is the SHA-256 hash of the random number (in
> Base-64 if you want to make it typeable on a keyboard).
I don't get the typeable part ...
If I understood correctly, I get the encrypted number, use Base64 to
convert it to a String and send it to the user by email.
And I also turn it to byte[] and hash it using SHA 256. I save the
hash and the salt in the database.
Then when the user inserts that number I convert it to byte[] using
UTF8 and verify it against the hash I have on the database.
Correct?
> 5 Expire the new password the first time it is used to force the user
> to change to their own new password when they log back on.
I can create a column on the database Users table: Bool
TemporaryPassword.
When I send the password I set it to true. When the user logs in I
redirect him to the password change form and set it to false.
I suppose a column on the table for this is necessary. Correct?
> This requires all users to have their own RSA public/private keys.
> They could perhaps be generated as part of the sign-up process.
Yes, no problem in doing that on the signup process.
And I can use the RSA keys for other things if needed correct?
> As is usual with security, how valuable is what you are trying to
> protect? What is the cost to the business if the data is compromised?
Not a lot ... But the way I see it is if I am spending time learning
and implementing things then it would be better to do it the correct
way.
Thank You,
Miguel
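The five steps from the quoted reply, carried through end to end as an added example (not code posted by either participant), using the same .NET classes already shown in the thread. Assumptions made here: the server keeps only the public CSP blob (`ExportCspBlob(false)`) in the Users table, the private blob (`ExportCspBlob(true)`) is handed to the user at sign-up and never stored server-side, the temporary password the user types is Base-64(SHA-256(random number)), and the server stores a salted SHA-256 of that password next to the proposed `TemporaryPassword` flag. `StoredRecord`, `IssueTemporaryPassword`, `RecoverTemporaryPassword` and `Verify` are names invented for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Server keeps only the public blob;
// the private blob belongs to the user (assumption, see lead-in).
public static class PasswordResetDemo
{
    public sealed class StoredRecord          // what the Users table row would hold (hypothetical)
    {
        public byte[] PublicKeyBlob;          // ExportCspBlob(false): public half only
        public byte[] Salt;
        public byte[] PasswordHash;
        public bool TemporaryPassword;        // the Bool column proposed in the thread
    }

    // Sign-up: one key pair, exported twice; "false" yields the public half only.
    public static (byte[] publicBlob, byte[] privateBlob) GenerateUserKeys()
    {
        using var rsa = new RSACryptoServiceProvider(2048);
        return (rsa.ExportCspBlob(false), rsa.ExportCspBlob(true));
    }

    // Steps 1, 2, 4 and 5 on the server. Returns the Base-64 ciphertext to e-mail (step 3).
    public static string IssueTemporaryPassword(StoredRecord user)
    {
        // 1. A suitably large random number: 32 bytes from the CSPRNG, not an 8-character string.
        byte[] secret = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);

        // 2. Encrypt with the user's PUBLIC key only (OAEP padding); this blob cannot decrypt.
        byte[] cipher;
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportCspBlob(user.PublicKeyBlob);
            cipher = rsa.Encrypt(secret, fOAEP: true);
        }

        // 4. Temporary password = Base-64(SHA-256(secret)): typeable on a keyboard.
        //    The server stores only a salted hash of it, as for any other password.
        string tempPassword = DerivePassword(secret);
        user.Salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(user.Salt);
        user.PasswordHash = HashPassword(user.Salt, tempPassword);
        user.TemporaryPassword = true;        // 5. mark it as single-use

        // 3. Only the ciphertext leaves the server; the plain secret is never mailed.
        return Convert.ToBase64String(cipher);
    }

    // User side: decrypt the e-mail with the private blob and derive the same password.
    public static string RecoverTemporaryPassword(byte[] privateBlob, string emailBody)
    {
        using var rsa = new RSACryptoServiceProvider();
        rsa.ImportCspBlob(privateBlob);       // private half present: decryption works
        byte[] secret = rsa.Decrypt(Convert.FromBase64String(emailBody), fOAEP: true);
        return DerivePassword(secret);
    }

    // Login: salt + hash the typed value (UTF-8, as planned in the thread) and compare in
    // constant time. A matching temporary password is consumed on first use (step 5); the
    // password-change form is then expected to store a fresh hash and clear the flag.
    public static bool Verify(StoredRecord user, string typed, out bool mustChange)
    {
        byte[] candidate = HashPassword(user.Salt, typed);
        bool ok = CryptographicOperations.FixedTimeEquals(candidate, user.PasswordHash);
        mustChange = ok && user.TemporaryPassword;
        if (mustChange) user.PasswordHash = Array.Empty<byte>();   // nothing matches until changed
        return ok;
    }

    static string DerivePassword(byte[] secret)
    {
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(secret));
    }

    static byte[] HashPassword(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];   // SHA-256(salt || password)
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using var sha = SHA256.Create();
        return sha.ComputeHash(input);
    }

    public static void Main()
    {
        var (publicBlob, privateBlob) = GenerateUserKeys();
        var user = new StoredRecord { PublicKeyBlob = publicBlob };

        string email = IssueTemporaryPassword(user);                 // server
        string typed = RecoverTemporaryPassword(privateBlob, email); // user

        bool first = Verify(user, typed, out bool mustChange);
        bool second = Verify(user, typed, out _);
        Console.WriteLine($"first login ok={first}, must change={mustChange}, reuse ok={second}");
    }
}
```

Two points the code makes concrete: `ImportCspBlob` of the `false` blob gives an object that can only encrypt, which is how the two halves are separated, and the password hash stored in the table is a hash of the typeable Base-64 string, so the encrypted number in the e-mail and the value the user types are different things. `CryptographicOperations.FixedTimeEquals` needs .NET Core 2.1 or later; on older frameworks a manual constant-time loop over both arrays does the same job.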