| vetter1 | Asp.Net User |
| Re: Using Password and Salt with SHA1 | 2/8/2004 5:13:33 PM |
I've redone this using the following in the security.vb file
'http://www.obviex.com/samples/hash.aspx
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' SAMPLE: Hashing data with salt using MD5 and several SHA algorithms.
'
' To run this sample, create a new Visual Basic.NET project using the Console
' Application template and replace the contents of the Module1.vb file with
' the code below.
'
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' Copyright (C) 2003. Obviex(TM). All rights reserved.
'
'Imports System
'Imports System.Text
'Imports System.Security.Cryptography
' <SUMMARY>
' This class generates and compares hashes using MD5, SHA1, SHA256, SHA384,
' and SHA512 hashing algorithms. Before computing a hash, it appends a
' randomly generated salt to the plain text, and stores this salt appended
' to the result. To verify another plain text value against the given hash,
' this class will retrieve the salt value from the hash string and use it
' when computing a new hash of the plain text. Appending a salt value to
' the hash may not be the most efficient approach, so when using hashes in
' a real-life application, you may choose to store them separately. You may
' also opt to keep results as byte arrays instead of converting them into
' base64-encoded strings.
' </SUMMARY>
'Public Class SimpleHash
' <SUMMARY>
' Generates a hash for the given plain text value and returns a
' base64-encoded result. Before the hash is computed, a random salt
' is generated and appended to the plain text. This salt is stored at
' the end of the hash value, so it can be used later for hash
' verification.
' </SUMMARY>
' <PARAM name="plainText">
' Plaintext value to be hashed. The function does not check whether
' this parameter is null.
' </PARAM>
' <PARAM name="hashAlgorithm">
' Name of the hash algorithm. Allowed values are: "MD5", "SHA1",
' "SHA256", "SHA384", and "SHA512" (if any other value is specified
' MD5 hashing algorithm will be used). This value is case-insensitive.
' </PARAM>
' <PARAM name="saltBytes">
' Salt bytes. This parameter can be null, in which case a random salt
' value will be generated.
' </PARAM>
' <RETURNS>
' Hash value formatted as a base64-encoded string.
' </RETURNS>
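' Computes a salted hash of plainText and returns Base64(digest || salt).
'
' plainText     - text to hash, encoded as UTF-8. Nothing is not checked here;
'                 Encoding.UTF8.GetBytes throws ArgumentNullException for it.
' hashAlgorithm - "SHA1", "SHA256", "SHA384" or "SHA512" (case-insensitive).
'                 Any other value, including Nothing, selects MD5.
' saltBytes     - salt to append to the plain text. When Nothing, a random
'                 salt of 4 to 8 bytes is generated.
' Returns       - base64 string holding the digest followed by the salt bytes.
'
' Output size: the result is always longer than the raw digest. SHA512 with a
' generated salt is 68 to 72 bytes, which base64-encodes to 92 or 96 characters.
' Whatever stores the value must hold the whole string; a truncated value has
' lost digest and salt bytes and can never be verified again.
'
' SECURITY NOTE(review): a single pass of a general-purpose hash is cheap to
' compute, so salted digests of passwords remain inexpensive to guess offline
' if the stored values leak. For password storage prefer a deliberately slow
' derivation such as PBKDF2 (Rfc2898DeriveBytes in .NET 2.0 and later) with a
' per-user salt of at least 16 bytes.
'
' SECURITY NOTE(review): an unrecognised algorithm name silently falls back to
' MD5. That behaviour is documented and kept for compatibility; callers should
' pass one of the supported names as a literal and never take it from input.
Public Shared Function ComputeHash(ByVal plainText As String, ByVal hashAlgorithm As String, ByVal saltBytes() As Byte) As String
    ' If salt is not specified, generate it on the fly.
    If saltBytes Is Nothing Then
        Const minSaltSize As Integer = 4
        Const maxSaltSize As Integer = 8

        ' Random.Next excludes its upper bound, so add 1 to make an 8-byte
        ' salt reachable. Only the salt length comes from System.Random;
        ' the salt bytes themselves come from the cryptographic generator.
        ' NOTE(review): assumes the verifier reads the salt as "everything
        ' after the digest" and does not expect a fixed salt length.
        Dim sizePicker As New Random()
        Dim saltSize As Integer = sizePicker.Next(minSaltSize, maxSaltSize + 1)

        saltBytes = New Byte(saltSize - 1) {}
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetNonZeroBytes(saltBytes)
    End If

    ' Build plainText || salt as one buffer.
    Dim plainTextBytes() As Byte = Encoding.UTF8.GetBytes(plainText)
    Dim plainTextWithSaltBytes() As Byte = New Byte(plainTextBytes.Length + saltBytes.Length - 1) {}
    Buffer.BlockCopy(plainTextBytes, 0, plainTextWithSaltBytes, 0, plainTextBytes.Length)
    Buffer.BlockCopy(saltBytes, 0, plainTextWithSaltBytes, plainTextBytes.Length, saltBytes.Length)

    ' A missing algorithm name is treated like an unknown one (MD5).
    If hashAlgorithm Is Nothing Then
        hashAlgorithm = ""
    End If

    ' The concrete algorithm is chosen at run time, so the variable is typed
    ' as the abstract base class.
    Dim hash As HashAlgorithm
    Select Case hashAlgorithm.ToUpper()
        Case "SHA1"
            hash = New SHA1Managed()
        Case "SHA256"
            hash = New SHA256Managed()
        Case "SHA384"
            hash = New SHA384Managed()
        Case "SHA512"
            hash = New SHA512Managed()
        Case Else
            hash = New MD5CryptoServiceProvider()
    End Select

    ' Release the algorithm object even when hashing throws.
    Dim hashBytes() As Byte
    Try
        hashBytes = hash.ComputeHash(plainTextWithSaltBytes)
    Finally
        hash.Clear()
    End Try

    ' Result layout: digest bytes first, then the salt, so a verifier that
    ' knows the digest size can recover the salt from the tail.
    Dim hashWithSaltBytes() As Byte = New Byte(hashBytes.Length + saltBytes.Length - 1) {}
    Buffer.BlockCopy(hashBytes, 0, hashWithSaltBytes, 0, hashBytes.Length)
    Buffer.BlockCopy(saltBytes, 0, hashWithSaltBytes, hashBytes.Length, saltBytes.Length)

    Return Convert.ToBase64String(hashWithSaltBytes)
End Function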
'************************************************
And I'm referencing it in the register module as
' Registers the user, passing a salted SHA512 hash of the entered password to
' AddUser in place of the plain text. With "SHA512" and a Nothing salt,
' ComputeHash returns base64 of the 64-byte digest plus the generated salt:
' a string of 92 or 96 characters.
' NOTE(review): whatever AddUser stores this value in must hold the full
' string. A shorter stored value has been truncated and can no longer be
' verified - confirm the parameter and column width.
UserId = objUser.AddUser(PortalId, txtFirstName.Text, txtLastName.Text, Address1.Unit, Address1.Street, Address1.City, Address1.Region, Address1.Postal, Address1.Country, Address1.Telephone, txtEmail.Text, txtUsername.Text, objSecurity.ComputeHash(txtPassword.Text, "SHA512", Nothing), IIf(_portalSettings.UserRegistration = 1, CStr(False), CStr(True)), UserId)
However, whenever I look at the passwords they are only 12 characters in length which is incorrect. What am I doing wrong?
vetter1 |