MD5 Encryption Problem (ASP.NET VB)

Hi,
I am trying to use MD5 Encryption for passwords in my application but I need help sorting out a data conversion issue... I think.

I have figured out how to convert an entered password at user registration and store the MD5 equivalent. Now my problem is, the core of my application was generated from ASP.NET Maker and the password is stored in a cookie / session string and is checked throughout the system.
It looks something like this in login.aspx:

' *************************
' *  Handler for Page Load
' *************************

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim md5Hasher As New MD5CryptoServiceProvider()

    Dim hashedBytes As Byte()
    Dim encoder As New UTF8Encoding()

    hashedBytes = md5Hasher.ComputeHash(encoder.GetBytes(LoginControl.Password))

    Response.Cache.SetCacheability(HttpCacheability.NoCache)
    Page.ClientScript.RegisterClientScriptInclude("ewv", "ewv.js")
    Advsecu.LoadUserLevel()
    If (CustomProfile.GetGlobal(Share.ProjectName).Message IsNot Nothing) Then
        lblMessage.Text = CustomProfile.GetGlobal(Share.ProjectName).Message
        pnlMessage.Visible = True
        CustomProfile.GetGlobal(Share.ProjectName).Message = Nothing
    End If
    If (Not IsPostBack) Then
        If (Advsecu.IsLoggedIn()) Then 'User already logged in
            If (CustomProfile.GetGlobal(Share.ProjectName).Message Is Nothing) Then
                Response.Redirect("default.aspx") 'Redirect to default page
                Return
            End If
        Else

            ' Check auto login
            If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
                Request.Cookies(Share.ProjectName)("autologin") IsNot Nothing AndAlso _
                Request.Cookies(Share.ProjectName)("autologin") = "autologin") Then
                Dim strUsername As String = Request.Cookies(Share.ProjectName)("username")
                Dim strPassword As String = IIf(Not String.IsNullOrEmpty(Request.Cookies(Share.ProjectName)("password")), hashedBytes, String.Empty)
                If (Not String.IsNullOrEmpty(strUsername) AndAlso Not String.IsNullOrEmpty(strPassword)) Then
                    If (ValidateUser(strUsername, strPassword)) Then
                        FormsAuthentication.RedirectFromLoginPage(strUsername, False)
                        Return
                    Else ' invalid username or password
                        ClearCookies()
                    End If
                Else ' empty username or password
                    ClearCookies()
                End If
            End If

            ' Initial username
            If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
                Request.Cookies(Share.ProjectName)("username") IsNot Nothing) Then
                LoginControl.UserName = Request.Cookies(Share.ProjectName)("username")
            End If

            ' Initial rememberme option
            Dim autoLoginValue As String = "n"
            If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
                Request.Cookies(Share.ProjectName)("autologin") IsNot Nothing) Then
                If (Request.Cookies(Share.ProjectName)("autologin") = "autologin") Then
                    autoLoginValue = "a"
                ElseIf (Request.Cookies(Share.ProjectName)("autologin") = "rememberUsername") Then
                    autoLoginValue = "u"
                End If
            End If
            Dim rememberme As RadioButtonList = TryCast(LoginControl.FindControl("RememberMe"), RadioButtonList)
            If (rememberme IsNot Nothing) Then
                rememberme.SelectedIndex = -1
                For Each item As ListItem In rememberme.Items
                    If (item.Value = autoLoginValue) Then
                        item.Selected = True
                        Exit For
                    End If
                Next
            End If
        End If
    End If
    If (LoginControl.FindControl("UserName") IsNot Nothing) Then
        Page.Form.DefaultFocus = LoginControl.FindControl("UserName").ClientID
    End If
End Sub

I would like to replace the password with "hashedBytes" so that it compares the encrypted password with the encrypted data in the database. However, I have the issue of the password being represented as a string in the generated script, whereas "hashedBytes" is an array of type Byte. How can I fix this problem so that I don't need to change too much in the code? Please help.

The relevant membership provider code is as follows:

Public Overloads Overrides Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
    Dim booValid As Boolean = False
    Try
        Dim userProfile As UserProfile = GetUserProfile(username)

        If (userProfile IsNot Nothing) Then
            Return IIf((_boolIsPasswordCaseSensitive), (userProfile.Password.Trim = password.Trim), (userProfile.Password.ToLower.Trim = password.ToLower.Trim))
        Else
            Return False
        End If
    Catch
        Return False
    End Try
End Function

I hope it is clear... let me know if you need more info.
Thanks in advance.
Mel