Post by Cariad2033 on Feb 5, 2024 15:24:02 GMT
Hi, I have implemented your encryption for my user table.
Basically it is:
ID INT autoincrement, LOGON string encrypted, PASSWORD string encrypted.
It all saves great.
Then when a user goes to log in with their ID and password, I go to create an SQL statement to retrieve their record using the login ID and password they entered in a WHERE clause.
So I take the login and password they entered and encrypt them using the same password key as in your example, and the encrypted version is different and I cannot authenticate them.
E.g.
So let's say I create a login GOD; it encrypts to WRZ67F using encryption password ABCDEF012345 and saves great to the database.
Then a user tries to log in again as GOD using the same encryption password ABCDEF012345 and it encrypts to something totally different from WRZ67F.
So obviously my WHERE clause is not going to authenticate. I am using your code in the example you gave me.
I know how to use the encrypted field in a WHERE clause, but the encryption is always different with the exact same key used in your demo of encryption.
Anyone have any ideas how to get the same encrypted value using the same key?
Is it the fact that the salt and IV are randomly generated each time, but are prepended to the encrypted cipher text so that the same salt and IV values can be used when decrypting? That means nothing can be encrypted the same for database comparison, is that correct?
In other words, the salt and IV should remain the same if one was to compare an entered logon ID and an encrypted one. Is that right?
Post by echo17 on Feb 6, 2024 11:26:58 GMT
Yes, by design salt will generate a unique value each time the encryption is used. This prevents attacks on people that tend to use the same passwords for multiple logins. Please see this post for a detailed explanation: link. Note that salt was just what I chose to use in my demo. You can easily replace that code with any encryption technique, including ones that produce the same values for each encryption.
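The point echo17 makes above is the core of the problem: any scheme that draws a fresh random salt or IV per call will, by design, give a different output for the same input, so an encrypted column can never be matched with a plain equality in a WHERE clause. The example below is an added illustration, not the Cipher.cs from the demo or any code from this thread. It uses only the Python standard library and stands in for the demo's random-salt scheme with a PBKDF2 call that draws its own salt each time. It then shows the two pieces a login lookup actually needs: a deterministic keyed hash (HMAC) of the logon as a lookup column, and a salted password hash whose salt is stored next to it and reused at verification time, rather than reversible encryption of the password. The key, table layout and sample users are all constructed for the example.

```python
"""Added example: why per-call random salt/IV breaks equality lookups, and
what to store instead. Not the demo's Cipher.cs; stdlib only."""
import hashlib
import hmac
import os

# Constructed demo key. In a real deployment this comes from a secrets store,
# never from source code or the database itself.
SERVER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

SALT_LEN = 16


def randomized_tag(value: str, key: bytes) -> bytes:
    """Stand-in for the demo's behaviour: a fresh random salt is drawn on
    every call and prepended to the output. Two calls on the same input
    therefore never produce the same bytes, so this cannot be used in a
    WHERE clause."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), key + salt, 1000)
    return salt + digest


def deterministic_tag(value: str, key: bytes) -> bytes:
    """Keyed, salt-free blind index (HMAC-SHA256) over the logon ID.
    Same key and same value always give the same bytes, so the column can
    be compared with equality (WHERE logon_index = @x). Without the key an
    attacker holding the table cannot brute-force the logons offline."""
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 for storage. The salt is random per user and is stored
    in front of the digest; it is reused (not regenerated) when verifying."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


# In-memory stand-in for the user table: ID, logon_index, password hash.
def create_user(table: list, logon: str, password: str) -> int:
    row = {
        "id": len(table) + 1,
        "logon_index": deterministic_tag(logon, SERVER_KEY),
        "pw": hash_password(password),
    }
    table.append(row)
    return row["id"]


def login(table: list, logon: str, password: str):
    """Look the row up by the deterministic logon index only (never by
    password), then verify the password against the stored salted hash.
    Returns the user ID on success, None otherwise."""
    idx = deterministic_tag(logon, SERVER_KEY)
    for row in table:
        if hmac.compare_digest(row["logon_index"], idx):
            return row["id"] if verify_password(password, row["pw"]) else None
    return None


if __name__ == "__main__":
    users = []
    uid = create_user(users, "GOD", "correct horse battery")
    print("random scheme repeats:", randomized_tag("GOD", SERVER_KEY) == randomized_tag("GOD", SERVER_KEY))
    print("blind index repeats:  ", deterministic_tag("GOD", SERVER_KEY) == deterministic_tag("GOD", SERVER_KEY))
    print("login ok:", login(users, "GOD", "correct horse battery") == uid)
    print("login bad pw:", login(users, "GOD", "wrong"))
```

The design choice worth noting: the password is deliberately never part of the WHERE clause. Only the logon is used to find the row, and the password check happens in code against the stored salt and digest. If the logon must also be recoverable for display, it can be kept in a separate reversibly encrypted column alongside the HMAC index; the index column is the one used for lookups.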
Post by Cariad2033 on Feb 7, 2024 12:11:51 GMT
echo17 wrote: Yes, by design salt will generate a unique value each time the encryption is used. This prevents attacks on people that tend to use the same passwords for multiple logins. Please see this post for a detailed explanation: link. Note that salt was just what I chose to use in my demo. You can easily replace that code with any encryption technique, including ones that produce the same values for each encryption.
Thanks mate, that's what I figured. I ended up adding two more encryption systems to the Cipher.cs so I could use either when needed. Thanks for the response.