Implementierung einer besseren Radom und rechenintensiveren Hash-Aart

login/login_FLEX.aspx.vb

@@ -1,14 +1,15 @@
 Imports System.Data.SqlClient
 Imports System.Data
 Imports System.Security.Cryptography
-
 Partial Class login_FLEX
     Inherits System.Web.UI.Page
-
-    Dim Customer_ID As String = String.Empty
-    Dim UserNaMe As String = String.Empty
-    Dim passw As String = String.Empty
-    Dim USERID As String = String.Empty
+    Private Customer_ID As String = String.Empty
+    Private UserNaMe As String = String.Empty
+    Private passw As String = String.Empty
+    Private USERID As String = String.Empty
+    Private salt As Byte()
+    Private intzahl As Integer
+    Private intzahliterats As Integer
     Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
         VERAG_VARIABLES.initerrorcount()
         If Page.IsPostBack = True Then
@@ -16,8 +17,11 @@ Partial Class login_FLEX
         Else
             Page.MaintainScrollPositionOnPostBack = False
         End If
+        intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
+        intzahliterats = VERAG_VARIABLES.getiterationnumber
+        salt = VERAG_VARIABLES.GenerateSalt(intzahl)
     End Sub
-    Protected Sub ValidateUser(sender As Object, e As EventArgs)
+    Protected Async Sub ValidateUser(sender As Object, e As EventArgs)
 
         ' cDBFunctions.GetNewOpenConnection()
         Dim ConnectionString = ""
@@ -183,16 +187,6 @@ Partial Class login_FLEX
                 dr.Close()
                 con.Close()
             End Using
-            Using cmd2 As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [LastLoginDate]=@Date WHERE [Username]=@Username AND [KundenNr]=@KundenNr AND Password=@Password")
-                cmd2.Parameters.AddWithValue("Date", Date.Now.ToString)
-                cmd2.Parameters.AddWithValue("Username", UserNaMe)
-                cmd2.Parameters.AddWithValue("KundenNr", Customer_ID)
-                cmd2.Parameters.AddWithValue("Password", passw)
-                cmd2.Connection = con
-                con.Open()
-                cmd2.ExecuteNonQuery()
-                con.Close()
-            End Using
         End Using
 
         If String.IsNullOrEmpty(tb2_M.Text) = False AndAlso String.IsNullOrEmpty(tb2.Text) = True Then
@@ -204,7 +198,10 @@ Partial Class login_FLEX
         'Dim str = gensaltToken(UserNaMe, passw, Customer_ID, Session.IsNewSession)
         'MsgBox(str)
         'End If
-        FormsAuthentication.RedirectFromLoginPage(UserNaMe, True)
+        Dim hashpw As Byte() = Await VERAG_VARIABLES.HashPassword(passw, salt, intzahliterats, intzahl)
+        If Await VERAG_VARIABLES.Verifyhash(passw, salt, hashpw, intzahliterats, intzahl) = True Then
+            FormsAuthentication.RedirectFromLoginPage(UserNaMe, True)
+        End If
 
     End Sub
 
@@ -220,58 +217,38 @@ Partial Class login_FLEX
         Session.Add("CustomerID", Customer_ID)
         Session.Add("PW", passw)
     End Sub
-    Function gensaltToken(username As String, password As String, CustomerID As String, isnewSession As Boolean) As String
+    Async Function gensaltToken(username As String, password As String, CustomerID As String, salt As Byte(), intzahliterats As Integer, intzahl As Integer, isnewSession As Boolean) As Threading.Tasks.Task(Of String)
         If isnewSession = False Then
             Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
             Dim Key() As Byte = Guid.NewGuid().ToByteArray()
-            Dim token As String
-            Dim MyMin As Integer = 155, MyMax As Integer = 875, My1stRandomNumber As Integer, My2ndRandomNumber As Integer
-            ' Create a random number generator
-            Dim Generator As System.Random = New System.Random()
-            ' Get a random number >= MyMin and <= MyMax
-            My1stRandomNumber = Generator.Next(MyMin, MyMax + 1) ' Note: Next function returns numbers _less than_ max, so pass in max + 1 to include max as a possible value
+            Dim token As Byte()
 
-            ' Get another random number (don't create a new generator, use the same one)
-            My2ndRandomNumber = Generator.Next(MyMin, MyMax + 1)
-            If String.IsNullOrEmpty(username) = False And String.IsNullOrEmpty(passw) = False And String.IsNullOrEmpty(CustomerID) = False Then
-                Try
-                    Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber)
-                    Dim passw As String = password
-                    token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My1stRandomNumber))
-                    Session.Add("Tokensalt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(token))
-                    Session.Add("salt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(salt))
-                    Return token
-                Catch Ex As Exception
-                    'Dim Msg, Style, Title As String
-                    'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
-                    'Style = vbRetry + vbExclamation + vbDefaultButton1
-                    'Title = "Error05: Token-Generierung"
-                    'MsgBox(Msg, Style, Title)
-                    'If MsgBox(Msg, Style, Title).Retry Then
-                    'genToken(username, password, email)
-                    Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber)
-                    Dim passw As String = password
-                    token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My2ndRandomNumber))
+            token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
+                Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
 
+                'Dim Msg, Style, Title As String
+                'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
+                'Style = vbRetry + vbExclamation + vbDefaultButton1
+                'Title = "Error05: Token-Generierung"
+                'MsgBox(Msg, Style, Title)
+                'If MsgBox(Msg, Style, Title).Retry Then
+                'genToken(username, password, email)
+                token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
+                Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
 
-                    'Else
-                    'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!")
-                    Dim jetzt As DateTime = DateTime.UtcNow
-                    Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5)
+                'Else
+                'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!")
+                Dim jetzt As DateTime = DateTime.UtcNow
+                Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5)
+
+                If jetzt < wenn Then
+                    Return "NotYet"
+                Else
+                    token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
+                    Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
+                    'End If
+                End If
 
-                    If jetzt < wenn Then
-                        Return "NotYet"
-                    Else
-                        token = gensaltToken(username, password, CustomerID, Session.IsNewSession)
-                        Return token
-                        'End If
-                    End If
-                End Try
-            Else
-                Return String.Empty
-            End If
-        Else
-            Return "Error in Session ID. It has changed. Please check admin!"
         End If
     End Function
 End Class