Implementierung einer besseren Radom und rechenintensiveren Hash-Aart

This commit is contained in:
ja
2021-12-03 11:34:50 +01:00
parent 9ceee298b5
commit 17f4d7faad
8 changed files with 154 additions and 255 deletions


@@ -1,8 +1,12 @@
Imports System.Security.Cryptography Imports System.Security.Cryptography
Imports Microsoft.VisualBasic Imports Microsoft.VisualBasic
Imports Konscious.Security.Cryptography
Public Class VERAG_VARIABLES Public Class VERAG_VARIABLES
Public Shared errornumb As Integer = 0 Public Shared errornumb As Integer = 0
Shared Function getiterationnumber() As Integer
Return RandomInteger(Math.Pow(2, 2), Math.Pow(2, 8))
End Function
Shared Sub initerrorcount() Shared Sub initerrorcount()
errornumb = 0 errornumb = 0
End Sub End Sub
@@ -15,20 +19,38 @@ Public Class VERAG_VARIABLES
Shared Function getErrorcodeindez(Errorcode As String) As String Shared Function getErrorcodeindez(Errorcode As String) As String
Return VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(Errorcode) Return VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(Errorcode)
End Function End Function
Public Shared Function GenerateSalt(ByVal nSalt As Integer) As String Public Shared Function GenerateSalt(ByVal nSalt As Integer) As Byte()
Dim saltBytes = New Byte(nSalt) {} Dim saltBytes = New Byte(nSalt) {}
Using provider = New RNGCryptoServiceProvider() Using provider = New RNGCryptoServiceProvider()
provider.GetNonZeroBytes(saltBytes) provider.GetNonZeroBytes(saltBytes)
End Using End Using
Return saltBytes
Return Convert.ToBase64String(saltBytes) 'Convert.ToBase64String(saltBytes)
End Function
Public Shared Async Function HashPassword(ByVal password As String, ByVal salt As Byte(), ByVal nIterations As Integer, ByVal nHash As Integer) As Threading.Tasks.Task(Of Byte())
Dim Argon As Argon2id = New Argon2id(Encoding.UTF8.GetBytes(password))
Argon.Salt = salt
Argon.DegreeOfParallelism = 6
Argon.Iterations = nIterations
Argon.MemorySize = 4096
Return Await Argon.GetBytesAsync(nHash)
'Return Convert.ToBase64String(Argon.GetBytes(nHash))
Return Argon.GetBytes(nHash)
'Dim saltBytes = Convert.FromBase64String(salt)
'Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations)
'End Using
End Function End Function
Public Shared Function HashPassword(ByVal password As String, ByVal salt As String, ByVal nIterations As Integer, ByVal nHash As Integer) As String
Dim saltBytes = Convert.FromBase64String(salt)
Using rfc2898DeriveBytes = New Rfc2898DeriveBytes(password, saltBytes, nIterations) Public Shared Async Function Verifyhash(ByVal passw As String, ByVal salt As Byte(), ByVal hash As Byte(), ByVal nIterations As Integer, ByVal nHash As Integer) As Threading.Tasks.Task(Of Boolean)
Return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(nHash)) Dim newHash As Byte() = Await HashPassword(passw, salt, nIterations, nHash)
End Using Return hash.SequenceEqual(newHash)
End Function
Public Shared Function RandomInteger(ByVal min As Integer, ByVal _
max As Integer) As Integer
Dim rand As New RNGCryptoServiceProvider()
Dim one_byte() As Byte = {0}
rand.GetBytes(one_byte)
Return min + (max - min) * (one_byte(0) / 255)
End Function End Function
End Class End Class
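Review bot: In `HashPassword` the line `Return Argon.GetBytes(nHash)` after `Return Await Argon.GetBytesAsync(nHash)` is unreachable, and the `Argon2id` instance (a `DeriveBytes`, hence `IDisposable`) is never disposed; scope it with `Using` and drop the dead return, as below. `Verifyhash` compares with `hash.SequenceEqual(newHash)`, which stops at the first differing byte, so a comparison that always walks the full length (length check plus an XOR-accumulate loop) is the safer choice for a password check. `New Byte(nSalt) {}` allocates nSalt + 1 bytes in VB, and `RandomInteger` draws a single byte, so it can only ever yield 256 distinct values; `getiterationnumber` and the salt-length choices are therefore far less random than their ranges suggest. `MemorySize = 4096` appears to be in KiB, which is on the low side for Argon2id; a comment stating the parameter units and the rationale for `DegreeOfParallelism = 6` would let a later reviewer raise them deliberately. Nothing in this class persists salt, iteration count or output length, yet `Verifyhash` needs all three, so every caller must store them next to the hash.
```vb
Public Shared Async Function HashPassword(ByVal password As String, ByVal salt As Byte(), ByVal nIterations As Integer, ByVal nHash As Integer) As Threading.Tasks.Task(Of Byte())
    ' Argon2id derives from DeriveBytes, which is IDisposable, so scope it with Using.
    Using argon As New Argon2id(Encoding.UTF8.GetBytes(password))
        argon.Salt = salt
        argon.DegreeOfParallelism = 6
        argon.Iterations = nIterations
        argon.MemorySize = 4096 ' memory cost; unit believed to be KiB — confirm against the library docs
        Return Await argon.GetBytesAsync(nHash)
    End Using
End Function
```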


@@ -26,11 +26,11 @@
<system.web> <system.web>
<webServices> <webServices>
<protocols> <protocols>
<add name="HttpGet"/> <add name="HttpGet" />
<add name="HttpPost"/> <add name="HttpPost" />
</protocols> </protocols>
<conformanceWarnings> <conformanceWarnings>
<remove name='BasicProfile1_1'/> <remove name="BasicProfile1_1" />
</conformanceWarnings> </conformanceWarnings>
</webServices> </webServices>
<authentication mode="Forms"> <authentication mode="Forms">


@@ -1,4 +1,4 @@
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Change_PW.aspx.vb" Debug="true" Inherits="login_Change_PW" %> <%@ Page Language="VB" AutoEventWireup="false" CodeFile="Change_PW.aspx.vb" Debug="true" Inherits="login_Change_PW" Async="true" %>
<!DOCTYPE html> <!DOCTYPE html>


@@ -1,10 +1,13 @@
 
Imports System.Data.SqlClient Imports System.Data.SqlClient
Imports System.Security.Cryptography Imports System.Security.Cryptography
Imports System.Threading.Tasks
Partial Class login_Change_PW Partial Class login_Change_PW
Inherits System.Web.UI.Page Inherits System.Web.UI.Page
Dim intzahl As Integer = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
Dim intzahliterats As Integer = VERAG_VARIABLES.getiterationnumber
Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl)
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
Dim url = Request.ServerVariables("URL") Dim url = Request.ServerVariables("URL")
Session.Add("urltochangepw", url) Session.Add("urltochangepw", url)
@@ -124,7 +127,7 @@ Partial Class login_Change_PW
MsgBox("") MsgBox("")
End Sub End Sub
Protected Sub btn_submitpw_Click(sender As Object, e As EventArgs) Protected Async Sub btn_submitpw_Click(sender As Object, e As EventArgs)
Dim tempstr As String = "" Dim tempstr As String = ""
Dim UsernameDB As String = String.Empty Dim UsernameDB As String = String.Empty
Dim pwDB As String = String.Empty Dim pwDB As String = String.Empty
@@ -235,10 +238,10 @@ Partial Class login_Change_PW
ConnectionString = "Server=DEVELOPER.verag.ost.dmn\DEVSQL;Database=VERAG_HOMEPAGE;Uid=AppUser;Pwd=yp/THDd?xM+pZ$;" ConnectionString = "Server=DEVELOPER.verag.ost.dmn\DEVSQL;Database=VERAG_HOMEPAGE;Uid=AppUser;Pwd=yp/THDd?xM+pZ$;"
'ConnectionString = "Server=db593295684.db.1and1.com;Database=db593295684;Uid=dbo593295684;Pwd=atilla#2;" 'ConnectionString = "Server=db593295684.db.1and1.com;Database=db593295684;Uid=dbo593295684;Pwd=atilla#2;"
End If End If
Dim isPasswhash As String = gensaltPassw(usrname, tempstr, Email, Session.IsNewSession) Dim isPasswhash As Byte() = Await gensaltPasswAsync(usrname, tempstr, salt, intzahliterats, intzahl, Email, Session.IsNewSession)
Dim isPasswDBhash As String = gensaltPassw(UsernameDB, pwDB, EmailDB, Session.IsNewSession) Dim isPasswDBhash As Byte() = Await gensaltPasswAsync(UsernameDB, pwDB, salt, intzahliterats, intzahl, EmailDB, Session.IsNewSession)
If regexval_txt_Pw.IsValid = True Then If regexval_txt_Pw.IsValid = True Then
If String.Equals(isPasswhash, isPasswDBhash) = False Then If Await VERAG_VARIABLES.Verifyhash(tempstr, salt, isPasswhash, intzahliterats, intzahl) = True Then
Using con As New SqlConnection(ConnectionString) Using con As New SqlConnection(ConnectionString)
Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [Password]=@Password WHERE [Username]=@Username AND [UserId]=@UserId") Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [Password]=@Password WHERE [Username]=@Username AND [UserId]=@UserId")
' cmd.CommandType = CommandType.StoredProcedure ' cmd.CommandType = CommandType.StoredProcedure
@@ -351,7 +354,7 @@ Partial Class login_Change_PW
End If End If
End Sub End Sub
Protected Sub btn_submitpw_M_Click(sender As Object, e As EventArgs) Protected Async Sub btn_submitpw_M_Click(sender As Object, e As EventArgs)
Dim tempstr As String = "" Dim tempstr As String = ""
Dim pwDB As String = String.Empty Dim pwDB As String = String.Empty
Dim EmailDB As String = String.Empty Dim EmailDB As String = String.Empty
@@ -406,28 +409,28 @@ Partial Class login_Change_PW
If dr.HasRows Then If dr.HasRows Then
dr.Read() dr.Read()
tempstr = txt_Pw_M.Text tempstr = txt_Pw_M.Text
EmailDB = dr("Email").ToString EmailDB = dr("Email").ToString
pwDB = dr("Password").ToString pwDB = dr("Password").ToString
usrnmDB = dr("Username").ToString usrnmDB = dr("Username").ToString
TheUsrIdDB = dr("UserId").ToString TheUsrIdDB = dr("UserId").ToString
customerIDDB = dr("KundenNr").ToString customerIDDB = dr("KundenNr").ToString
If String.Equals(usrname, usrnmDB, StringComparison.CurrentCulture) = True Then If String.Equals(usrname, usrnmDB, StringComparison.CurrentCulture) = True Then
isusernameright = True isusernameright = True
End If End If
If String.Equals(Email, EmailDB, StringComparison.CurrentCulture) = True Then If String.Equals(Email, EmailDB, StringComparison.CurrentCulture) = True Then
isemailright = True isemailright = True
End If End If
If String.Equals(txt_Pw_M.Text, pwDB, StringComparison.CurrentCulture) = False Then If String.Equals(txt_Pw_M.Text, pwDB, StringComparison.CurrentCulture) = False Then
ispwrEqual = False ispwrEqual = False
End If End If
If String.Equals(UsrID, TheUsrIdDB, StringComparison.CurrentCulture) = True Then If String.Equals(UsrID, TheUsrIdDB, StringComparison.CurrentCulture) = True Then
isUSrIDright = True isUSrIDright = True
End If End If
If String.Equals(THEUsrID, customerIDDB, StringComparison.CurrentCulture) = True Then If String.Equals(THEUsrID, customerIDDB, StringComparison.CurrentCulture) = True Then
isctmrIDright = True isctmrIDright = True
End If End If
If String.Compare(usrname, dr("Username")) = True Then If String.Compare(usrname, dr("Username")) = True Then
isusernameright = True isusernameright = True
End If End If
End If End If
@@ -454,10 +457,10 @@ Partial Class login_Change_PW
End If End If
Using con As New SqlConnection(ConnectionString) Using con As New SqlConnection(ConnectionString)
Dim isPasswhash As String = gensaltPassw(usrname, tempstr, Email, Session.IsNewSession) Dim isPasswhash As Byte() = Await gensaltPasswAsync(usrname, tempstr, salt, intzahliterats, intzahl, Email, Session.IsNewSession)
Dim isPasswDBhash As String = gensaltPassw(usrnmDB, pwDB, EmailDB, Session.IsNewSession) Dim isPasswDBhash As Byte() = Await gensaltPasswAsync(usrnmDB, pwDB, salt, intzahliterats, intzahl, EmailDB, Session.IsNewSession)
If regexval_txt_Pw.IsValid = True Then If regexval_txt_Pw.IsValid = True Then
If String.Equals(isPasswhash, isPasswDBhash, StringComparison.CurrentCulture) = False Then If Await VERAG_VARIABLES.Verifyhash(tempstr, salt, isPasswhash, intzahliterats, intzahl) = True AndAlso Await VERAG_VARIABLES.Verifyhash(pwDB, salt, isPasswDBhash, intzahliterats, intzahl) = True Then
Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET Password=@Password WHERE Username=@Username AND UserId=@UserId") Using cmd As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET Password=@Password WHERE Username=@Username AND UserId=@UserId")
' cmd.CommandType = CommandType.StoredProcedure ' cmd.CommandType = CommandType.StoredProcedure
cmd.Parameters.AddWithValue("@Username", usrname) cmd.Parameters.AddWithValue("@Username", usrname)
@@ -522,79 +525,29 @@ Partial Class login_Change_PW
End If End If
End If End If
End Sub End Sub
Function gensaltPassw(username As String, password As String, email As String, isnewSession As Boolean) As String
Dim intzahl = RandomInteger(Math.Pow(2, 8), Math.Pow(2, 12)) Async Function gensaltPasswAsync(username As String, password As String, salt As Byte(), intzahliterats As Integer, intzahl As Integer, email As String, isnewSession As Boolean) As Task(Of Byte())
If isnewSession = False Then If isnewSession = False Then
Dim token As String Dim token As Byte()
If String.IsNullOrEmpty(username) = False AndAlso String.IsNullOrEmpty(email) = False Then 'Dim tok As Byte = Convert.ToBase64String(time.Concat(Key).ToArray())
If String.IsNullOrEmpty(password) = False Then Dim tok As String = password
Try token = Await VERAG_VARIABLES.HashPassword(password, salt, intzahliterats, intzahl)
Return token
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = password
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 1491, intzahl))
salt = String.Empty
tok = String.Empty
Return token
Catch Ex As Exception
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = password
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 901, intzahl))
salt = String.Empty
tok = String.Empty
Return token
End Try
Else
Return String.Empty
End If
End If
Return String.Empty
Else
Return "Error in Session ID. It has changed. Please check admin!"
End If End If
End Function End Function
Function gennewsaltToken(username As String, password As String, email As String, CustomerID As String, isnewSession As Boolean, theUserID As String) As String Async Function gennewsaltToken(username As String, password As String, email As String, salt As Byte(), CustomerID As String, intzahlits As Integer, intzahl As Integer, isnewSession As Boolean, theUserID As String) As Task(Of String)
If isnewSession = False Then If isnewSession = False Then
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
Dim Key() As Byte = Guid.NewGuid().ToByteArray() Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String Dim token As Byte()
Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14))
Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14))
Dim Rand As Random = New Random
If String.IsNullOrEmpty(theUserID) = False Then If String.IsNullOrEmpty(theUserID) = False Then
Try
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl))
salt = String.Empty
tok = String.Empty
Return token
Catch Ex As Exception
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2)
Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2))
salt = String.Empty
tok = String.Empty
Return token
End Try Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahlits, intzahl)
Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
Else Else
Return String.Empty Return String.Empty
End If End If
@@ -603,72 +556,33 @@ Partial Class login_Change_PW
End If End If
End Function End Function
Function gensaltToken(STrings As String) As String Async Function gensaltTokenAsync(STrings As String) As Task(Of String)
If String.IsNullOrEmpty(STrings) = False Then If String.IsNullOrEmpty(STrings) = False Then
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim token As Byte()
Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String
Dim intzahl = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7)) Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim Rand As Random = New Random Dim tok As String = STrings
token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl)
Try Return Convert.ToBase64String(token)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(STrings) Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl))
salt = String.Empty
tok = String.Empty
Return token
Catch Ex As Exception
Dim intzahl2 = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7))
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2)
Dim tok As String = VERAG_PROG_ALLGEMEIN.cCryptography3.Decrypt(STrings)
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2))
salt = String.Empty
tok = String.Empty
Return token
End Try
Else Else
Dim token As String Dim token As Byte()
Dim intzahliterats = RandomInteger(Math.Pow(2, 10), Math.Pow(2, 12))
Dim intzahl = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 7))
Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim Rand As Random = New Random
Try
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = STrings Dim tok As String = STrings
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl)) token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl)
salt = String.Empty
tok = String.Empty
Return token
Catch Ex As Exception
Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14))
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2)
Dim tok As String = STrings
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2))
salt = String.Empty
tok = String.Empty
Return token
End Try Return Convert.ToBase64String(token)
Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
End If End If
End Function End Function
Public Function RandomInteger(ByVal min As Integer, ByVal _ Shared Function RandomInteger(ByVal min As Integer, ByVal _
max As Integer) As Integer max As Integer) As Integer
Dim rand As New RNGCryptoServiceProvider() Dim rand As New RNGCryptoServiceProvider()
Dim one_byte() As Byte = {0} Dim one_byte() As Byte = {0}
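Review bot: The new guard in `btn_submitpw_Click`, `If Await VERAG_VARIABLES.Verifyhash(tempstr, salt, isPasswhash, intzahliterats, intzahl) = True Then` (and both `Verifyhash` calls in `btn_submitpw_M_Click`), is a tautology: `isPasswhash` was just computed from `tempstr` with the same `salt`, `intzahliterats` and `intzahl`, so `Verifyhash` recomputes the identical hash and always returns True, and the UPDATE branch no longer depends on the stored password at all. A real check has to load the stored hash together with the salt and parameters it was created with and verify the entered password against those; `salt`, `intzahl` and `intzahliterats` are re-drawn in the field initializers on every request, so nothing produced here can be verified on a later request unless it is persisted alongside the hash. `gensaltPasswAsync` now returns `Nothing` when `isnewSession` is True because the `Else` branch was removed, and `Verifyhash` then throws on `hash.SequenceEqual`; either restore an explicit return or check the result before calling `Verifyhash`. In `gensaltTokenAsync` the `Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))` that follows `Return Convert.ToBase64String(token)` in both branches is unreachable, so one of the two returns has to go, and which format callers expect should be stated in a comment. The context line `ConnectionString = "Server=...;Uid=AppUser;Pwd=...;"` also keeps a database credential in source; moving it to configuration is worth a follow-up.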


@@ -605,8 +605,8 @@ Partial Class ForgotPW
Async Function Findtokenhashsalt(username As String, password As String, email As String, customerID As String, isusernameright As Boolean, isuserIDright As Boolean, isuserEmailright As Boolean, isnewsess As Boolean, UserID As String) As Task(Of String) Async Function Findtokenhashsalt(username As String, password As String, email As String, customerID As String, isusernameright As Boolean, isuserIDright As Boolean, isuserEmailright As Boolean, isnewsess As Boolean, UserID As String) As Task(Of String)
Dim t As Task(Of String) Dim t As Task(Of String)
t = Task.Run(Function() As String t = Task.Run(Async Function() As Task(Of String)
Return gensaltToken(username, password, email, customerID, isusernameright, isuserIDright, isuserEmailright, isnewsess, UserID) Return Await gensaltToken(username, password, email, customerID, isusernameright, isuserIDright, isuserEmailright, isnewsess, UserID)
End Function) End Function)
Return Await t Return Await t
End Function End Function
@@ -755,39 +755,24 @@ Partial Class ForgotPW
Return min + (max - min) * (one_byte(0) / 255) Return min + (max - min) * (one_byte(0) / 255)
End Function End Function
Function gensaltToken(username As String, password As String, email As String, CustomerID As String, isusrnmright As Boolean, iscstmIDright As Boolean, isemailright As Boolean, isnewSession As Boolean, theUserID As String) As String Async Function gensaltToken(username As String, password As String, email As String, CustomerID As String, isusrnmright As Boolean, iscstmIDright As Boolean, isemailright As Boolean, isnewSession As Boolean, theUserID As String) As Task(Of String)
If isnewSession = False Then If isnewSession = False Then
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
Dim Key() As Byte = Guid.NewGuid().ToByteArray() Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String Dim token As Byte()
Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) Dim intzahl = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14))
Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 14)) Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
Dim intzahliterats = RandomInteger(Math.Pow(2, 5), Math.Pow(2, 10))
Dim Rand As Random = New Random Dim Rand As Random = New Random
If isusrnmright = True And iscstmIDright = True And isemailright = True AndAlso String.IsNullOrEmpty(theUserID) = False Then If isusrnmright = True And iscstmIDright = True And isemailright = True AndAlso String.IsNullOrEmpty(theUserID) = False Then
Try
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl)
Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl))
salt = String.Empty
tok = String.Empty
Return token
Catch Ex As Exception
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(intzahl2)
Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(tok, salt, 10191, intzahl2))
salt = String.Empty
tok = String.Empty
Return token
End Try Dim salt As Byte() = VERAG_VARIABLES.GenerateSalt(intzahl)
'Dim tok As Byte = Convert.ToBase64String(time.Concat(Key).ToArray())
Dim tok As String = Convert.ToBase64String(time.Concat(Key).ToArray())
token = Await VERAG_VARIABLES.HashPassword(tok, salt, intzahliterats, intzahl)
Return Convert.ToBase64String(token)
Else Else
Return String.Empty Return String.Empty
End If End If
@@ -835,7 +820,6 @@ Partial Class ForgotPW
End If End If
End Function End Function
Function RandomString(r As Random, max As Integer) As String Function RandomString(r As Random, max As Integer) As String
Dim s As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!§$%&/?=" Dim s As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!§$%&/?="
Dim sb As New StringBuilder Dim sb As New StringBuilder
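Review bot: `intzahl2` and `Rand` in `gensaltToken` are now declared but never used once the Try/Catch fallback was removed; drop `Dim intzahl2 = RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))` and `Dim Rand As Random = New Random`. The function now returns `Convert.ToBase64String(token)` where it previously returned the `VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(...)` wrapping of the hash, so whatever consumes the token (outside this hunk) must have been changed to match; a one-line comment stating the token format would help the next reader. The salt from `GenerateSalt(intzahl)` is discarded after hashing, so the token cannot be recomputed later; if it is only meant to be an unguessable one-time value that is fine, but a comment saying so would make the intent clear. `RandomInteger` on the context line derives its result from a single byte and so yields at most 256 distinct values, which is worth knowing when reading the ranges passed to it.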


@@ -1,4 +1,4 @@
<%@ Page Language="VB" Debug="true" AutoEventWireup="false" CodeFile="login_FLEX.aspx.vb" Inherits="login_FLEX" EnableSessionState="True" %> <%@ Page Language="VB" Debug="true" AutoEventWireup="false" CodeFile="login_FLEX.aspx.vb" Inherits="login_FLEX" EnableSessionState="True" Async="true" %>
<!DOCTYPE html> <!DOCTYPE html>


@@ -1,14 +1,15 @@
Imports System.Data.SqlClient Imports System.Data.SqlClient
Imports System.Data Imports System.Data
Imports System.Security.Cryptography Imports System.Security.Cryptography
Partial Class login_FLEX Partial Class login_FLEX
Inherits System.Web.UI.Page Inherits System.Web.UI.Page
Private Customer_ID As String = String.Empty
Dim Customer_ID As String = String.Empty Private UserNaMe As String = String.Empty
Dim UserNaMe As String = String.Empty Private passw As String = String.Empty
Dim passw As String = String.Empty Private USERID As String = String.Empty
Dim USERID As String = String.Empty Private salt As Byte()
Private intzahl As Integer
Private intzahliterats As Integer
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
VERAG_VARIABLES.initerrorcount() VERAG_VARIABLES.initerrorcount()
If Page.IsPostBack = True Then If Page.IsPostBack = True Then
@@ -16,8 +17,11 @@ Partial Class login_FLEX
Else Else
Page.MaintainScrollPositionOnPostBack = False Page.MaintainScrollPositionOnPostBack = False
End If End If
intzahl = VERAG_VARIABLES.RandomInteger(Math.Pow(2, 7), Math.Pow(2, 10))
intzahliterats = VERAG_VARIABLES.getiterationnumber
salt = VERAG_VARIABLES.GenerateSalt(intzahl)
End Sub End Sub
Protected Sub ValidateUser(sender As Object, e As EventArgs) Protected Async Sub ValidateUser(sender As Object, e As EventArgs)
' cDBFunctions.GetNewOpenConnection() ' cDBFunctions.GetNewOpenConnection()
Dim ConnectionString = "" Dim ConnectionString = ""
@@ -183,16 +187,6 @@ Partial Class login_FLEX
dr.Close() dr.Close()
con.Close() con.Close()
End Using End Using
Using cmd2 As New SqlCommand("UPDATE [VERAG_HOMEPAGE].[dbo].[Users] SET [LastLoginDate]=@Date WHERE [Username]=@Username AND [KundenNr]=@KundenNr AND Password=@Password")
cmd2.Parameters.AddWithValue("Date", Date.Now.ToString)
cmd2.Parameters.AddWithValue("Username", UserNaMe)
cmd2.Parameters.AddWithValue("KundenNr", Customer_ID)
cmd2.Parameters.AddWithValue("Password", passw)
cmd2.Connection = con
con.Open()
cmd2.ExecuteNonQuery()
con.Close()
End Using
End Using End Using
If String.IsNullOrEmpty(tb2_M.Text) = False AndAlso String.IsNullOrEmpty(tb2.Text) = True Then If String.IsNullOrEmpty(tb2_M.Text) = False AndAlso String.IsNullOrEmpty(tb2.Text) = True Then
@@ -204,7 +198,10 @@ Partial Class login_FLEX
'Dim str = gensaltToken(UserNaMe, passw, Customer_ID, Session.IsNewSession) 'Dim str = gensaltToken(UserNaMe, passw, Customer_ID, Session.IsNewSession)
'MsgBox(str) 'MsgBox(str)
'End If 'End If
FormsAuthentication.RedirectFromLoginPage(UserNaMe, True) Dim hashpw As Byte() = Await VERAG_VARIABLES.HashPassword(passw, salt, intzahliterats, intzahl)
If Await VERAG_VARIABLES.Verifyhash(passw, salt, hashpw, intzahliterats, intzahl) = True Then
FormsAuthentication.RedirectFromLoginPage(UserNaMe, True)
End If
End Sub End Sub
@@ -220,58 +217,38 @@ Partial Class login_FLEX
Session.Add("CustomerID", Customer_ID) Session.Add("CustomerID", Customer_ID)
Session.Add("PW", passw) Session.Add("PW", passw)
End Sub End Sub
Function gensaltToken(username As String, password As String, CustomerID As String, isnewSession As Boolean) As String Async Function gensaltToken(username As String, password As String, CustomerID As String, salt As Byte(), intzahliterats As Integer, intzahl As Integer, isnewSession As Boolean) As Threading.Tasks.Task(Of String)
If isnewSession = False Then If isnewSession = False Then
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()) Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
Dim Key() As Byte = Guid.NewGuid().ToByteArray() Dim Key() As Byte = Guid.NewGuid().ToByteArray()
Dim token As String Dim token As Byte()
Dim MyMin As Integer = 155, MyMax As Integer = 875, My1stRandomNumber As Integer, My2ndRandomNumber As Integer
' Create a random number generator
Dim Generator As System.Random = New System.Random()
' Get a random number >= MyMin and <= MyMax
My1stRandomNumber = Generator.Next(MyMin, MyMax + 1) ' Note: Next function returns numbers _less than_ max, so pass in max + 1 to include max as a possible value
' Get another random number (don't create a new generator, use the same one) token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
My2ndRandomNumber = Generator.Next(MyMin, MyMax + 1) Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
If String.IsNullOrEmpty(username) = False And String.IsNullOrEmpty(passw) = False And String.IsNullOrEmpty(CustomerID) = False Then
Try
Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber)
Dim passw As String = password
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My1stRandomNumber))
Session.Add("Tokensalt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(token))
Session.Add("salt", VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(salt))
Return token
Catch Ex As Exception
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
Dim salt As String = VERAG_VARIABLES.GenerateSalt(My1stRandomNumber)
Dim passw As String = password
token = VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(VERAG_VARIABLES.HashPassword(passw, salt, 101, My2ndRandomNumber))
'Dim Msg, Style, Title As String
'Msg = "Token Generation failed" & vbCrLf & "A new E-mail has been sent to the intern e-mail given."
'Style = vbRetry + vbExclamation + vbDefaultButton1
'Title = "Error05: Token-Generierung"
'MsgBox(Msg, Style, Title)
'If MsgBox(Msg, Style, Title).Retry Then
'genToken(username, password, email)
token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
'Else 'Else
'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!") 'MsgBox("Token-Generation has not been successful." & vbCrLf & "Please try again in five seconds!")
Dim jetzt As DateTime = DateTime.UtcNow Dim jetzt As DateTime = DateTime.UtcNow
Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5) Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5)
If jetzt < wenn Then
Return "NotYet"
Else
token = Await VERAG_VARIABLES.HashPassword(Convert.ToBase64String(time.Concat(Key).ToArray()), salt, intzahliterats, intzahl)
Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))
'End If
End If
If jetzt < wenn Then
Return "NotYet"
Else
token = gensaltToken(username, password, CustomerID, Session.IsNewSession)
Return token
'End If
End If
End Try
Else
Return String.Empty
End If
Else
Return "Error in Session ID. It has changed. Please check admin!"
End If End If
End Function End Function
End Class End Class
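Review bot: The new gate in `ValidateUser`, `Dim hashpw As Byte() = Await VERAG_VARIABLES.HashPassword(passw, salt, intzahliterats, intzahl)` followed by `If Await VERAG_VARIABLES.Verifyhash(passw, salt, hashpw, intzahliterats, intzahl) = True Then`, always evaluates True because it verifies a hash it just computed from the same input, so `FormsAuthentication.RedirectFromLoginPage` is reached exactly as before and no password check has been added; verification has to run against the hash, salt and parameters stored for that user. `Page_Load` re-draws `intzahl`, `intzahliterats` and `salt` on every request, including postbacks, so none of them can be used to verify anything created on an earlier request. In `gensaltToken`, everything after the first `Return VERAG_PROG_ALLGEMEIN.cCryptography3.Encrypt(Convert.ToBase64String(token))` — the second `HashPassword` call, the `jetzt`/`wenn` comparison and its `Return "NotYet"` — is unreachable and should be removed, and the `isnewSession = True` path now falls off the end returning `Nothing` where it used to return an error string. `Session.Add("PW", passw)` on the context line keeps the plaintext password in session state; this predates the commit but should go once a stored-hash check exists.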


@@ -10,6 +10,8 @@
<package id="K4os.Compression.LZ4" version="1.2.6" targetFramework="net47" /> <package id="K4os.Compression.LZ4" version="1.2.6" targetFramework="net47" />
<package id="K4os.Compression.LZ4.Streams" version="1.2.6" targetFramework="net47" /> <package id="K4os.Compression.LZ4.Streams" version="1.2.6" targetFramework="net47" />
<package id="K4os.Hash.xxHash" version="1.0.6" targetFramework="net47" /> <package id="K4os.Hash.xxHash" version="1.0.6" targetFramework="net47" />
<package id="Konscious.Security.Cryptography.Argon2" version="1.2.1" targetFramework="net47" />
<package id="Konscious.Security.Cryptography.Blake2" version="1.0.9" targetFramework="net47" />
<package id="Microsoft.CodeAnalysis.Analyzers" version="3.0.0" targetFramework="net47" developmentDependency="true" /> <package id="Microsoft.CodeAnalysis.Analyzers" version="3.0.0" targetFramework="net47" developmentDependency="true" />
<package id="Microsoft.CodeAnalysis.Common" version="3.9.0" targetFramework="net47" /> <package id="Microsoft.CodeAnalysis.Common" version="3.9.0" targetFramework="net47" />
<package id="Microsoft.CodeAnalysis.CSharp" version="3.9.0" targetFramework="net47" /> <package id="Microsoft.CodeAnalysis.CSharp" version="3.9.0" targetFramework="net47" />