This repository has been archived by the owner on Dec 20, 2018. It is now read-only.

Support Windows and Windows Phone apps #70

Closed
bricelam opened this issue May 12, 2014 · 6 comments

Comments

@bricelam
Contributor

Many components in this project are not tied to ASP.NET/OWIN, and I would love to be able to use them for local authentication in my Windows and Windows Phone apps.

@bricelam
Contributor Author

FYI, I was able to re-implement the password hasher using the Windows.Security.Cryptography namespace.

```csharp
using System;
using System.Runtime.InteropServices.WindowsRuntime; // IBuffer.ToArray(), byte[].AsBuffer()
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;

// SaltSize, Pbkdf2IterCount and Pbkdf2SubkeyLength are constants of the
// containing class; their values are not shown in this post.

// Output layout: base64( 0x00 format marker || salt || PBKDF2-HMAC-SHA1 subkey )
public static string HashPassword(string password)
{
    var salt = CryptographicBuffer.GenerateRandom(SaltSize);
    var passwordBytes = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
    var deriver = KeyDerivationAlgorithmProvider.OpenAlgorithm(KeyDerivationAlgorithmNames.Pbkdf2Sha1);
    var passwordKey = deriver.CreateKey(passwordBytes);
    var parameters = KeyDerivationParameters.BuildForPbkdf2(salt, Pbkdf2IterCount);
    var subkey = CryptographicEngine.DeriveKeyMaterial(passwordKey, parameters, Pbkdf2SubkeyLength);

    // outputBytes[0] stays 0x00 and serves as the format marker.
    var outputBytes = new byte[1 + SaltSize + Pbkdf2SubkeyLength];
    Buffer.BlockCopy(salt.ToArray(), 0, outputBytes, 1, SaltSize);
    Buffer.BlockCopy(subkey.ToArray(), 0, outputBytes, 1 + SaltSize, Pbkdf2SubkeyLength);

    return Convert.ToBase64String(outputBytes);
}

public static bool VerifyHashedPassword(string hashedPassword, string password)
{
    var hashedPasswordBytes = Convert.FromBase64String(hashedPassword);

    // Reject anything that is not exactly marker + salt + subkey with a 0x00 marker.
    if (hashedPasswordBytes.Length != 1 + SaltSize + Pbkdf2SubkeyLength || hashedPasswordBytes[0] != 0)
        return false;

    // Split the stored blob, then re-derive the subkey with the stored salt.
    var salt = new byte[SaltSize];
    Buffer.BlockCopy(hashedPasswordBytes, 1, salt, 0, SaltSize);
    var storedSubkey = new byte[Pbkdf2SubkeyLength];
    Buffer.BlockCopy(hashedPasswordBytes, 1 + SaltSize, storedSubkey, 0, Pbkdf2SubkeyLength);
    var passwordBytes = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
    var deriver = KeyDerivationAlgorithmProvider.OpenAlgorithm(KeyDerivationAlgorithmNames.Pbkdf2Sha1);
    var passwordKey = deriver.CreateKey(passwordBytes);
    var parameters = KeyDerivationParameters.BuildForPbkdf2(salt.AsBuffer(), Pbkdf2IterCount);
    var generatedSubkey = CryptographicEngine.DeriveKeyMaterial(passwordKey, parameters, Pbkdf2SubkeyLength);

    return CryptographicBuffer.Compare(storedSubkey.AsBuffer(), generatedSubkey);
}
```
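An independent cross-check of the stored layout used in the comment above, written in Python as an added example; it is not part of the original post or the project's code. The constant values are assumptions (the post does not show them), and the function names are chosen here for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed values for illustration; the post does not show its constants.
SALT_SIZE = 16        # bytes
SUBKEY_LENGTH = 32    # bytes
ITER_COUNT = 1000     # PBKDF2 iterations


def _derive(password, salt):
    # PBKDF2 with HMAC-SHA1 over the UTF-8 password, as in the post.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, ITER_COUNT, SUBKEY_LENGTH)


def hash_password(password, salt=None):
    """Return base64(0x00 || salt || subkey)."""
    salt = os.urandom(SALT_SIZE) if salt is None else salt
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be SALT_SIZE bytes")
    return base64.b64encode(b"\x00" + salt + _derive(password, salt)).decode("ascii")


def verify_hashed_password(hashed_password, password):
    """Parse the stored blob and compare subkeys in constant time."""
    if not isinstance(hashed_password, str) or not isinstance(password, str):
        return False
    try:
        # validate=True rejects characters outside the base64 alphabet.
        blob = base64.b64decode(hashed_password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Same structural check as the post: exact length and 0x00 marker.
    if len(blob) != 1 + SALT_SIZE + SUBKEY_LENGTH or blob[0] != 0:
        return False
    salt = blob[1:1 + SALT_SIZE]
    stored_subkey = blob[1 + SALT_SIZE:]
    return hmac.compare_digest(stored_subkey, _derive(password, salt))
```

Unlike the C# version, malformed base64 returns `False` here instead of raising, so a corrupted stored value is treated as a failed login rather than an unhandled error.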

@davidfowl
Member

Which components in particular? Do we need another repository split out from this one?

@bricelam
Contributor Author

@davidfowl I talked to @divega and @rustd about the scenarios I'm hoping for. I think the plan is to have some building-block components that are portable (like UserManager) that the OWIN-specific parts would build on top of (and tie together into nicer APIs).

@rustd
rustd commented May 13, 2014

AccountLockout and TwoFactorAuth checks are defined in SignInManager, which pulls in OWIN as well. Users should be able to do AccountLockOut in Desktop/Store and Phone apps, so we should split this.

@divega
divega commented May 13, 2014

As we talked about yesterday afternoon with @HaoK, we need to move the definition of the abstraction of the SignInManager to Core, then we make the "web security" implementation of it rely on OWIN. This should not only give us what Brice wanted but also nice DI registration extension methods.

@HaoK
Member

HaoK commented Jun 12, 2014

Tracking with #120

@HaoK HaoK closed this as completed Jun 12, 2014