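/// <summary>
/// Validates a plaintext password against a user's stored hash.
/// The stored hash is recomputed as: SHA-256 over (password + salt), then the digest is
/// fed through HMAC-SHA256 keyed with <c>SharedHMACPassword</c> <c>iteration</c> times
/// (key stretching), and the result is compared with the Base64 hash from the database.
/// This sequence must stay identical to the hash-creation routine, otherwise no stored
/// hash will ever match.
/// </summary>
/// <param name="password">The plaintext password entered by the user. A <c>null</c> value is treated as an empty string.</param>
/// <param name="userKeys">The per-user salt and Base64-encoded stored hash to compare against.</param>
/// <returns><c>true</c> if the recomputed hash equals the stored hash; otherwise <c>false</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="userKeys"/> is <c>null</c>.</exception>
public static bool ValidateUserHash(string password, UserKeyPair userKeys)
{
    if (userKeys == null)
    {
        throw new ArgumentNullException(nameof(userKeys));
    }

    // A missing or malformed stored hash can never match. Decode it up front so the
    // comparison below runs on raw bytes instead of Base64 text.
    if (userKeys.HashedPassword == null)
    {
        return false;
    }
    byte[] storedHash;
    try
    {
        storedHash = Convert.FromBase64String(userKeys.HashedPassword);
    }
    catch (FormatException)
    {
        return false;
    }

    // NOTE(review): this is a home-grown stretching scheme (SHA-256 + iterated HMAC). It is
    // kept unchanged because it must mirror the hash-creation routine; moving to a standard
    // password KDF (PBKDF2 / Argon2) would require changing both sides together.
    byte[] digest;
    using (SHA256 sha256 = SHA256.Create())
    using (HMACSHA256 hmac = new HMACSHA256(SharedHMACPassword))
    {
        // The database salt is appended to the password before the first SHA-256 round.
        digest = sha256.ComputeHash(Encoding.UTF8.GetBytes(password + userKeys.Salt));

        // Each round re-hashes the previous digest through the keyed HMAC, so the cost
        // of the check grows linearly with 'iteration'.
        for (int i = 0; i < iteration; i++)
        {
            digest = hmac.ComputeHash(digest);
        }
    }

    // Constant-time comparison: an early-exit string compare would let response timing
    // reveal how many leading bytes of the candidate hash were correct.
    return ConstantTimeEquals(digest, storedHash);
}

/// <summary>
/// Compares two byte arrays without short-circuiting on the first mismatching byte.
/// (On .NET Core 2.1+ <c>CryptographicOperations.FixedTimeEquals</c> can be used instead.)
/// </summary>
/// <param name="left">First array.</param>
/// <param name="right">Second array.</param>
/// <returns><c>true</c> if both arrays have the same length and contents.</returns>
private static bool ConstantTimeEquals(byte[] left, byte[] right)
{
    if (left.Length != right.Length)
    {
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        // OR-accumulate the XOR of every byte pair; stays zero only if all pairs match.
        difference |= left[i] ^ right[i];
    }
    return difference == 0;
}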
/// <summary>
/// Password validation.
/// Looks the user up by username (falling back to e-mail), runs the account-state and
/// password checks, and on success resets the retry counter, stamps the login date and
/// copies the user's details into <c>GlobalManager.Instance</c> for use across the application.
/// </summary>
/// <param name="username">The username.</param>
/// <param name="password">The password.</param>
/// <returns>
/// A <c>UserResponse</c> whose <c>Code</c> is <c>ResponseCode.Successful</c> on success,
/// <c>ResponseCode.Incorrect_password_or_username</c> when the lookup or password check fails,
/// or <c>ResponseCode.Exception</c> when an exception was caught.
/// </returns>
/// <Author> Daniel Molina </Author>
/// <LastModification> 25/11/2017 - 15:41 </LastModification>
/// <LastModificationBy> Daniel Molina </LastModificationBy>
public static UserResponse PasswordValidation(string username, string password)
{
    try
    {
        //Verify the password
        //Get user data by the username
        User user = UserController.GetByUsername(username);
        //Get user by username or email
        if (user == null)
        {
            user = UserController.GetByEmail(username);
            if (user == null)
            {
                // NOTE(review): the source available for review is redacted ("******") from this
                // log call up to the "Incorrect password" log call. The deleted / inactive /
                // retry-count / password checks that sit in between are not visible here, and the
                // brace structure of that span cannot be reconstructed from what remains.
                Logger.Logger.Info(profileName, "Method Response: User not found. Username:"******"Method Response: User is Deleted. Username:"******"Method Response: User is not Active. Username:"******"Method Response: User is Disactive. Userlogin:"******"Method Response: Incorrect password." + username);
                return(new UserResponse { Code = (int)ResponseCode.Incorrect_password_or_username, Message = ResponseCode.Incorrect_password_or_username.ToString() });
            }
        //Correct password, reset the User password retries
        // A fresh User is built field by field so that only PasswordRetries, LastLoginDate
        // and Culture differ from the loaded record.
        User updateUserInfoAfterLogin = new User();
        updateUserInfoAfterLogin.UserID = user.UserID;
        updateUserInfoAfterLogin.Username = user.Username;
        updateUserInfoAfterLogin.Password = user.Password;
        updateUserInfoAfterLogin.Name = user.Name;
        updateUserInfoAfterLogin.Lastname = user.Lastname;
        updateUserInfoAfterLogin.Email = user.Email;
        updateUserInfoAfterLogin.Salt = user.Salt;
        updateUserInfoAfterLogin.PasswordRetries = 0;
        updateUserInfoAfterLogin.MaxRetries = user.MaxRetries;
        updateUserInfoAfterLogin.IsActive = user.IsActive;
        updateUserInfoAfterLogin.IsDeleted = user.IsDeleted;
        // NOTE(review): local time is stored here and below; if login dates are compared or
        // reported across time zones, DateTime.UtcNow would be the safer choice — confirm.
        updateUserInfoAfterLogin.LastLoginDate = DateTime.Now;
        updateUserInfoAfterLogin.Culture = GlobalManager.Instance.Culture;
        UserController.Update(updateUserInfoAfterLogin);
        // NOTE(review): newRegisterDto is populated but not used anywhere in the visible code.
        List <UserDto> newRegisterDto = new List <UserDto>();
        newRegisterDto.Add(new UserDto(updateUserInfoAfterLogin));
        //Store global information that is going to be used along the application.
        GlobalManager.Instance.Name = updateUserInfoAfterLogin.Name;
        GlobalManager.Instance.Lastname = updateUserInfoAfterLogin.Lastname;
        GlobalManager.Instance.LoginDate = DateTime.Now;
        GlobalManager.Instance.UserId = updateUserInfoAfterLogin.UserID;
        GlobalManager.Instance.Username = updateUserInfoAfterLogin.Username;
        // NOTE(review): this keeps the user's stored credential value (plaintext or hash — not
        // determinable from this file) in process-wide state for the whole session; verify a
        // consumer actually needs it before keeping it here.
        GlobalManager.Instance.Password = updateUserInfoAfterLogin.Password;
        GlobalManager.Instance.Email = updateUserInfoAfterLogin.Email;
        GlobalManager.Instance.Culture = updateUserInfoAfterLogin.Culture;
        return(new UserResponse { Code = (int)ResponseCode.Successful, Message = ResponseCode.Successful.ToString() });
    }
    catch (Exception ex)
    {
        // NOTE(review): the log context "PasswordRetriesListByUtilityID" and the text
        // "Endpoint not found exception" appear to be copied from another method and do not
        // describe this one; the raw ex.Message is also echoed back to the caller in the response.
        Logger.Logger.ErrorL("PasswordRetriesListByUtilityID", "Endpoint not found exception", ex);
        return(new UserResponse { Code = (int)ResponseCode.Exception, Message = ResponseCode.Exception.ToString() + ": " + ex.Message });
    }
}