zanyar halabjay

zanyar halabjay

  • 1.9k
  • 3
  • 100

pbkdf2 problem when compare password with the hash on mysql

Nov 14 2019 11:40 AM
i have a problem when i want to compare my password with that password that hashed in mysql database and always say incorrect while i login it is my code for hashing and comparing:
 
 
  1. class Hashing    
  2.  {    
  3.      const int salt_size = 32;    
  4.      const int hash_size = 32;    
  5.      const int iteration = 167319;    
  6.     
  7.      public static string Generate(string password)    
  8.      {    
  9.    
  10.          var salt = new byte[salt_size];    
  11.          using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) {    
  12.              rng.GetBytes(salt);    
  13.          }    
  14.     
  15.   
  16.          using (Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt, iteration))    
  17.          {    
  18.              byte[] hash = pbkdf2.GetBytes(salt_size);    
  19.     
  20.              
  21.              return Convert.ToBase64String(salt) + "|" + iteration + "|" + Convert.ToBase64String(hash);    
  22.          }    
  23.             
  24.     
  25.      }    
  26.     
  27.      public static bool isCorrect(string pass,string hash)    
  28.      {    
  29.              
  30.       
  31.          string[] hashsplit = hash.Split('|');    
  32.          byte[] salt = Convert.FromBase64String(hashsplit[0]);    
  33.          int iteration = Int32.Parse(hashsplit[1]);    
  34.          string hashed = hashsplit[2];    
  35.     
  36.       
  37.          using (Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(pass,salt,iteration))    
  38.          {    
  39.              byte[] Hash = pbkdf2.GetBytes(salt_size);    
  40.     
  41.            
  42.              if (hashed == Convert.ToBase64String(Hash))    
  43.              {    
  44.                  return true;    
  45.              }    
  46.              else    
  47.              {    
  48.    
  49.                  return false;    
  50.              }    
  51.          }    
  52.     
  53.      }    
  54.  }    
 
and this code is for checking username and password from mysql:
 
  1. class Lg : Msql_connection  
  2.  {  
  3.     
  4.      private string username { setget; }  
  5.      private string pass { setget; }  
  6.   
  7.      public bool validate_Login(string username, string pass)  
  8.      {  
  9.          bool check = false;  
  10.          MySqlDataReader mdr;  
  11.          MySqlDataReader mdr2;  
  12.          MySqlDataReader mdr3;  
  13.          string passw = "";  
  14.          using (MySqlCommand mcmd3 = new MySqlCommand())  
  15.          {  
  16.              mcmd3.CommandText = "select password from login";  
  17.              mcmd3.Connection = msc;  
  18.              msc.Close();  
  19.              msc.Open();  
  20.              mdr3 = mcmd3.ExecuteReader();  
  21.              if (mdr3.Read())  
  22.              {  
  23.                  passw = mdr3["password"].ToString();  
  24.              }  
  25.              msc.Close();  
  26.          }  
  27.   
  28.              using (MySqlCommand mcmd2 = new MySqlCommand())  
  29.          {  
  30.              mcmd2.CommandText = "select hid,attempt,time from login_attempt";  
  31.              mcmd2.Connection = msc;  
  32.   
  33.              msc.Close();  
  34.              msc.Open();  
  35.              mdr2 = mcmd2.ExecuteReader();  
  36.   
  37.              if (mdr2.Read()&&int.Parse(mdr2["attempt"].ToString()) < 4)  
  38.              {  
  39.                  using (MySqlCommand mcmd = new MySqlCommand())  
  40.                  {  
  41.                      mcmd.CommandText = "select username,password from login where binary username=@user and password=@pass";  
  42.                      mcmd.Connection = msc;  
  43.                      msc.Close();  
  44.                      msc.Open();  
  45.                      mcmd.Parameters.Add("@user", MySqlDbType.VarChar).Value = this.username=username;  
  46.                      mcmd.Parameters.Add("@pass", MySqlDbType.Text).Value = this.pass = Hashing.isCorrect(pass, passw).ToString();  
  47.                      mdr = mcmd.ExecuteReader();  
  48.   
  49.                      if (mdr.HasRows)  
  50.                      {  
  51.   
  52.                          if (mdr.Read())  
  53.                          {  
  54.                              reset_Attempt();  
  55.                              MessageBox.Show("correct");  
  56.                              check = true;  
  57.                          }  
  58.                      }  
  59.                      else  
  60.                      {  
  61.                          check = false;  
  62.                          update_Attempt();  
  63.   
  64.                          MessageBox.Show("incorrect");  
  65.                      }  
  66.                  }  
  67.   
  68.              }  
  69.              else if (int.Parse(mdr2["attempt"].ToString()) >= 4)  
  70.              {  
  71.                  check = false;  
  72.                  MessageBox.Show("You have been restrict");  
  73.                  set_time();  
  74.   
  75.              }  
  76.                
  77.          }  
  78.          
  79.          msc.Close();  
  80.   
  81.          return check;  
  82.      }  
  83. }