Question Change Password with Encryption Password

tashiduks

Hi,

I have a problem with changing the password in a Microsoft Access database. I get the error "No data exists for the row/column". The password in the database is encrypted, and when I change the password it should decrypt the password, and the new password should be updated with encryption again.

I have the following encryption and decryption functions:
VB.NET:
Imports System.Collections.Generic
Imports System.Linq
Imports System.Web
Imports System.Text
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Public Class EncryptionDecryption
    Public Shared Function ComputeHash(ByVal plainText As String, ByVal hashAlgorithm As String, ByVal saltBytes As Byte()) As String
        ' If salt is not specified, generate it.
        If saltBytes Is Nothing Then
            ' Define min and max salt sizes.
            Dim minSaltSize As Integer = 4
            Dim maxSaltSize As Integer = 8

            ' Generate a random number for the size of the salt.
            Dim random As New Random()
            Dim saltSize As Integer = random.[Next](minSaltSize, maxSaltSize)

            ' Allocate a byte array, which will hold the salt.
            saltBytes = New Byte(saltSize - 1) {}

            ' Initialize a random number generator.
            Dim rng As New RNGCryptoServiceProvider()

            ' Fill the salt with cryptographically strong byte values.
            rng.GetNonZeroBytes(saltBytes)
        End If

        ' Convert plain text into a byte array.
        Dim plainTextBytes As Byte() = Encoding.UTF8.GetBytes(plainText)

        ' Allocate array, which will hold plain text and salt.
        Dim plainTextWithSaltBytes As Byte() = New Byte(plainTextBytes.Length + (saltBytes.Length - 1)) {}

        ' Copy plain text bytes into resulting array.
        For i As Integer = 0 To plainTextBytes.Length - 1
            plainTextWithSaltBytes(i) = plainTextBytes(i)
        Next

        ' Append salt bytes to the resulting array.
        For i As Integer = 0 To saltBytes.Length - 1
            plainTextWithSaltBytes(plainTextBytes.Length + i) = saltBytes(i)
        Next

        Dim hash As HashAlgorithm

        ' Make sure hashing algorithm name is specified.
        If hashAlgorithm Is Nothing Then
            hashAlgorithm = ""
        End If

        ' Initialize appropriate hashing algorithm class.
        Select Case hashAlgorithm.ToUpper()

            Case "SHA384"
                hash = New SHA384Managed()
                Exit Select

            Case "SHA512"
                hash = New SHA512Managed()
                Exit Select
            Case Else

                hash = New MD5CryptoServiceProvider()
                Exit Select
        End Select

        ' Compute hash value of our plain text with appended salt.
        Dim hashBytes As Byte() = hash.ComputeHash(plainTextWithSaltBytes)

        ' Create array which will hold hash and original salt bytes.
        Dim hashWithSaltBytes As Byte() = New Byte(hashBytes.Length + (saltBytes.Length - 1)) {}

        ' Copy hash bytes into resulting array.
        For i As Integer = 0 To hashBytes.Length - 1
            hashWithSaltBytes(i) = hashBytes(i)
        Next

        ' Append salt bytes to the result.
        For i As Integer = 0 To saltBytes.Length - 1
            hashWithSaltBytes(hashBytes.Length + i) = saltBytes(i)
        Next

        ' Convert result into a base64-encoded string.
        Dim hashValue As String = Convert.ToBase64String(hashWithSaltBytes)

        ' Return the result.
        Return hashValue
    End Function

    Public Function VerifyHash(ByVal plainText As String, ByVal hashAlgorithm As String, ByVal hashValue As String) As Boolean

        ' Convert base64-encoded hash value into a byte array.
        Dim hashWithSaltBytes As Byte() = Convert.FromBase64String(hashValue)

        ' We must know size of hash (without salt).
        Dim hashSizeInBits As Integer, hashSizeInBytes As Integer

        ' Make sure that hashing algorithm name is specified.
        If hashAlgorithm Is Nothing Then
            hashAlgorithm = ""
        End If

        ' Size of hash is based on the specified algorithm.
        Select Case hashAlgorithm.ToUpper()

            Case "SHA384"
                hashSizeInBits = 384
                Exit Select

            Case "SHA512"
                hashSizeInBits = 512
                Exit Select
            Case Else

                ' Must be MD5
                hashSizeInBits = 128
                Exit Select
        End Select

        ' Convert size of hash from bits to bytes.
        hashSizeInBytes = hashSizeInBits \ 8

        ' Make sure that the specified hash value is long enough.
        If hashWithSaltBytes.Length < hashSizeInBytes Then
            Return False
        End If

        ' Allocate array to hold original salt bytes retrieved from hash.
        Dim saltBytes As Byte() = New Byte(hashWithSaltBytes.Length - hashSizeInBytes - 1) {}

        ' Copy salt from the end of the hash to the new array.
        For i As Integer = 0 To saltBytes.Length - 1
            saltBytes(i) = hashWithSaltBytes(hashSizeInBytes + i)
        Next

        ' Compute a new hash string.
        Dim expectedHashString As String = ComputeHash(plainText, hashAlgorithm, saltBytes)

        ' If the computed hash matches the specified hash,
        ' the plain text value must be correct.
        Return (hashValue = expectedHashString)
    End Function

End Class

I have the following code in my Change Password page:
VB.NET:
Imports System.Data
Imports System.Configuration
Imports System.Data.OleDb
Public Class ChangePassword
    Inherits System.Web.UI.Page
    'Declaration
    Dim SQLStr As String
    Dim cmd As New OleDbCommand
    Dim DT As New DataTable
    Dim DA As New OleDbDataAdapter
    Dim DS As New DataSet
    Dim bNewData, bEditData As Boolean
    Dim DBConnection As OleDbConnection = New OleDbConnection
    Dim ConnStr As String = ConfigurationManager.ConnectionStrings("SQLDBConnection").ToString
    Dim TDES As New SQLEncrDecr.EncryptionDecryption
    Private Sub FormLoad()
        Try
            lblMessage.Visible = False
            lblSystemError.Visible = False
            If Session.Item("UserName") = "" Then
                Response.Redirect("~/Login.aspx")
            Else
                UserInfo.Text = "WelCome " & Session.Item("UserName").ToString
                UserName_Label.Text = Session.Item("UserName").ToString
                txtUserID.Text = UserName_Label.Text
                txtUserID.Enabled = False
            End If
        Catch ex As Exception
            lblSystemError.Visible = True
            lblSystemError.Text = ex.Message.ToString()
        End Try
    End Sub
    Protected Sub btnChangePassword_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnChangePassword.Click
        Try
            DBConnection.ConnectionString = ConnStr
            DBConnection.Open()
            SQLStr = "SELECT * FROM UserInformation"
            cmd = New OleDbCommand(SQLStr, DBConnection)
            Dim reader As OleDbDataReader = cmd.ExecuteReader()
            Dim up As Byte
            Dim uPassword As String = reader("Password").ToString()
            Dim uFlag As Boolean = TDES.VerifyHash(txtOldPassword.Text, "SHA512", uPassword)
            While reader.Read()
                If txtOldPassword.Text = reader("Password").ToString And uFlag = True Then
                    'If uFlag = True Then
                    up = 1
                End If
            End While
            reader.Close()
            DBConnection.Close()
            If up = 1 Then
                DBConnection.Open()
                Dim uPass As String = SQLEncrDecr.EncryptionDecryption.ComputeHash(txtNewPassword.Text, "SHA512", Nothing)
                SQLStr = "UPDATE UserInformation SET Password = @Password WHERE UserName = '" & txtUserID.Text & "'"
                cmd = New OleDbCommand(SQLStr, DBConnection)
                cmd.Parameters.Add(New OleDbParameter("@Password", OleDbType.VarChar, 50))
                cmd.Parameters("@Password").Value = uPass
                cmd.ExecuteNonQuery()
                DBConnection.Close()
                lblMessage.Visible = True
                lblMessage.Text = "Success"
            Else
                lblMessage.Visible = True
                lblMessage.Text = "Incorrect"
            End If
        Catch ex As Exception
            lblSystemError.Visible = True
            lblSystemError.Text = ex.Message.ToString()
        End Try
    End Sub

My Web Config file contains this connection string:
VB.NET:
<connectionStrings>
		<add name="SQLDBConnection" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|Security.mdb;Persist Security Info=True"/>
</connectionStrings>

I don't know where it went wrong. Can somebody help me out?

Thanks.
 
Firstly, you talk about encryption and decryption yet your code seems to be using hashing. Hashing is not encryption because hashing is one-way and encryption is two-way, i.e. you cannot get back to the original data from a hashed value.

As for the issue, it's because you're trying to get data from a data reader without calling Read first.
 
Hi,

Thanks for the response. Sorry, it was my mistake, and yes, I am using HASHING. Can you please help me work out why I am getting the error message?

Thanks
 
I have also tried the following code, but it does not seem to work:

VB.NET:
            DBConnection.ConnectionString = ConnStr
            DBConnection.Open()
            SQLStr = "SELECT * FROM UserInformation WHERE UserName = '" & txtUserID.Text & "'"
            cmd = New OleDbCommand(SQLStr, DBConnection)
            cmd.Parameters.AddWithValue("UserName", txtUserID.Text)
            Dim reader As OleDbDataReader = cmd.ExecuteReader()
            If reader.HasRows Then
                reader.Read()
                Dim oldHash As String = reader("Password")
                reader.Close()
                Dim oldPwdHash As String = SQLEncrDecr.EncryptionDecryption.ComputeHash(txtOldPassword.Text, "SHA512", Nothing)
                Dim newPwdHAsh As String = SQLEncrDecr.EncryptionDecryption.ComputeHash(txtNewPassword.Text, "SHA512", Nothing)
                If oldHash = oldPwdHash Then
                    SQLStr = "UPDATE UserInformation SET Password = @Password WHERE UserName = @UserName"
                    cmd = New OleDbCommand(SQLStr, DBConnection)
                    cmd.Parameters.AddWithValue("@Password", newPwdHAsh)
                    cmd.Parameters.AddWithValue("@UserName", txtUserID.Text)
                    cmd.ExecuteNonQuery()
                End If
            End If

When I debug, the DBConnection is getting closed after this line of code:
VB.NET:
                 If oldHash = oldPwdHash Then
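
The two points from the reply above (call Read before touching a column; a hash cannot be decrypted, only re-verified) combined in one routine, as an added example that is not part of the original thread. It assumes the thread's UserInformation table and its SQLEncrDecr.EncryptionDecryption class; PasswordChange and TryChangePassword are hypothetical names.

```vbnet
Imports System.Data.OleDb

Public Module PasswordChange
    ' Returns True only when the old password verifies and exactly one row is updated.
    ' Assumes the UserInformation table and the EncryptionDecryption class from the thread.
    Public Function TryChangePassword(connStr As String, userName As String,
                                      oldPassword As String, newPassword As String) As Boolean
        Dim hasher As New SQLEncrDecr.EncryptionDecryption()
        Using conn As New OleDbConnection(connStr)
            conn.Open()

            ' Fetch only this user's stored hash. OleDb parameters are positional,
            ' so "?" markers are filled in the order the values are added.
            Dim storedHash As String = Nothing
            Using selectCmd As New OleDbCommand(
                    "SELECT [Password] FROM UserInformation WHERE UserName = ?", conn)
                selectCmd.Parameters.AddWithValue("@UserName", userName)
                Using reader As OleDbDataReader = selectCmd.ExecuteReader()
                    ' Read() must return True before any column is accessed; skipping it
                    ' raises "No data exists for the row/column".
                    If reader.Read() AndAlso Not reader.IsDBNull(0) Then
                        storedHash = reader.GetString(0)
                    End If
                End Using
            End Using
            If storedHash Is Nothing Then Return False

            ' A hash cannot be decrypted, and ComputeHash(..., Nothing) picks a new random
            ' salt on every call, so a fresh hash never equals the stored one.
            ' VerifyHash re-hashes the input with the salt embedded in the stored value.
            If Not hasher.VerifyHash(oldPassword, "SHA512", storedHash) Then Return False

            ' SHA-512 digest (64 bytes) plus a 4-7 byte salt is 92 or 96 Base64 characters,
            ' so the column and parameter must hold that; a 50-character limit is too small.
            Dim newHash As String =
                SQLEncrDecr.EncryptionDecryption.ComputeHash(newPassword, "SHA512", Nothing)
            Using updateCmd As New OleDbCommand(
                    "UPDATE UserInformation SET [Password] = ? WHERE UserName = ?", conn)
                updateCmd.Parameters.Add("@Password", OleDbType.VarWChar, 128).Value = newHash
                updateCmd.Parameters.Add("@UserName", OleDbType.VarWChar, 255).Value = userName
                Return updateCmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function
End Module
```

Salted SHA-512 is kept here only to match the values the thread's functions already store; for new password storage a deliberately slow key-derivation function such as PBKDF2 (Rfc2898DeriveBytes in .NET) is the usual choice.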
 