asp.net-mvc – ASP.NET MVC 3应用程序,BCrypt.CheckPassword失

我正在努力在ASP.NET MVC 3应用程序中实现安全性,并使用BCrypt实现 found here来处理密码的加密和验证.用户注册屏幕加密用户提供的密码,并将散列密码保存到数据库中.我在登录页面上遇到密码验证问题,但我似乎无法弄清楚原因.

我的注册控制器操作包含以下内容：

[HttpPost]
[RequireHttps]
public ActionResult Register(Registration registration)
{
    // Validation logic...

    try
    {
        var user = new User
        {
            Username = registration.Username,Password = Password.Hash(HttpUtility.HtmlDecode(registration.Password)),EmailAddress = registration.EmailAddress,FirstName = registration.FirstName,MiddleInitial = registration.MiddleInitial,LastName = registration.LastName,DateCreated = DateTime.Now,DateModified = DateTime.Now,LastLogin = DateTime.Now
        };

        var userId = _repository.CreateUser(user);
    }
    catch (Exception ex)
    {
        ModelState.AddModelError("User","Error creating user,please try again.");
        return View(registration);
    }

    // Do some other stuff...
}

这是Password.Hash：

public static string Hash(string password)
{
    return BCrypt.HashPassword(password,BCrypt.GenerateSalt(12));
}

这就是我处理登录的方式：

[HttpPost]
[RequireHttps]
public ActionResult Login(Credentials login)
{
    // Validation logic...

    var authorized = _repository.CredentialsAreValid(HttpUtility.HtmlDecode(login.username),login.password);
    if (authorized)
    {
        // log the user in...
    }
    else
    {
        ModelState.AddModelError("AuthFail","Authentication failed,please try again");
        return View(login);
    }
}

CredentialsAreValid包含对BCrypt.CheckPassword的调用：

public bool CredentialsAreValid(string username,string password)
{
    var user = GetUser(username);
    if (user == null)
        return false;

    return Password.Compare(password,user.Password);
}

Password.Compare：

public static bool Compare(string password,string hash)
{
    return BCrypt.CheckPassword(password,hash);
}

最后,这就是BCrypt.CheckPassword正在做的事情：

public static bool CheckPassword(string plaintext,string hashed)
{
    return StringComparer.Ordinal.Compare(hashed,HashPassword(plaintext,hashed)) == 0;
}

所以,是的…我不知道发生了什么,但我知道的是,我的登录控制器操作中的布尔授权变量由于某种原因总是返回false.

我过去在至少其他几个项目中使用了这个完全相同的BCrypt类,并且从来没有遇到任何问题. ASP.NET MVC 3是否对发布的数据执行了一些奇怪的,不同的编码,这些数据是我缺少的或需要处理不同的东西？要么是,要么是SQL CE 4做的(那是我目前正在使用的数据存储区)？在我的代码中,所有内容似乎都是按照我所知道的顺序排列,但由于某种原因,密码检查每次都失败了.有人有主意吗？

谢谢.

更新：以下是BCrypt类中包含的代码注释,以及它如何使用和工作的示例.

/// <summary>BCrypt implements OpenBSD-style Blowfish password hashing
/// using the scheme described in "A Future-Adaptable Password Scheme"
/// by Niels Provos and David Mazieres.</summary>
/// <remarks>
/// <para>This password hashing system tries to thwart offline
/// password cracking using a computationally-intensive hashing
/// algorithm,based on Bruce Schneier's Blowfish cipher. The work
/// factor of the algorithm is parametized,so it can be increased as
/// computers get faster.</para>
/// <para>To hash a password for the first time,call the
/// <c>HashPassword</c> method with a random salt,like this:</para>
/// <code>
/// string hashed = BCrypt.HashPassword(plainPassword,BCrypt.GenerateSalt());
/// </code>
/// <para>To check whether a plaintext password matches one that has
/// been hashed previously,use the <c>CheckPassword</c> method:</para>
/// <code>
/// if (BCrypt.CheckPassword(candidatePassword,storedHash)) {
///     Console.WriteLine("It matches");
/// } else {
///     Console.WriteLine("It does not match");
/// }
/// </code>
/// <para>The <c>GenerateSalt</c> method takes an optional parameter
/// (logRounds) that determines the computational complexity of the
/// hashing:</para>
/// <code>
/// string strongSalt = BCrypt.GenerateSalt(10);
/// string strongerSalt = BCrypt.GenerateSalt(12);
/// </code>
/// <para>
/// The amount of work increases exponentially (2**log_rounds),so
/// each increment is twice as much work. The default log_rounds is
/// 10,and the valid range is 4 to 31.
/// </para>
/// </remarks>