Using SQL Server 2005 CLR SPs to create Commerce Server 2007 User Profile Password Hashes

crisag — Tue, 19 Sep 2006 17:24:00 GMT

Do you need convert passwords stored originally using plain-text on databases to the one-way hash format used by the new version of the Commerce Server?

Don’t think that Commerce Server never used hashes to store passwords. It has always implemented this kind of functionality. Sometimes developers simple opt do not use hashes and decide store passwords using plain-text… :(

On the previous versions of CS the algorithm used was MD5 but one of the new features implemented by the last version was the use of the SHA256 hash algorithm to store passwords and other one-way pieces of information.

Would you like a SQL 2005 stored procedure to generate CS2007 compatible hashes using the plain-text stored sources?

It can be used only passing the plain-text password as a parameter; the result of the procedure is a Commerce Server 2007 compatible hash already formatted using little-endian.

The procedure was developed using the new .Net compatible stored procedures implemented by the last version of Microsoft SQL Server.

The code:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

using System.Text;
using System.Security.Cryptography;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void Hash( string inputPassword )
    {
        try
        {
            SqlContext.Pipe.Send(ComputeHash(inputPassword));
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send("Um erro ocorreu: " + e.Message);
        }
    }

    private static string ComputeHash( string inputPassword )
    {
        byte[] saltBytes;

        Random random = new Random(); // gera um numero randomico para o tamanho da semente.
        int saltSize = random.Next(4, 4);
        saltBytes = new byte[saltSize]; // aloca o vetor que armazenará o salt

// inicializa o gerador de números randomicos
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

rng.GetNonZeroBytes(saltBytes); // preenche a semente

        System.Text.UnicodeEncoding encode = new System.Text.UnicodeEncoding();

        // encoding format is little endian
        byte[] dataBuffer = new byte[encode.GetByteCount(inputPassword) + 4]; // get number of bytes and create buffer

// copia os bytes to texto para o vetor
saltBytes.CopyTo(dataBuffer, 0);

byte[] inputPasswordBytes = encode.GetBytes(inputPassword);

        // copia os bytes da senha após os 4 destinados a semente
        inputPasswordBytes.CopyTo(dataBuffer, 4);
        HashAlgorithm SHA256 = new SHA256Managed();
        byte[] hash = SHA256.ComputeHash(dataBuffer);

        System.Text.StringBuilder sb = new System.Text.StringBuilder();
        foreach (byte outputByte in saltBytes) sb.Append(outputByte.ToString("x2").ToUpper());
        foreach (byte outputByte in hash) sb.Append(outputByte.ToString("x2").ToUpper());
        return sb.ToString();

}

You can use the Deploy command of the Microsoft Visual Studio 2005 to install the procedure on your SQL Server 2005 or you can use the following procedure to have it working on your environment:

1. Make sure that CLR Integration is enabled on the SQL server.

EXEC sp_configure 'clr enabled', 1
RECONFIGURE
GO

2. Compile the code to generate the HashProcedure.dll file.
3. Execute the following T-SQL code against the SQL Server to add the CLR stored procedure:

CREATE ASSEMBLY HashProcedure
FROM 'C:\Work\Projetos\HashProcedure\bin\Debug\HashProcedure.dll'
WITH PERMISSION_SET = SAFE
GO

4. Execute the following T-SQL code against the SQL Server do create a SQL Server 2005 stored procedure that Consumes the CLR code:

CREATE PROC Hash
@inputPassword NVARCHAR(4000)
AS
EXTERNAL NAME HashProcedure.StoredProcedures.Hash
GO

[]’s.

This posting is provided "AS IS" with no warranties, and confers no rights.

Cristiano WebLog : SQL Server 2005

Using SQL Server 2005 CLR SPs to create Commerce Server 2007 User Profile Password Hashes