Subject: Mail merge with an MD5 hash.

Hello all. I'm working on a project for a community college which allows the Alumni to update their contact information over the web. We would like to mail the Alumni a physical letter which has the link to the web form that collects the data. The Alumni then will enter in their ID number which would allow them to update their account.

I would also like to include an MD5 hash of their ID number and a private key. This would prevent anyone from viewing or modifying someone else's records.

What would be the best way to generate the MD5s so that they can be easily added to the mail merge?

Thanks for your time,
-Jay


> I would also like to include an MD5 hash of their ID number and a private key. This would prevent anyone from viewing or modifying someone else's records.

can you explain?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello all. I'm working on a project for a community college which
> allows the Alumni to update their contact information over the web. We
> would like to mail the Alumni a physical letter which has the link to
> the web form that collects the data. The Alumni then will enter in
> their ID number which would allow them to update their account.
>
> I would also like to include an MD5 hash of their ID number and a
> private key. This would prevent anyone from viewing or modifying
> someone else's records.
>
> What would be the best way to generate the MD5s so that they can be
> easily added to the mail merge?
>
> Thanks for your time,
> -Jay


The physical letter sent to the Alumnus will include their Personal Identification Number and an MD5 hash of their PIN + a private key stored on the web server.

When they attempt to log in, the website verifies that the hash they provide is correct.

If someone attempted to use another person's pin they would not be able to log in because they would have no way of generating the correct MD5 hash.

Obviously, I know, no encryption is uncrackable, but this will prevent trivial attempts at using the system as a searchable directory of Alumni contact information.


Hi,

why all the hassle with the private key - give them a password (or a pin) - store the SHA1/256 hash of it in your db. When they log in with the pwd/pin - create a hash from that and compare with the stored value...

In 1.1 use the PasswordDeriveBytes class, in 2.0 the Rfc2898DeriveBytes

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> The physical letter sent to the Alumnus will include their Personal
> Identification Number and an MD5 hash of their PIN + a private key
> stored on the web server.
>
> When they attempt to log in, the website verifies that the hash they
> provide is correct.
>
> If someone attempted to use another person's pin they would not be
> able to log in because they would have no way of generating the
> correct MD5 hash.
>
> Obviously, I know, no encryption is uncrackable, but this will prevent
> trivial attempts at using the system as a searchable directory of
> Alumni contact information.


The issue with that method is that our PIN number is basically their Alumni ID number. If we only required that from them then anyone could simply enter a different pin and possibly view another person's record. By storing the PIN as a hash in our db we would simply be obscuring it. That isn't needed as the PIN is not private information.

By making the user provide their PIN as well as a password (PIN + Private Key => hashed) we get authentication credentials that can only be supplied by us. There would be no way for a savvy user to generate their own. Also, we are saved the added overhead of storing the hash in the db. Instead we just generate it as needed for the mailings.

All that being said, it was a pretty simple task to write an applet that generates the keys needed and then import that into an Excel file for our College Foundation.

I flag this as <complete>.
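The two designs discussed in this thread, as an added example that is not code from either poster. It is written in Python with only the standard library rather than the .NET classes Dominick names: Jay's approach (a keyed hash of the Alumni ID generated for the mail merge and recomputed at login, with nothing per-user stored in the database) is implemented with HMAC-SHA256, the standard keyed-hash construction, in place of MD5 over the concatenation; Dominick's approach (store a salted, iterated hash of a PIN and compare at login) uses PBKDF2, which is the algorithm behind Rfc2898DeriveBytes. The server key, the alumni records and the PIN are constructed placeholders, and both comparisons use a constant-time compare so a wrong token costs the same as a right one.

```python
# Added example (not from the thread): keyed mail-merge tokens and a stored
# PBKDF2 PIN hash, using only the Python standard library.
import csv
import hashlib
import hmac
import io
import os

# Assumption: a server-side secret that never leaves the web server. A real
# deployment loads it from protected configuration; this value is a placeholder.
SERVER_KEY = b"example-server-secret-replace-me"

# --- Jay's design: token printed in the letter, recomputed at login ---------

def mail_merge_token(alumni_id, key=SERVER_KEY):
    """Token printed in the letter next to the Alumni ID.

    The thread proposes MD5(ID + private key); this uses HMAC-SHA256 for the
    same purpose: only the holder of the server key can produce the token for
    a given ID, so nothing per-user has to be stored in the database.
    """
    return hmac.new(key, alumni_id.encode("utf-8"), hashlib.sha256).hexdigest()

def verify_login(alumni_id, presented_token, key=SERVER_KEY):
    """Recompute the token for the ID the visitor typed and compare it in
    constant time with what they presented from the letter."""
    expected = mail_merge_token(alumni_id, key)
    return hmac.compare_digest(expected, presented_token)

def build_mail_merge_csv(rows):
    """Build the CSV the college would feed into the mail merge:
    one row per alumnus with the ID and its token."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "alumni_id", "token"])
    writer.writeheader()
    for row in rows:
        writer.writerow({
            "name": row["name"],
            "alumni_id": row["alumni_id"],
            "token": mail_merge_token(row["alumni_id"]),
        })
    return out.getvalue()

# --- Dominick's design: store a salted PBKDF2 hash of a PIN/password --------

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the server's budget

def store_pin(pin, salt=None):
    """Return (salt, derived_key) to keep in the database row.
    PBKDF2-HMAC (here with SHA-256) is what Rfc2898DeriveBytes computes."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk

def check_pin(pin, salt, stored_dk):
    """Derive again with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_dk)

# Constructed sample alumni records (not real data).
SAMPLE_ALUMNI = [
    {"name": "A. Example", "alumni_id": "100234"},
    {"name": "B. Example", "alumni_id": "100235"},
]

if __name__ == "__main__":
    print(build_mail_merge_csv(SAMPLE_ALUMNI))
    tok = mail_merge_token("100234")
    print(verify_login("100234", tok))   # token matches its own ID
    print(verify_login("100235", tok))   # token from another letter is rejected
    salt, dk = store_pin("4921")
    print(check_pin("4921", salt, dk), check_pin("4922", salt, dk))
```

In Jay's design the token is the credential, so the letter itself must be treated as sensitive mail; in Dominick's design the database holds only the salt and derived key, so a copy of the table does not yield PINs directly.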