Semi-Formal specification of FSCAuth

Here I'm going to describe, in a semi-formal manner, how FSCAuth works, emphasizing the algorithm rather than the implementation.

A few definitions:

  • Hash(x): The Hasher function. By default this is SHA-256 in FSCAuth
  • UserID: The UserData.UniqueID string
  • Username: The user name of the user
  • PasswordHash: The stored password hash
  • Password: The plaintext password
  • UniqueHash: The UniqueHash value for the entire site (a secret shared by every hash the site produces)
  • SiteName: The configured name of the site
  • Base: The base path of the website. If CookieUseBase is false, then this is an empty string.
  • IP: The IP address of the client. If CookieUseIP is false, then this is an empty string.
  • UserAgent: The user agent string from the client's browser. If CookieUseBrowserInfo is false, then this is an empty string.
  • Now(): The current time as a 32-bit UTC Unix timestamp
  • + is string concatenation. "abc"+"xyz" is equal to "abcxyz"

To create a new user, the only thing we must create is the password hash. It is constructed as follows:

PasswordHash := Hash("fscauth" + Password + Username + UserID + UniqueHash);

Then, when creating a new authentication cookie, we populate three fields: Name, Expires, and Secret. The cookie's own name is either Hash(SiteName) + "_login" or SiteName + "_login", depending on the HashCookieName variable. Name is the plaintext username of the user being authenticated. Expires is a UTC Unix timestamp of when the cookie should expire. Secret is derived from the stored password hash and the request context:

Secret := Hash(PasswordHash + IP + Base + UserAgent + Expires + UniqueHash + SiteName)
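The two constructions above, carried through end to end as an added Python example (this is illustrative code written for this page, not FSCAuth's own C# implementation). It builds PasswordHash and the cookie's Name/Expires/Secret, then verifies a presented cookie by recomputing Secret from the server-side PasswordHash and the current request. Assumptions not stated on the page: strings are hashed as UTF-8 and Hash() returns lowercase hex, Expires is concatenated as its decimal digits, and the configuration dictionary, user records, IP address and user agent are all constructed sample data.

```python
import hashlib
import hmac

# Constructed site configuration; the key names mirror the page's definitions.
CFG = {
    "SiteName": "example.com",
    "UniqueHash": "site-wide-secret-kept-out-of-the-database",  # constructed value
    "Base": "/app",
    "CookieUseBase": True,
    "CookieUseIP": True,
    "CookieUseBrowserInfo": True,
    "HashCookieName": True,
}


def hash_(x: str) -> str:
    """Hash(x): SHA-256 over x. UTF-8 input and hex output are assumptions."""
    return hashlib.sha256(x.encode("utf-8")).hexdigest()


def password_hash(password: str, username: str, user_id: str, unique_hash: str) -> str:
    """PasswordHash := Hash("fscauth" + Password + Username + UserID + UniqueHash)"""
    return hash_("fscauth" + password + username + user_id + unique_hash)


def cookie_name(site_name: str, hash_cookie_name: bool) -> str:
    """Hash(SiteName) + "_login" or SiteName + "_login", depending on HashCookieName."""
    return (hash_(site_name) if hash_cookie_name else site_name) + "_login"


def cookie_secret(pw_hash, ip, base, user_agent, expires, unique_hash, site_name):
    """Secret := Hash(PasswordHash + IP + Base + UserAgent + Expires + UniqueHash + SiteName).
    Rendering the Expires timestamp as decimal digits is an assumption."""
    return hash_(pw_hash + ip + base + user_agent + str(expires) + unique_hash + site_name)


def _context(cfg, ip, user_agent):
    """Apply the CookieUse* switches: a disabled field contributes the empty string."""
    return (
        ip if cfg["CookieUseIP"] else "",
        cfg["Base"] if cfg["CookieUseBase"] else "",
        user_agent if cfg["CookieUseBrowserInfo"] else "",
    )


def make_cookie(user, ip, user_agent, now, ttl, cfg=CFG):
    """Build the Name / Expires / Secret fields of a fresh authentication cookie."""
    expires = now + ttl
    ip_, base, ua = _context(cfg, ip, user_agent)
    secret = cookie_secret(user["password_hash"], ip_, base, ua, expires,
                           cfg["UniqueHash"], cfg["SiteName"])
    return {"Name": user["username"], "Expires": expires, "Secret": secret}


def verify_cookie(cookie, users, ip, user_agent, now, cfg=CFG):
    """Accept only an unexpired cookie whose Secret matches a fresh recomputation."""
    if cookie["Expires"] <= now:   # Expires is inside the hash, but still reject stale cookies
        return False
    user = users.get(cookie["Name"])
    if user is None:               # unknown Name: nothing to recompute against
        return False
    ip_, base, ua = _context(cfg, ip, user_agent)
    expected = cookie_secret(user["password_hash"], ip_, base, ua, cookie["Expires"],
                             cfg["UniqueHash"], cfg["SiteName"])
    # Constant-time comparison so a forged Secret cannot be refined byte by byte.
    return hmac.compare_digest(expected, cookie["Secret"])


def demo():
    """Constructed user and request; returns the outcomes a reviewer would check."""
    username, user_id, password = "alice", "u-1001", "correct horse battery staple"
    users = {username: {"username": username,
                        "password_hash": password_hash(password, username, user_id, CFG["UniqueHash"])}}
    users["bob"] = {"username": "bob",
                    "password_hash": password_hash("hunter2", "bob", "u-1002", CFG["UniqueHash"])}
    ip, ua, now = "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)", 1_303_532_938
    cookie = make_cookie(users[username], ip, ua, now, ttl=3600)
    renamed = dict(cookie, Name="bob")   # attacker keeps Secret but swaps in another user's Name
    return {
        "valid": verify_cookie(cookie, users, ip, ua, now + 60),
        "other_ip": verify_cookie(cookie, users, "198.51.100.9", ua, now + 60),
        "other_browser": verify_cookie(cookie, users, ip, "curl/7.68.0", now + 60),
        "expired": verify_cookie(cookie, users, ip, ua, now + 3600),
        "renamed": verify_cookie(renamed, users, ip, ua, now + 60),
        # Database contents alone (PasswordHash, Username, UserID) do not confirm a password
        # guess: without the real UniqueHash the recomputed hash never matches.
        "db_only_guess": users[username]["password_hash"]
                         == password_hash(password, username, user_id, "wrong-site-secret"),
    }


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(f"{outcome}: {result}")
```

Two points the example makes concrete. Because IP, UserAgent and Expires are all inputs to Secret, a stolen cookie replayed from another address or browser, or with its expiry edited, fails verification without any server-side session state. And because the hasher is a single unkeyed SHA-256, which is fast to evaluate, everything rests on UniqueHash: an attacker holding the database and UniqueHash could test password guesses offline at full speed, so that value must never live in the database it protects.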

Because UniqueHash is mixed into both the password hashes and the cookie secrets, an attacker who obtains only the user database can neither forge a valid cookie nor confirm a password guess offline without also obtaining UniqueHash. The scheme's strength therefore depends on UniqueHash being kept secret; it can be stored either in Web.config or in the C# source code, but not in the database it protects.

In addition to this, a unique per-user Salt can be used for each hash; how the salt is incorporated into the hash is left to the user of the library.

Tags: fscauth
Posted: 4/23/2011 4:28:58 AM