The bottom line is to create a custom FTP Authentication Provider. In order to do this one must inherit from IFtpAuthenticationProvider interface and then register that assembly in GAC. After that the assembly needs to be registered in IIS's FTP settings.
In order for this to be accomplished I have to use the database which holds my user information in the database from the custom Membership and Role providers we have developed previously. So, that means I have to use a local class library app.config file and read it with ConfigurationManager.OpenMappedExeConfiguration(). I read the connection strings from there and I'm even able to provide it to Linq-To-Sql classes dynamically. No problem there.
Next, I try to create a class that inherits from SqlMembershipProvider so that I can use it's own system to decrypt the password for a user. But, the problem is that it has to read machineKey values from configuration. The only way you can provide custom configuration to a SqlMembershipProvider is trough it's Initialize method (which is not intended for us to use it in our code anyway). But anyway I tried and failed. I've been able to provide it a custom membership settings but not machineKey settings.
So, I decided to go radical. I said: I have the decryptionKey from machineKey so I'll try to decrypt the password manually.
So far I've tried using RijndaelManaged:
private string UnEncodePassword(string encodedPassword, string secretKey)
{
string password = encodedPassword;
var keyBytes = new byte[16];
var secretKeyBytes = Encoding.UTF8.GetBytes(secretKey);
Array.Copy(secretKeyBytes, keyBytes, Math.Min(keyBytes.Length, secretKeyBytes.Length));
RijndaelManaged rm = new RijndaelManaged
{
Mode = CipherMode.CBC,
Padding = PaddingMode.PKCS7,
KeySize = 128,
BlockSize = 128,
Key = keyBytes,
IV = keyBytes
};
var encryptedBytes = Convert.FromBase64String(encodedPassword);
password = Encoding.UTF8.GetString(Decrypt(encryptedBytes, rm));
return password;
}
I'm kind of aware that I'm shooting blanks here since I'm not eve sure what kind of padding is used and most importantly even if I could I'm not hitting the right IV. The best I'v done so far is to get some junkish response like: �21l�<��(�\t��].
So I need some pointers. Even suggestions on how to tackle this whole issue from another perspective are welcome.
EDIT:
Just to make things a little bit more clear. I'm not trying to crack the password or anything. I have the password and I have the decryptionKey etc. I just want to find a way to Encrypt/Decrypt it so that I can make a user validation.
I am fully aware that encrypting/decrypting passwords are not the best approach in the first place, but there are reasons why that is being done that way.
I do agree with the others that hashed passwords are generally more secure that enrypted ones.
But because you can't choose why do you have to use the Encryption or Decription methods from MembershipProvider (btw, I don't even think it's possible).
Why don't you create your own encryption methods and use them in the web application and your class library.