tags:

views:

1076

answers:

2
Q: 

Asp.net membership salt?

Hi

Does anyone know how Asp.net membership generates their salt key and then how they encode it(ie is it salt + password or password + salt)?

I am using sha1 with my membership but I would like to recreate the same salts so the built in membership stuff could hash the stuff the same way as my stuff can.

Thanks

Edit 2

Never Mind I mis read it and was thinking it said bytes not bit. So I was passing in 128 bytes not 128bits.

Edit

I been trying to make it so this is what I have

  public string EncodePassword(string password, string salt)
        {
            byte[] bytes = Encoding.Unicode.GetBytes(password);
            byte[] src = Encoding.Unicode.GetBytes(salt);
            byte[] dst = new byte[src.Length + bytes.Length];

            Buffer.BlockCopy(src, 0, dst, 0, src.Length);
            Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

            HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");

            byte[] inArray = algorithm.ComputeHash(dst);

            return Convert.ToBase64String(inArray);
        }

        private byte[] createSalt(byte[] saltSize)
        {
            byte[] saltBytes = saltSize;

            RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

            rng.GetNonZeroBytes(saltBytes);
            return saltBytes;
        }

So I have not tried to see if the asp.net membership will recognize this yet the hashed password looks close. I just don't know how to convert it to base64 for the salt.

I did this

       byte[] storeSalt = createSalt(new byte[128]);
        string salt = Encoding.Unicode.GetString(storeSalt);
        string base64Salt = Convert.ToBase64String(storeSalt);

        int test = base64Salt.Length;

Test length is 172 what is well over the 128bits so what am I doing wrong?

This is what their salt looks like

vkNj4EvbEPbk1HHW+K8y/A==

This is what my salt looks like

E9oEtqo0livLke9+csUkf2AOLzFsOvhkB/NocSQm33aySyNOphplx9yH2bgsHoEeR/aw/pMe4SkeDvNVfnemoB4PDNRUB9drFhzXOW5jypF9NQmBZaJDvJ+uK3mPXsWkEcxANn9mdRzYCEYCaVhgAZ5oQRnnT721mbFKpfc4kpI=
+2  A: 

This post has a good discussion of their default algorithm.

http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses

Hope that helps!

Edit- The answer I was referring to is the code in the top post

   public string EncodePassword(string pass, string salt)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(pass);
        byte[] src = Encoding.Unicode.GetBytes(salt);
        byte[] dst = new byte[src.Length + bytes.Length];
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }

They are combining Unicode Salt + Pass using BlockCopy

-- In response to your question:

Both algorithms are necessary and fulfill different roles...

RNG Crypto is used to generate the salt. It is basically a long string of random data. This is generated and stored on a per user basis. Typically this is done when a user is created or a password is changed.

BlockCopy is just the method they use to combine the salt with the password. The above code essentially equates to Salt + Password.

You aren't going to be able to recreate a salt value as it is completely random. It is, however, stored for each user by the framework.

Combining the salt with the password and hashing it using the technique above will allow you to verify users passwords using the hashed value stored by the framework.

I think we both read your question differently. The code I posted won't generate your salt, but it will let you use it in a way that is compatible with ASP.net membership.

Sorry my explanation isn't the best- does that answer your question?

apocalypse9  2009-08-12 18:34:15
Does not tell you how Microsoft does the Salt.
CodeToGlory  2009-08-12 18:41:18
The top post shows the algorithm - I've copied it here for clarity.
apocalypse9  2009-08-12 19:23:07
Sorry- I see what you mean. I assumed that he was looking for how it was combined to recreate from existing data.
apocalypse9  2009-08-12 19:26:48
Hi I don't get it. What is blockCopy in the documentation they say they use RNGCrypto. It also does not generate the salt.
chobo2  2009-08-12 19:48:05
Grr - Having trouble explaining clearly in the comments. I'll add everything to the body of my post. Sorry.
apocalypse9  2009-08-12 20:11:33
It is getting their like see my edit. I need to figure out how to generate the salt then I can truly test if .net membership stuff can figure out what is going on. except I can't get 128bit length for the salt.
chobo2  2009-08-12 20:26:40
+1  A: 

Here is one way of doing it. A salt is just a random number, you can use RNGCryptoServiceProvider class in the framework library to produce good random number to use as salt

private const int ITERATIONS = 10000;
private const int SALT_SIZE = 32;
private const int HASH_SIZE = 32;

public void SaltAndHashPassword(string password, out byte[] salt,
  out byte[] hash)
{
  Rfc2898DeriveBytes rdb = new Rfc2898DeriveBytes(
    password,
    SALT_SIZE,
    ITERATIONS);

  salt = rdb.Salt;
  hash = rdb.GetBytes(HASH_SIZE);
}
CodeToGlory  2009-08-12 18:37:19
Hi I found on msdn this"PasswordSalt: Randomly generated 128-bit value used to salt password hashes; stored in base-64-encoded form"http://msdn.microsoft.com/en-us/library/aa478949.aspxSo what would I do up the salt_size to 128? how about hash size?
chobo2  2009-08-12 19:23:11
they also have thisMembershipPasswordFormat.Hashed (the default), which stores salted hashes generated from passwords and password answers. The salt is a random 128-bit value generated by the .NET Framework's RNGCryptoServiceProvider class. Each password/password answer pair is salted with this unique value, and the salt is stored in the aspnet_Membership table's PasswordSalt field. The result of hashing the password and the salt is stored in the Password field. Similarly, the result of hashing the password answer and the salt is stored in the PasswordAnswer field.
chobo2  2009-08-12 19:24:08
makes me wonder if it is Password + Salt.
chobo2  2009-08-12 19:26:05

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?