views: 1076

answers: 2

Hi

Does anyone know how ASP.NET membership generates its salt key and then how it encodes it (i.e. is it salt + password or password + salt)?

I am using SHA1 with my membership, but I would like to recreate the same salts so the built-in membership stuff can hash things the same way my stuff does.

Thanks

Edit 2

Never mind, I misread it and was thinking it said bytes, not bits. So I was passing in 128 bytes, not 128 bits.

Edit

I have been trying to make it work, so this is what I have:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Hash = Base64( SHA1( UTF-16LE(salt) + UTF-16LE(password) ) ), salt first
    public string EncodePassword(string password, string salt)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(password);
        byte[] src = Encoding.Unicode.GetBytes(salt);
        byte[] dst = new byte[src.Length + bytes.Length];

        // Concatenate salt + password into one buffer
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");

        byte[] inArray = algorithm.ComputeHash(dst);

        return Convert.ToBase64String(inArray);
    }

    // Fills the caller-supplied buffer with random bytes; the buffer length decides the salt size
    private byte[] createSalt(byte[] saltSize)
    {
        byte[] saltBytes = saltSize;

        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        rng.GetNonZeroBytes(saltBytes);
        return saltBytes;
    }

So I have not tried to see if the ASP.NET membership will recognize this yet, but the hashed password looks close. I just don't know how to convert it to base64 for the salt.

I did this

    // new byte[128] is 128 bytes (1024 bits), not 128 bits
    byte[] storeSalt = createSalt(new byte[128]);
    // Interprets the raw random bytes as UTF-16 text; not the same as base64-encoding them
    string salt = Encoding.Unicode.GetString(storeSalt);
    string base64Salt = Convert.ToBase64String(storeSalt);

    // 128 bytes base64-encode to 172 characters
    int test = base64Salt.Length;

Test length is 172, which is well over 128 bits, so what am I doing wrong?

This is what their salt looks like

vkNj4EvbEPbk1HHW+K8y/A==

This is what my salt looks like

E9oEtqo0livLke9+csUkf2AOLzFsOvhkB/NocSQm33aySyNOphplx9yH2bgsHoEeR/aw/pMe4SkeDvNVfnemoB4PDNRUB9drFhzXOW5jypF9NQmBZaJDvJ+uK3mPXsWkEcxANn9mdRzYCEYCaVhgAZ5oQRnnT721mbFKpfc4kpI=
+2  A: 

This post has a good discussion of their default algorithm.

http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses

Hope that helps!

Edit: the answer I was referring to is the code in the top post:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Base64( SHA1( UTF-16LE(salt) + UTF-16LE(pass) ) )
    public string EncodePassword(string pass, string salt)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(pass);
        byte[] src = Encoding.Unicode.GetBytes(salt);
        byte[] dst = new byte[src.Length + bytes.Length];
        // salt bytes first, then password bytes
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }

They are combining Unicode salt + pass using BlockCopy.

-- In response to your question:

Both algorithms are necessary and fulfill different roles...

RNG Crypto is used to generate the salt. It is basically a long string of random data. This is generated and stored on a per user basis. Typically this is done when a user is created or a password is changed.

BlockCopy is just the method they use to combine the salt with the password. The above code essentially equates to Salt + Password.

You aren't going to be able to recreate a salt value, as it is completely random. It is, however, stored for each user by the framework.

Combining the salt with the password and hashing it using the technique above will allow you to verify users passwords using the hashed value stored by the framework.

I think we both read your question differently. The code I posted won't generate your salt, but it will let you use it in a way that is compatible with ASP.net membership.

Sorry, my explanation isn't the best. Does that answer your question?

apocalypse9
Does not tell you how Microsoft does the salt.
CodeToGlory
The top post shows the algorithm; I've copied it here for clarity.
apocalypse9
Sorry, I see what you mean. I assumed that he was looking for how it was combined, to recreate from existing data.
apocalypse9
Hi, I don't get it. What is BlockCopy? In the documentation they say they use RNGCrypto. It also does not generate the salt.
chobo2
Grr, having trouble explaining clearly in the comments. I'll add everything to the body of my post. Sorry.
apocalypse9
It is getting there, see my edit. I need to figure out how to generate the salt, then I can truly test if the .NET membership stuff can figure out what is going on, except I can't get a 128-bit length for the salt.
chobo2
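Added example (editor's code, not from the thread or from System.Web) putting the facts established in this thread together: a 128-bit salt is 16 bytes, the provider stores it base64-encoded (16 bytes always encode to 24 characters ending in "==", the shape of vkNj4EvbEPbk1HHW+K8y/A==), and the hash is SHA1 over salt + UTF-16LE(password), also stored base64. One point the thread does not settle is whether the salt bytes that go into SHA1 are the UTF-16 bytes of the base64 text (as the snippet above does) or the 16 raw bytes decoded from it (which is what the SqlMembershipProvider source I have read does, via Convert.FromBase64String); the example supports both so you can check against a real aspnet_Membership row. RandomNumberGenerator.Create() stands in for the RNGCryptoServiceProvider the MSDN text names; the SaltBytesMode enum, DetectMode helper and the constant-time comparison are my additions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread or from System.Web.
public enum SaltBytesMode
{
    // Decode the stored base64 salt back to its 16 raw bytes before hashing
    // (what the SqlMembershipProvider source I have read does).
    RawBase64Decoded,
    // Hash the UTF-16LE bytes of the base64 text itself (what the answer's snippet does).
    UnicodeOfBase64Text
}

public static class MembershipCompatHasher
{
    // 128 bits = 16 bytes. 16 random bytes base64-encode to 24 characters ending in "==".
    private const int SaltSizeBytes = 16;

    // Salt in the form the provider stores it: base64 text.
    public static string GenerateSalt()
    {
        byte[] buf = new byte[SaltSizeBytes];
        // Current CSPRNG API; RNGCryptoServiceProvider.GetBytes does the same job.
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buf);
        }
        return Convert.ToBase64String(buf);
    }

    // Base64( SHA1( saltBytes + UTF-16LE(password) ) ), salt first.
    public static string EncodePassword(string password, string saltBase64, SaltBytesMode mode)
    {
        byte[] saltBytes = mode == SaltBytesMode.RawBase64Decoded
            ? Convert.FromBase64String(saltBase64)
            : Encoding.Unicode.GetBytes(saltBase64);
        byte[] pwdBytes = Encoding.Unicode.GetBytes(password);

        byte[] all = new byte[saltBytes.Length + pwdBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(pwdBytes, 0, all, saltBytes.Length, pwdBytes.Length);

        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all)); // 20 bytes -> 28 chars
        }
    }

    // Compare against a stored (PasswordSalt, Password) pair without early exit on mismatch.
    public static bool Verify(string password, string storedSaltBase64, string storedHashBase64, SaltBytesMode mode)
    {
        byte[] computed = Convert.FromBase64String(EncodePassword(password, storedSaltBase64, mode));
        byte[] stored = Convert.FromBase64String(storedHashBase64);
        if (computed.Length != stored.Length) return false;
        int diff = 0;
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ stored[i];
        return diff == 0;
    }

    // Try both salt interpretations against a row whose password you know.
    public static SaltBytesMode? DetectMode(string knownPassword, string storedSaltBase64, string storedHashBase64)
    {
        foreach (SaltBytesMode mode in Enum.GetValues(typeof(SaltBytesMode)))
        {
            if (Verify(knownPassword, storedSaltBase64, storedHashBase64, mode)) return mode;
        }
        return null;
    }

    public static void Main()
    {
        string salt = GenerateSalt();
        Console.WriteLine("salt: " + salt + " (" + salt.Length + " chars)");      // 24 chars
        string hash = EncodePassword("P@ssw0rd!", salt, SaltBytesMode.RawBase64Decoded);
        Console.WriteLine("hash: " + hash + " (" + hash.Length + " chars)");      // 28 chars
        Console.WriteLine("right password: " + Verify("P@ssw0rd!", salt, hash, SaltBytesMode.RawBase64Decoded));
        Console.WriteLine("wrong password: " + Verify("P@ssw0rd", salt, hash, SaltBytesMode.RawBase64Decoded));
        Console.WriteLine("detected mode:  " + DetectMode("P@ssw0rd!", salt, hash));
    }
}
```

To settle the salt question for your own installation, pull PasswordSalt and Password for a user whose password you know and call DetectMode on them; whichever mode returns a match is the one your provider build uses, and that is a far more reliable test than eyeballing whether the output "looks close". Note that this format is a single SHA1 over salt + password, fine for staying compatible with rows the framework already wrote, but not what you want for new password storage; the Rfc2898DeriveBytes approach in the next answer is the better default there.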
+1  A: 

Here is one way of doing it. A salt is just a random number; you can use the RNGCryptoServiceProvider class in the framework library to produce a good random number to use as a salt.

using System.Security.Cryptography;

private const int ITERATIONS = 10000;
private const int SALT_SIZE = 32;   // bytes
private const int HASH_SIZE = 32;   // bytes

// PBKDF2 (RFC 2898): the framework generates the random salt for you
public void SaltAndHashPassword(string password, out byte[] salt,
  out byte[] hash)
{
  Rfc2898DeriveBytes rdb = new Rfc2898DeriveBytes(
    password,
    SALT_SIZE,
    ITERATIONS);

  salt = rdb.Salt;                 // store this alongside the hash
  hash = rdb.GetBytes(HASH_SIZE);
}
CodeToGlory
Hi, I found this on MSDN: "PasswordSalt: Randomly generated 128-bit value used to salt password hashes; stored in base-64-encoded form" http://msdn.microsoft.com/en-us/library/aa478949.aspx So what would I do, up the salt_size to 128? How about hash size?
chobo2
They also have this: "MembershipPasswordFormat.Hashed (the default), which stores salted hashes generated from passwords and password answers. The salt is a random 128-bit value generated by the .NET Framework's RNGCryptoServiceProvider class. Each password/password answer pair is salted with this unique value, and the salt is stored in the aspnet_Membership table's PasswordSalt field. The result of hashing the password and the salt is stored in the Password field. Similarly, the result of hashing the password answer and the salt is stored in the PasswordAnswer field."
chobo2
Makes me wonder if it is Password + Salt.
chobo2
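Added example (editor's code, not from the thread) completing the Rfc2898DeriveBytes sketch above with the half it leaves out: verifying a password later, which needs the salt constructor rather than the salt-size one. It also answers the sizing question in the comments in code: the size arguments are bytes, so 128 bits is 16, and the hash length is independent of the salt length. The "iterations$salt$hash" record format and the constants are my choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the thread: PBKDF2 store and verify with Rfc2898DeriveBytes.
public static class Pbkdf2PasswordStore
{
    private const int Iterations = 10000;
    private const int SaltSizeBytes = 16;   // 128 bits, the size the MSDN text quotes; bytes, not bits
    private const int HashSizeBytes = 32;   // independent of the salt size

    // Record: "<iterations>$<salt b64>$<hash b64>", so the cost and salt travel with the hash.
    public static string Hash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSizeBytes, Iterations))
        {
            byte[] salt = kdf.Salt;                 // random, generated by the framework
            byte[] hash = kdf.GetBytes(HashSizeBytes);
            return Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
        }
    }

    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split('$');
        if (parts.Length != 3) return false;
        int iterations;
        if (!int.TryParse(parts[0], out iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] stored = Convert.FromBase64String(parts[2]);

        // Re-derive with the *stored* salt and iteration count, then compare without early exit.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] computed = kdf.GetBytes(stored.Length);
            int diff = 0;
            for (int i = 0; i < stored.Length; i++) diff |= computed[i] ^ stored[i];
            return diff == 0;
        }
    }

    public static void Main()
    {
        string record = Hash("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine("right: " + Verify("correct horse battery staple", record)); // True
        Console.WriteLine("wrong: " + Verify("correct horse battery stable", record)); // False
    }
}
```

The three-argument Rfc2898DeriveBytes constructors use HMAC-SHA1 as the PRF; newer frameworks add an overload taking a HashAlgorithmName if you want SHA-256. Storing the iteration count in the record is what lets you raise it for new passwords later without breaking verification of old ones.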