Here's the deal: I'm moving a .NET website to Python. I have a database with passwords hashed using the System.Security.Cryptography.SHA1Managed utility.

I'm creating the hash in .NET with the following code:

string hashedPassword = Cryptographer.CreateHash("MYHasher", userInfo.Password);

The MYHasher block looks like this:

<add algorithmType="System.Security.Cryptography.SHA1Managed, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=blahblahblah"
    saltEnabled="true" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=3.0.0.0, Culture=neutral, PublicKeyToken=daahblahdahdah"
    name="MYHasher" />

So for a given password, I get back and store in the database a 48 byte salted sha1. I assume the last 8 bytes are the salt. I have tried to reproduce the hashing process in Python by doing a sha1(salt + password) and sha1(password + salt) but I'm having no luck.

My questions to you:

  1. How are the public keys being used?
  2. How is the password rehashed using the salt?
  3. How is the salt created? (e.g., When I say saltEnabled="true", what extra magic happens?)

I need specific details that don't just reference other .NET libraries; I'm looking for the actual operational logic that happens in the black box.

Thanks!

+1  A: 

According to this previous thread, this should be something like sha1(password+salt)+salt. SHA-1 output is twenty bytes, so for 48 bytes this should be a 28-byte salt, not an 8-byte salt, unless some sort of encoding was used.

Thomas Pornin
+1  A: 

When you use the string CreateHash(string, string) overload, the following occurs:

  1. The string is converted to bytes using UTF16 (using Encoding.Unicode.GetBytes()).
  2. A random 16-byte salt is generated.
  3. The salt is appended to the converted string and hashed.
  4. The salt is appended to the hash.
  5. The hash+salt is converted back to a string using base64 (using Convert.ToBase64String()).

Rasmus Faber
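A Python reconstruction of the five steps above, added here as an example; it is not code from this thread or from the Enterprise Library, and the function names are my own. It assumes the stored value is exactly the base64 string of step 5, with the 16-byte salt following the 20-byte SHA-1 digest, and that step 3 hashes the UTF-16LE password bytes followed by the salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16                              # step 2: a random 16-byte salt
DIGEST_LEN = hashlib.sha1().digest_size    # SHA-1 digest is 20 bytes


def create_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Reproduce the steps described for HashAlgorithmProvider with saltEnabled="true".

    Passing a salt is only for reproducing an existing stored value; new
    hashes should leave it None so os.urandom() chooses it.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)                         # step 2
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    pw_bytes = password.encode("utf-16-le")                 # step 1: Encoding.Unicode is UTF-16LE, no BOM
    digest = hashlib.sha1(pw_bytes + salt).digest()         # step 3: sha1(password_bytes || salt)
    return base64.b64encode(digest + salt).decode("ascii")  # steps 4-5: base64(digest || salt)


def split_stored(stored: str) -> tuple:
    """Decode a stored value into (digest, salt); the salt is the trailing 16 bytes."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != DIGEST_LEN + SALT_LEN:
        raise ValueError(f"expected {DIGEST_LEN + SALT_LEN} decoded bytes, got {len(raw)}")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt taken from the stored value; compare in constant time."""
    try:
        digest, salt = split_stored(stored)
    except ValueError:            # binascii.Error (bad base64) is a ValueError subclass
        return False
    expected = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    demo_salt = bytes(range(SALT_LEN))                      # constructed, fixed salt for a reproducible demo
    stored = create_hash("correct horse", demo_salt)
    print(len(stored), stored, verify("correct horse", stored), verify("wrong", stored))
```

Decoded, the 48-character stored string is 36 bytes, a 20-byte digest plus the 16-byte salt, so the salt is recovered from the stored value itself rather than kept anywhere else.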
A: 

Where does it store this random 16-byte salt? I need to be able to reproduce the exact same hash.

benbinary