views:

486

answers:

2

I have been on this problem for a while. I need to compare a paasword that the user enters to a password that is in the membership DB. The password is hashed and has a salt. Because of the lack of documentation I do not know if the salt is append to the password and then hashed how how it is created.

I am unable to get this to match. The hash returned from the function never matches the hash in the DB and I know for fact it is the same password. Microsoft seems to hash the password in a different way then I am.

I hope someone has some insights please.

Here is my code:

 protected void Button1_Click(object sender, EventArgs e)
    {   
        //HERE IS THE PASSWORD I USE, SAME ONE IS HASHED IN THE DB
        string pwd = "Letmein44";
       //HERE IS THE SALT FROM THE DB
        string saltVar = "SuY4cf8wJXJAVEr3xjz4Dg==";
        //HERE IS THE PASSWORD THE WAY IT STORED IN THE DB AS HASH
        string bdPwd = "mPrDArrWt1+tybrjA0OZuEG1P5w=";
    // FOR COMPARISON I DISPLAY IT
        TextBox1.Text = bdPwd;
        // HERE IS WHERE I DISPLAY THE return from THE FUNCTION, IT SHOULD MATCH THE PASSWORD FROM THE DB.
        TextBox2.Text = getHashedPassUsingUserIdAsSalt(pwd, saltVar);

    }
private string getHashedPassUsingUserIdAsSalt(string vPass, string vSalt)
    {
        string vSourceText = vPass + vSalt;          
        System.Text.UnicodeEncoding vUe = new System.Text.UnicodeEncoding();
        byte[] vSourceBytes = vUe.GetBytes(vSourceText);            
        System.Security.Cryptography.SHA1CryptoServiceProvider vSHA = new System.Security.Cryptography.SHA1CryptoServiceProvider();
        byte[] vHashBytes = vSHA.ComputeHash(vSourceBytes);            
        return Convert.ToBase64String(vHashBytes);
    }
+1  A: 

Using a tool like Reflector, you can see what the membership provider does. This is what has worked for me in the past (assumes passwordFormat 1, i.e. SHA1) :

public static string GenerateHash(string pwd, string saltAsBase64)
{
    byte[] p1 = Convert.FromBase64String(saltAsBase64);
    return GenerateHash(pwd, p1);
}

public static string GenerateHash(string pwd, byte[] saltAsByteArray)
{
    System.Security.Cryptography.SHA1 sha = new System.Security.Cryptography.SHA1CryptoServiceProvider();

    byte[] p1 = saltAsByteArray;
    byte[] p2 = System.Text.Encoding.Unicode.GetBytes(pwd);

    byte[] data = new byte[p1.Length + p2.Length];

    p1.CopyTo(data, 0);
    p2.CopyTo(data, p1.Length);

    byte[] result = sha.ComputeHash(data);

    string res = Convert.ToBase64String(result);
    return res;
}

Where : "saltAsBase64" is from the PasswordSalt column of aspnet_Membership table.

EDIT :

Example usage :

        string pwd = "Letmein44";
        string saltAsBase64 = "SuY4cf8wJXJAVEr3xjz4Dg==";

        string hash = GenerateHash(pwd, saltAsBase64);  
        // hash : "mPrDArrWt1+tybrjA0OZuEG1P5w="    
Moe Sisko
@Moe, you are the best, you saved me. I do not know how to thank you.If there is anything at all I can do , name it.Thank you everybody for all your input, all of you have been so helpful. I just hope one day I will be as good as you and can also help others.Steve
Steve
+1  A: 

So much work! Microsoft makes life much easier:

string myhash = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(password + salt, "SHA1");

seraphym
I don't think this does what the op is after. Given the user's raw password, and base64 encoded salt (from the PasswordSalt column of the aspnet_Membership table), you ought to be able to generate the Password column of that aspnet_Membership table row. Although it looks like a handy function, this doesn't seem to do exactly that.
Moe Sisko
You are correct. Did look good for the job at hand at first glance. I guess that is why it did not come straight to mind.
Sky Sanders