tags:

views:

81

answers:

2
+1  Q: 

SHA1CryptoServiceProvider in .NET doesn't match UNIX shasum

I'm trying to share authentication between an ASP.NET app and another UNIX-based app, where the hashed password is stored in the database. I need to ensure the hashing algorithms on both platforms match.

This is how I'm hashing in C#:

var sha1 = new SHA1CryptoServiceProvider();
var passwordBytes = Encoding.UTF8.GetBytes(password);
var passwordHash = sha1.ComputeHash(passwordBytes);
var base64 = Convert.ToBase64String(passwordHash);
return base64;

If I use the password p@ssw0rd the hash is 57B2AD99044D337197C0C39FD3823568FF81E48A and the base64 of that hash is V7KtmQRNM3GXwMOf04I1aP+B5Io=. The base64 hash is what is stored in the db.

If I do the same thing on UNIX, I get a totally different hash:

echo p@ssw0rd | iconv -f ISO-8859-1 -t UTF-8 | shasum -a 1 | base64 -e produces ZTU3NmQwNmUzMTAwNmRkNzFhNTFjZTg5ZjViMGI4NWM2NTMyNzg3OCAgLQo=

If you try it with OpenSSL, use this echo "p@ssw0rd" |  openssl dgst -sha1 | openssl enc -base64 and you will get the same hash.

What is different about the two SHA1 algorithms that causes different hashes to be computed? I'm not salting these either.

UPDATE

The secret sauce is as follows: echo -n "p@ssw0rd" | openssl dgst -sha1 -binary | openssl enc -base64

echo -n strips the newline, and -binary is essential.

Hope this can help someone.

Thanks, Mark

+4  A: 
  • echo adds a newline, you need to do echo -n
  • shasum might do the same, check the output of that before you pipe it to base64)
  • sha1.ComputeHash() gives you back binary hash representation ,not the hexadecimal representation as the shasum utility produces - which means you're base64 encoding different things in C# vs the unix command line. Use e.g. var passwordHashHex = String.Concat(Array.ConvertAll(passwordHash , x => x.ToString("X2")); to convert to hex before you do the base64 conversion in C#
nos  2010-07-13 20:52:51
A: 

According to the manual:

The sums are computed as described in FIPS PUB 180-2. When checking, the input should be a former output of this program. The default mode is to print a line with checksum, a character indicating type ('*' for binary, '?' for portable, ' ' for text), and name for each FILE.

It's probably (I don't know) generating a salted hash. It's not of a length consistent with just a hash value alone.

Have you tried using "sha1sum" instead? I get conflicting information on this one, but it might work.

csharptest.net  2010-07-13 21:11:00

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?