theKindOfMe

December 4, 2008

ASP.net Membership Password Hashing Algorithm

Filed under: Uncategorized — yasi8h @ 1:47 am

Recently I had the chance to work with ASP.NET membership (http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx). After deciding to add the database schema required by ASP.NET to our application database itself, some questions were left on how to use the data in these ASP.NET services tables (the data related to user logins is in the aspnet_Membership table) from another, non-server-side application that uses the same database. Specifically, I needed to find out how the ASP.NET password hashing algorithm works, so that when another application wants to use that user login data, it knows how to generate the correct hash and authenticate the users.

It was apparent that it was using a “hash + (random?) salt per user” scheme to store the passwords (this is configurable; in my case it was configured to use the ‘hash’ method to store the users' passwords). After much googling I found out that there are some options we can give ASP.NET on what hashing algorithm to use, via the <machineKey> element in the config file. This article noted that ASP.NET used SHA1 by default. But I still didn’t know exactly how it generated the hash (i.e., is it password + salt, or salt + password, etc.), so I used Reflector to find out. The interesting code is in System.Web.Security.MembershipProvider.EncodePassword.

With that code (minus some unneeded logic) you can generate the same password hash that ASP.NET would. It also answers the ordering question: the Base64-decoded salt comes first, followed by the password as UTF-16 (Encoding.Unicode) bytes, and the SHA1 digest of that buffer is returned Base64-encoded.

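using System;
using System.Security.Cryptography;
using System.Text;

// Place this method inside a class of your own.
internal string EncodePassword(string pass, string salt)
{
   // Password as UTF-16LE bytes; the stored salt is Base64-encoded.
   byte[] bytes = Encoding.Unicode.GetBytes(pass);
   byte[] src = Convert.FromBase64String(salt);
   byte[] dst = new byte[src.Length + bytes.Length];
   byte[] inArray = null;
   // Hash input is the salt bytes followed by the password bytes.
   Buffer.BlockCopy(src, 0, dst, 0, src.Length);
   Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

   HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
   inArray = algorithm.ComputeHash(dst);

   // The result is the Base64-encoded SHA1 digest.
   return Convert.ToBase64String(inArray);
}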
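
The same computation from the non-.NET side, as an added example that is not part of the original post: a Python port of the method above plus a helper that checks a login attempt against a stored hash/salt pair. The function names and the sample salt and password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def encode_password(password: str, salt_b64: str) -> str:
    """Base64(SHA1(salt bytes + UTF-16LE password bytes)), as in the C# above."""
    salt = base64.b64decode(salt_b64, validate=True)
    # Encoding.Unicode in .NET is UTF-16 little-endian without a BOM.
    data = salt + password.encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_password(candidate: str, stored_hash_b64: str, salt_b64: str) -> bool:
    """Check a login attempt against a stored (hash, salt) pair."""
    try:
        expected = base64.b64decode(stored_hash_b64, validate=True)
        computed = base64.b64decode(encode_password(candidate, salt_b64))
    except (binascii.Error, ValueError):
        # Malformed Base64 in the row: fail closed instead of raising.
        return False
    # Compare raw digests in constant time to avoid a timing side channel.
    return hmac.compare_digest(expected, computed)


# Constructed sample row (not real data): 16-byte salt, hash derived from it.
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_HASH = encode_password("Passw0rd!", SAMPLE_SALT)

if __name__ == "__main__":
    print(verify_password("Passw0rd!", SAMPLE_HASH, SAMPLE_SALT))
    print(verify_password("passw0rd!", SAMPLE_HASH, SAMPLE_SALT))
```

A single salted SHA-1 round is cheap to brute-force offline, so this is best treated as a compatibility shim for reading existing rows rather than a scheme to adopt for new password storage.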

Hope this helps someone (or myself, in the future).


4 Comments »

  1. Great job mate! That’s exactly what I was looking for, cheers

    Comment by rob — April 24, 2009 @ 1:42 pm

  2. Worked like a charm. Thank you

    Comment by Sean — October 5, 2010 @ 5:03 pm

  3. Hi, I am getting an error here

    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

    Here is the Error

    ‘bool’ does not contain a definition for ‘BlockCopy’ and no extension method ‘BlockCopy’ accepting a first argument of type ‘bool’ could be found (are you missing a using directive or an assembly reference?)

    Please give me suggestion to get out of it.

    Comment by Srinivas — April 26, 2011 @ 6:52 am

  4. In this case we are thinking of the System.Buffer class, so you should use

    System.Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    System.Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

    I also wrote a similar article:

    http://svakodnevnica.com.ba/index.php?option=com_kunena&func=view&catid=4&id=4&Itemid=5&lang=en

    Also, I have one question! Is it possible to rewrite this function in MSSQL without calling DLLs from it?

    Fehim.

    Comment by Fox — August 4, 2011 @ 12:29 pm

