Different MD5 hashes in .NET and Classic ASP

M

MartyNg

I am running a system that has both Classic ASP applications and a
smattering of ASP.NET applications. We want to store passwords on a SQL
Server table as their MD5 hashes.

What is the safest way to get this hash value, and be able to verify it
against user logins in both Classic ASP and ASP.NET?

We have been working with the system.security.cryptopgraphy MD5
functions in .NET, and the functions here for Classic ASP
http://rossm.net/Electronics/Computers/Software/ASP/MD5.htm

We cannot seem to get the hashes to match up between platforms, even
after taking other forum posts into consideration, such as making sure
we are using UTF-8 encoding and such.

Would it be possible to create a web service in .NET that would return
the correct hashes on both platforms? We're new to .NET, so any sample
code or links to something similar in action would be great! Thank you.
 
C

Chris Fulstow

Hi,

I think this approach would definitely work, but you might have an
unnecessary overhead when calling the web service. Also, there isn't
any built-in support for web services in classic ASP, so you'd need to
write your own web service consumer with MSXML, or find a third-party
component to do it for you.

A better approach might be to wrap up your System.Security.Cryptography
MD5 .NET functions into an assembly, then use regasm.exe to make it
available to your ASP, as if it were a standard legacy COM component.

There some more info in the MS Knowledge Base article:
http://support.microsoft.com/?kbid=817248

Hope this helps,

Chris
 
K

Klaus H. Probst

We cannot seem to get the hashes to match up between platforms, even
after taking other forum posts into consideration, such as making sure
we are using UTF-8 encoding and such.

Good shankers, an MD5 digest of the same data should be *exactly* the same
regardless of what application or platform it was generated with. That's
why it's called an algorithm.

You need to figure out which of the two calculations is wrong (or maybe
both of them are!), and FIX them, not come up with a hack to go get the
hash from the source you *think* is right!

Verify the output of your code against an implementation you know is
right, like the md5sum utility that comes with Linsux or the BSDs. There
are lots of other tested/verified implementations out there.

The other problem you might be running into is the way you 'prepare' the
bytes (bad analogy) to feed them to the hash generator. Python for example
will generate different hashes for the same data read from a file if you
make the mistake of not opening the file in 'binary' mode.

In .NET this is not a problem as long as you use a *binary* reader, like
System.IO.FileStream. You mentioned UTF-8... that's besides the point. The
MD5 algo works on *bytes*, so string encoding is irrelevant in that
context.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top