SHA1 encoding differences with FormsAuthentication and SHA1CryptoServiceProvider

Discussion in 'ASP .Net Security' started by Super Julius, May 12, 2004.

  1. Super Julius

    Super Julius Guest

    Folks,

    I am struggling with the following problem. When I encode a string
    using FormsAuthentication or SHA1CryptoServiceProvider, I don't get
    the same encoding.

    In fact I have a SHA1 ASP implementation for one of our legacy
    applications but I have done the migration using the following code:

    private string Hash(string toHash)
    {
        string hashed = "";

        SHA1 sha1 = new SHA1CryptoServiceProvider();
        byte[] hash = sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(toHash));

        foreach(byte b in hash)
            hashed += Convert.ToString(b, 16).ToUpper();

        return hashed;
    }

    I then noticed that some values were not encoded the same way. So I
    tried using FormsAuthentication.HashPasswordForStoringInConfigFile(value,
    "SHA1"). Guess what, it encodes the values the same way the ASP
    SHA1 does.

    Basically this means that the code above with
    SHA1CryptoServiceProvider is just wrong. I have tried using all the
    encodings available when getting the bytes out of the string but I
    cannot get the same encoding.

    A value for which it does not work: ArntzHans

    Result with SHA1CryptoServiceProvider:
    1C4F53FA399F44D81BF4F8540B5127FB44EDA2

    Result with FormsAuthentication:
    1C4F53FA399F440D81BF4F8540B5127FB404EDA2
                  *                   *

    Note that the 2 '0' characters outlined on the 2nd result are missing
    from the first encoding.

    I have read a few threads from users having the same problem, but no
    concrete solution to the problem.

    Wish someone can help me sort this out.

    Thx
    Julien
     
    Super Julius, May 12, 2004
    #1

  2. Your problem is in the hex encoding loop. The ToString( b, 16) method gives
    you a one-char length for hex values of one digit. I suggest you use
    this function for hex encoding.

    BitConverter.ToString( hash ).Replace( "-", string.Empty ).ToUpper()

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Super Julius" <> wrote in message
    news:...
    > Folks,
    >
    > I am struggling with the following problem. When I encode a string
    > using FormsAuthentication or SHA1CryptoServiceProvider, I don't get
    > the same encoding.
    >
    > In fact I have a SHA1 ASP implementation for one of our legacy
    > applications but I have done the migration using the following code:
    >
    > private string Hash(string toHash)
    > {
    > string hashed = "";
    >
    > SHA1 sha1 = new SHA1CryptoServiceProvider();
    > byte[] hash = sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(toHash));
    >
    > foreach(byte b in hash)
    > hashed += Convert.ToString(b, 16).ToUpper();
    >
    > return hashed;
    > }
    >
    > I then noticed that some values were not encoded the same way. So I
    > tried using FormsAuthentication.HashPasswordForStoringInConfigFile(value,
    > "SHA1"). Guess what, it encodes the values the same way the ASP
    > SHA1 does.
    >
    > Basically this means that the code above with
    > SHA1CryptoServiceProvider is just wrong. I have tried using all the
    > encodings available when getting the bytes out of the string but I
    > cannot get the same encoding.
    >
    > A value for which it does not work: ArntzHans
    >
    > Result with SHA1CryptoServiceProvider:
    > 1C4F53FA399F44D81BF4F8540B5127FB44EDA2
    >
    > Result with FormsAuthentication:
    > 1C4F53FA399F440D81BF4F8540B5127FB404EDA2
    >               *                   *
    >
    > Note that the 2 '0' characters outlined on the 2nd result are missing
    > from the first encoding.
    >
    > I have read a few threads from users having the same problem, but no
    > concrete solution to the problem.
    >
    > Wish someone can help me sort this out.
    >
    > Thx
    > Julien
     
    Hernan de Lahitte, May 12, 2004
    #2

  3. Super Julius

    Super Julius Guest

    Thanks Hernan for your answer.

    You correctly pointed out the issue. The problem was my convert to hex value
    with Convert.ToString(b, 16).

    I have not tested your solution as I fixed the issue just before your
    post :) by using String.Format

    Anyway I guess this can be relevant to other folks...

    Here is the new code with

    private string Hash(string toHash)
    {
        string hashed = "";

        SHA1 sha1 = new SHA1CryptoServiceProvider();
        byte[] hash = sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(toHash));

        foreach(byte b in hash)
            hashed += String.Format("{0,2:X2}", b);

        return hashed;
    }

    Cheers
    Julius

     
    Super Julius, May 12, 2004
    #3
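
Added example, not code from any poster in this thread: it puts the unpadded encoder from post #1 next to a fixed-width one, shows how a stored SHA-1 hex string written by the unpadded encoder can be recognised by its length, and shows why unpadded hex is ambiguous. The class and method names are hypothetical, and the two short byte arrays are constructed inputs.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class HexEncodingDemo
{
    // Encoder from post #1: a byte below 0x10 becomes ONE character,
    // so the output length depends on the digest's content.
    static string HexUnpadded(byte[] data) =>
        string.Concat(data.Select(b => Convert.ToString(b, 16).ToUpper()));

    // Fixed-width encoder: always two characters per byte.
    static string HexPadded(byte[] data) =>
        string.Concat(data.Select(b => b.ToString("X2")));

    // A 20-byte SHA-1 digest encodes to exactly 40 hex characters.
    // A shorter stored value has lost leading zeros (or is corrupted).
    // A 40-character value proves nothing either way: a digest with no
    // byte below 0x10 looks identical under both encoders.
    static bool IsTruncatedSha1Hex(string stored) => stored.Length < 40;

    static void Main()
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            // Input value taken from post #1.
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes("ArntzHans"));
            string unpadded = HexUnpadded(digest);
            string padded = HexPadded(digest);
            Console.WriteLine("{0} len={1} truncated={2}",
                unpadded, unpadded.Length, IsTruncatedSha1Hex(unpadded));
            Console.WriteLine("{0} len={1} truncated={2}",
                padded, padded.Length, IsTruncatedSha1Hex(padded));
        }

        // Constructed inputs: two different byte sequences that the
        // unpadded encoder maps to the same string, so a comparison of
        // stored strings can no longer tell the underlying bytes apart.
        byte[] first = { 0x01, 0x23 };
        byte[] second = { 0x12, 0x03 };
        Console.WriteLine("unpadded equal: {0}", HexUnpadded(first) == HexUnpadded(second));
        Console.WriteLine("padded equal:   {0}", HexPadded(first) == HexPadded(second));
    }
}
```

Values already stored by the unpadded encoder cannot be re-padded reliably, because the position of each dropped zero is not recoverable from the string alone; they have to be recomputed from the original input.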