SQLMembershipProvider: Comparing Hashed Passwords

Discussion in 'ASP .Net Security' started by nigeaman, Mar 3, 2006.

  1. nigeaman

    nigeaman Guest

    Hi

    I am using the SQLMembershipProvider (SQL Server 2000) in ASP.NET 2.0 for
    forms authentication using a hashed password format.

    I am trying to compare a password the user enters with a list of old
    passwords the user has set, and then prevent users from entering the same
    password when they attempt to change their password.

    I have created the new audit table to store a copy of the passwords and salt
    values from the aspnet_membership table but cannot hash a password entered by
    the user to match the password in the database.

    I have a password in clear text and the encrypted salt value retrieved from
    the aspnet_membership table. What actions do I need to perform on both to get
    the encrypted password result that is stored in the aspnet_membership table?

    Thanks in advance
    Nige
    nigeaman, Mar 3, 2006
    #1

  2. Hello,

    Normally, HashResult = HashString(PasswordSalt + Password);

    using System.Security.Cryptography;
    using System.Text;

    byte[] HashString(string s)
    {
        // The string-to-bytes step was elided in the original snippet;
        // Encoding.Unicode (UTF-16LE) is assumed here, matching what the
        // membership provider uses for the password text.
        byte[] data = Encoding.Unicode.GetBytes(s);
        byte[] result;

        SHA1 sha = new SHA1CryptoServiceProvider();
        result = sha.ComputeHash(data);

        return result;
    }

    Hope this helps,


    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Mar 6, 2006
    #2

  3. nigeaman

    nigeaman Guest

    Hi Luke,

    What field is used to create the Password Salt stored in the
    aspnet_membership table? I have tried hashing the UserName and UserID
    separately using the function below, but this still does not match the
    PasswordSalt field stored against a specific user in the aspnet_membership
    table.

    Dim hashedtext As String = Convert.ToBase64String(HashString(PasswordSalt + newPassword))

    Private Function HashString(ByVal s As String) As Byte()

        Dim ue As New System.Text.UnicodeEncoding()
        Dim ueString As Byte() = ue.GetBytes(s)
        Dim RetVal As Byte() = Nothing

        Dim sha As System.Security.Cryptography.SHA1 = New System.Security.Cryptography.SHA1CryptoServiceProvider()
        RetVal = sha.ComputeHash(ueString)

        Return RetVal

    End Function

    Thanks
    Nigel


    "Luke Zhang [MSFT]" wrote:

    > Hello,
    >
    > Normally, HashResult = HashString(PasswordSalt + Password);
    >
    > byte[] HashString(string s)
    > {
    > ....
    > byte[] data = new byte[DATA_SIZE];
    > byte[] result;
    >
    > SHA1 sha = new SHA1CryptoServiceProvider();
    > result = sha.ComputeHash(data);
    >
    > }
    >
    > Hope this help,
    >
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    nigeaman, Mar 6, 2006
    #3
  4. Hi,

    The password salt is randomly generated.

    If you want to know what is really going on, grab a copy of Reflector and
    examine SqlMembershipProvider.ValidateUser;
    there you'll find the logic you are trying to rebuild.

    Another approach would be to handle MembershipProvider.ValidatingPassword
    (this gets called by CreateUserWizard, ChangePassword and PasswordRecovery).

    This gives you the chance to store the password in a history, check them, and
    cancel the provider operation.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Luke,
    >
    > What field is used to create the Password Salt stored in the
    > aspnet_membership table ? I have tried hashing the UserName and UserID
    > separately using the function below but this still does not match the
    > PasswordSalt field contained against a specific user in the
    > aspnet_membership table.
    >
    > Dim hashedtext As String =
    > Convert.ToBase64String(HashString(PasswordSalt + newPassword))
    >
    > Private Function HashString(ByVal s As String) As Byte()
    >
    > Dim ue As New System.Text.UnicodeEncoding()
    > Dim ueString As Byte() = ue.GetBytes(s)
    > Dim RetVal As Byte() = Nothing
    > Dim sha As System.Security.Cryptography.SHA1 = New
    > System.Security.Cryptography.SHA1CryptoServiceProvider()
    > RetVal = sha.ComputeHash(ueString)
    > Return RetVal
    >
    > End Function
    >
    > Thanks Nigel
    >
    > "Luke Zhang [MSFT]" wrote:
    >
    >> Hello,
    >>
    >> Normally, HashResult = HashString(PasswordSalt + Password);
    >>
    >> byte[] HashString(string s)
    >> {
    >> ....
    >> byte[] data = new byte[DATA_SIZE];
    >> byte[] result;
    >> SHA1 sha = new SHA1CryptoServiceProvider(); result =
    >> sha.ComputeHash(data);
    >>
    >> }
    >>
    >> Hope this help,
    >>
    >> Luke Zhang
    >> (This posting is provided "AS IS", with no warranties, and confers no
    >> rights.
    Dominick Baier [DevelopMentor], Mar 6, 2006
    #4
  5. nigeaman

    nigeaman Guest

    Hi Luke,

    FYI: I have also tried adding the hashed PasswordSalt for a specific user
    stored in the database to the clear text password the user enters. See code
    in my previous message. I have also tried using MD5 encryption, but still
    cannot match the password stored in the database.

    Dim passwordsalt As String = "lV8UArBDHMgv/Ts1IuLXyA=="

    Dim md5Hasher As New System.Security.Cryptography.MD5CryptoServiceProvider()

    Dim hashedBytes As Byte()
    Dim encoder As New System.Text.UTF8Encoding()

    'hashedBytes = md5Hasher.ComputeHash(encoder.GetBytes(passwordsalt + newPassword))
    hashedBytes = md5Hasher.ComputeHash(encoder.GetBytes(username))

    Dim hashedText As String = Convert.ToBase64String(hashedBytes)

    Thanks
    Nigel

    "nigeaman" wrote:

    > Hi Luke,
    >
    > What field is used to create the Password Salt stored in the
    > aspnet_membership table ? I have tried hashing the UserName and UserID
    > separately using the function below but this still does not match the
    > PasswordSalt field contained against a specific user in the aspnet_membership
    > table.
    >
    > Dim hashedtext As String = Convert.ToBase64String(HashString(PasswordSalt +
    > newPassword))
    >
    > Private Function HashString(ByVal s As String) As Byte()
    >
    > Dim ue As New System.Text.UnicodeEncoding()
    > Dim ueString As Byte() = ue.GetBytes(s)
    > Dim RetVal As Byte() = Nothing
    >
    > Dim sha As System.Security.Cryptography.SHA1 = New
    > System.Security.Cryptography.SHA1CryptoServiceProvider()
    > RetVal = sha.ComputeHash(ueString)
    >
    > Return RetVal
    >
    > End Function
    >
    > Thanks
    > Nigel
    >
    >
    > "Luke Zhang [MSFT]" wrote:
    >
    > > Hello,
    > >
    > > Normally, HashResult = HashString(PasswordSalt + Password);
    > >
    > > byte[] HashString(string s)
    > > {
    > > ....
    > > byte[] data = new byte[DATA_SIZE];
    > > byte[] result;
    > >
    > > SHA1 sha = new SHA1CryptoServiceProvider();
    > > result = sha.ComputeHash(data);
    > >
    > > }
    > >
    > > Hope this help,
    > >
    > >
    > > Luke Zhang
    > > (This posting is provided "AS IS", with no warranties, and confers no
    > > rights.)
    > >
    > >
    nigeaman, Mar 6, 2006
    #5
  6. nigeaman

    nigeaman Guest

    Hi Dominick

    Thanks for the tip. I tried downloading Reflector from
    http://www.aisto.com/roeder/dotnet/ but the link is broken. Do you have a
    copy, or know of another site I can download this tool from?

    Many Thanks
    Nigel

    "Dominick Baier [DevelopMentor]" wrote:

    > Hi,
    >
    > the password salt is randomly generated.
    >
    > If you want to know what is really going on - grab a copy of reflector and
    > examine SqlMembershipProvider.ValidateUser
    > there you'll find the logic you are trying to rebuild.
    >
    > Another approach would be to handle MembershipProvider.ValidatingPassword
    > - the gets called by CreateUserWizard, ChangePassword and PasswordRecovery -
    >
    > this gives you the chance to store the password in a history/check them and
    > cancel the provider operation
    > ..
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > Hi Luke,
    > >
    > > What field is used to create the Password Salt stored in the
    > > aspnet_membership table ? I have tried hashing the UserName and UserID
    > > separately using the function below but this still does not match the
    > > PasswordSalt field contained against a specific user in the
    > > aspnet_membership table.
    > >
    > > Dim hashedtext As String =
    > > Convert.ToBase64String(HashString(PasswordSalt + newPassword))
    > >
    > > Private Function HashString(ByVal s As String) As Byte()
    > >
    > > Dim ue As New System.Text.UnicodeEncoding()
    > > Dim ueString As Byte() = ue.GetBytes(s)
    > > Dim RetVal As Byte() = Nothing
    > > Dim sha As System.Security.Cryptography.SHA1 = New
    > > System.Security.Cryptography.SHA1CryptoServiceProvider()
    > > RetVal = sha.ComputeHash(ueString)
    > > Return RetVal
    > >
    > > End Function
    > >
    > > Thanks Nigel
    > >
    > > "Luke Zhang [MSFT]" wrote:
    > >
    > >> Hello,
    > >>
    > >> Normally, HashResult = HashString(PasswordSalt + Password);
    > >>
    > >> byte[] HashString(string s)
    > >> {
    > >> ....
    > >> byte[] data = new byte[DATA_SIZE];
    > >> byte[] result;
    > >> SHA1 sha = new SHA1CryptoServiceProvider(); result =
    > >> sha.ComputeHash(data);
    > >>
    > >> }
    > >>
    > >> Hope this help,
    > >>
    > >> Luke Zhang
    > >> (This posting is provided "AS IS", with no warranties, and confers no
    > >> rights.)

    >
    >
    >
    >
    nigeaman, Mar 6, 2006
    #6
  7. nigeaman

    nigeaman Guest

    Managed to download Reflector - fantastic tool. Thanks for this pointer,
    Dominick.

    This is the code that creates a hashed password:

    Friend Function EncodePassword(ByVal pass As String, ByVal salt As String) As String
        Dim buffer1 As Byte() = Encoding.Unicode.GetBytes(pass)
        Dim buffer2 As Byte() = Convert.FromBase64String(salt)
        Dim buffer3 As Byte() = New Byte((buffer2.Length + buffer1.Length) - 1) {}
        Dim buffer4 As Byte() = Nothing
        Buffer.BlockCopy(buffer2, 0, buffer3, 0, buffer2.Length)
        Buffer.BlockCopy(buffer1, 0, buffer3, buffer2.Length, buffer1.Length)
        Dim algorithm1 As System.Security.Cryptography.HashAlgorithm = System.Security.Cryptography.HashAlgorithm.Create(Membership.HashAlgorithmType)
        If algorithm1 Is Nothing Then
            Throw New Exception("Error creating hash algorithm type: SHA1")
        End If
        buffer4 = algorithm1.ComputeHash(buffer3)
        Return Convert.ToBase64String(buffer4)
    End Function


    "nigeaman" wrote:

    > Hi Dominick
    >
    > Thanks for the tip. Tried downloading Reflector from
    > http://www.aisto.com/roeder/dotnet/ but the link is broken . Do you have a
    > copy or no another site I can download this tool from.
    >
    > Many Thanks
    > Nigel
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    > > Hi,
    > >
    > > the password salt is randomly generated.
    > >
    > > If you want to know what is really going on - grab a copy of reflector and
    > > examine SqlMembershipProvider.ValidateUser
    > > there you'll find the logic you are trying to rebuild.
    > >
    > > Another approach would be to handle MembershipProvider.ValidatingPassword
    > > - the gets called by CreateUserWizard, ChangePassword and PasswordRecovery -
    > >
    > > this gives you the chance to store the password in a history/check them and
    > > cancel the provider operation
    > > ..
    > >
    > > ---------------------------------------
    > > Dominick Baier - DevelopMentor
    > > http://www.leastprivilege.com
    > >
    > > > Hi Luke,
    > > >
    > > > What field is used to create the Password Salt stored in the
    > > > aspnet_membership table ? I have tried hashing the UserName and UserID
    > > > separately using the function below but this still does not match the
    > > > PasswordSalt field contained against a specific user in the
    > > > aspnet_membership table.
    > > >
    > > > Dim hashedtext As String =
    > > > Convert.ToBase64String(HashString(PasswordSalt + newPassword))
    > > >
    > > > Private Function HashString(ByVal s As String) As Byte()
    > > >
    > > > Dim ue As New System.Text.UnicodeEncoding()
    > > > Dim ueString As Byte() = ue.GetBytes(s)
    > > > Dim RetVal As Byte() = Nothing
    > > > Dim sha As System.Security.Cryptography.SHA1 = New
    > > > System.Security.Cryptography.SHA1CryptoServiceProvider()
    > > > RetVal = sha.ComputeHash(ueString)
    > > > Return RetVal
    > > >
    > > > End Function
    > > >
    > > > Thanks Nigel
    > > >
    > > > "Luke Zhang [MSFT]" wrote:
    > > >
    > > >> Hello,
    > > >>
    > > >> Normally, HashResult = HashString(PasswordSalt + Password);
    > > >>
    > > >> byte[] HashString(string s)
    > > >> {
    > > >> ....
    > > >> byte[] data = new byte[DATA_SIZE];
    > > >> byte[] result;
    > > >> SHA1 sha = new SHA1CryptoServiceProvider(); result =
    > > >> sha.ComputeHash(data);
    > > >>
    > > >> }
    > > >>
    > > >> Hope this help,
    > > >>
    > > >> Luke Zhang
    > > >> (This posting is provided "AS IS", with no warranties, and confers no
    > > >> rights.)

    > >
    > >
    > >
    > >
    nigeaman, Mar 6, 2006
    #7
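The EncodePassword routine above fixes the two details the earlier attempts in this thread got wrong: the salt is Base64-decoded to raw bytes (not concatenated as text), and the password is encoded as UTF-16LE (Encoding.Unicode) before the salt bytes are prepended and the whole buffer hashed. The following is an added example, not code from the thread or from ASP.NET itself, that reproduces that byte layout in Python so the stored hash can be verified outside .NET, and then applies it to the password-history check Dominick suggested handling from ValidatingPassword. The salt value is the one quoted earlier in the thread; the history list, the function names and the "Passw0rd!" sample are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Tuple

# Salt value quoted earlier in this thread (16 raw bytes, Base64-encoded, as
# SqlMembershipProvider stores PasswordSalt).
EXAMPLE_SALT = "lV8UArBDHMgv/Ts1IuLXyA=="


def generate_salt() -> str:
    """Produce a fresh 16-byte random salt, Base64-encoded like PasswordSalt."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def encode_password(password: str, salt_b64: str, algorithm: str = "sha1") -> str:
    """Mirror EncodePassword: Base64(hash(salt_bytes || UTF-16LE(password))).

    'algorithm' stands in for Membership.HashAlgorithmType ("sha1" by default,
    "md5" also accepted by hashlib). Encoding.Unicode in .NET is UTF-16 little
    endian with no byte-order mark, which is exactly Python's "utf-16-le".
    """
    salt_bytes = base64.b64decode(salt_b64)
    password_bytes = password.encode("utf-16-le")
    digest = hashlib.new(algorithm, salt_bytes + password_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def is_reused(candidate: str, history: List[Tuple[str, str]], algorithm: str = "sha1") -> bool:
    """Return True if 'candidate' matches any (password_hash, salt) pair in history.

    Each historical entry keeps its own salt, so the candidate must be re-hashed
    under that salt before comparison. hmac.compare_digest keeps the comparison
    constant-time so the check does not leak how many characters matched.
    """
    for stored_hash, salt in history:
        if hmac.compare_digest(encode_password(candidate, salt, algorithm), stored_hash):
            return True
    return False


def build_history(passwords: List[str], algorithm: str = "sha1") -> List[Tuple[str, str]]:
    """Constructed helper: hash each old password under its own random salt."""
    history = []
    for old in passwords:
        salt = generate_salt()
        history.append((encode_password(old, salt, algorithm), salt))
    return history


if __name__ == "__main__":
    # Constructed sample: two previous passwords, then a change attempt.
    history = build_history(["Winter2005!", "Passw0rd!"])
    print("reuse of Passw0rd! rejected:", is_reused("Passw0rd!", history))
    print("new password accepted:", not is_reused("Spring2006!", history))
```

The check rejects a reused password even though every stored entry carries a different salt, because the candidate is hashed once per entry under that entry's salt. Wiring this into a ValidatingPassword handler would mean calling the equivalent of is_reused with the candidate and the user's stored (PasswordHash, PasswordSalt) rows and setting Cancel on the event when it returns true.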
  8. Thanks to Dominick Baier for providing the information about Reflector; it
    can help us better understand the problem. Actually, the underlying arithmetic
    is not public (even if we can learn some of it from Reflector), and the password
    salt is randomly generated. So the best solution for this issue is to create
    a customized MembershipProvider, record the password history and encrypt
    the password yourself.


    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Mar 7, 2006
    #8