Please Help - Encryption Problems


Jamie Sutherland

Hi,
I have a problem in that I have 2 applications writing to the same Database.
One App is web based and the other is windows/forms based.
Both have the same job in that they can reset a user's password in the
database. Both are using SHA1 encryption however they both give different
results when the programs are run.
If I run the windows exe file and set the password to password the exe
encrypts as follows: 5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8

If I run the web based version with the word password I get the following:
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

Notice the web version has extra in it.
Please help..... Below is the code I have been using for both versions:

Web Version:
Dim Pwd As String = "password"
Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(Pwd, "SHA1")
Return hashedPwd


Windows Exe Version:
Dim Pwd As String = Trim("password")
Dim Data As Byte()
Data = System.Text.Encoding.ASCII.GetBytes(Pwd)
Dim shaM As New SHA1Managed
Dim resultHash As Byte() = shaM.ComputeHash(Data)
Dim hashedpwd = ""
Dim b As Byte
For Each b In resultHash
    hashedpwd += Hex(b)
Next
Return hashedpwd


Thanks
Jamie
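
The two outputs in the post above differ only at the hash bytes 06 and 0B, which the exe output shows as 6 and B. The following is an added example, not code from the thread (class and method names are illustrative): it hashes the same password with both encodings and formats the digest with and without zero padding.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HexPaddingDemo   // illustrative name, not from the thread
{
    // One hex string per byte with no padding, like calling VB's Hex(b) in a
    // loop: a byte below 0x10 contributes a single character.
    static string HexUnpadded(byte[] bytes)
    {
        var sb = new StringBuilder();
        foreach (byte b in bytes) sb.Append(b.ToString("X"));
        return sb.ToString();
    }

    // "X2" always emits two characters per byte, so the length is fixed.
    static string HexPadded(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    static void Main()
    {
        const string pwd = "password";   // the sample value used in the post
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] fromAscii = sha1.ComputeHash(Encoding.ASCII.GetBytes(pwd));
            byte[] fromUtf8 = sha1.ComputeHash(Encoding.UTF8.GetBytes(pwd));

            // Pure-ASCII input encodes to the same bytes either way.
            Console.WriteLine("same digest:  " + (HexPadded(fromAscii) == HexPadded(fromUtf8)));
            Console.WriteLine("unpadded hex: " + HexUnpadded(fromAscii)
                + " (" + HexUnpadded(fromAscii).Length + " chars)");
            Console.WriteLine("padded hex:   " + HexPadded(fromAscii)
                + " (" + HexPadded(fromAscii).Length + " chars)");
        }
    }
}
```

Unpadded output also cannot be parsed back reliably because the byte boundaries are lost; in the VB loop the padded form is `b.ToString("X2")`.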
 

Joe Kaplan (MVP - ADSI)

It is probably an encoding problem. Forms auth uses UTF8 encoding and you
are using ASCII. I suggest you try switching to UTF8 first.

Joe K.
 

Hernan de Lahitte

I agree with Joe's suggestion.
The FormsAuthentication.HashPasswordForStoringInConfigFile method actually
encodes in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
suggest using the same method for both clients
(HashPasswordForStoringInConfigFile should be well suited in this case).
However, if you are hashing passwords for storing in a DB, I recommend that
you add a salt value to mitigate dictionary attacks. Check out this code
from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:

Creating a Salt Value
The following code shows how to generate a salt value by using random number
generation functionality provided by the RNGCryptoServiceProvider class
within the System.Security.Cryptography namespace.

public static string CreateSalt(int size)
{
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);
    return Convert.ToBase64String(buff);
}

Creating a Hash Value (with Salt)
The following code fragment shows how to generate a hash value from a
supplied password and salt value.

public static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = string.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
            saltAndPwd, "SHA1");
    return hashedPwd;
}


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.
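
The post above covers creating the salt and the hash; the check at login is the other half. The following is an added example, not code from the thread or from MSDN: it stores a salt per account, recomputes the hash from the stored salt, and compares without an early exit. `HashPassword`, `Verify` and `FixedTimeEquals` are illustrative names, and `HashPassword` is written on the assumption that the web side produces UTF-8, uppercase, two-digit hex as described in the thread, so a desktop client can compute it without referencing System.Web.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SaltedPasswordDemo   // illustrative name
{
    static string CreateSalt(int size)
    {
        byte[] buff = new byte[size];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(buff);
        return Convert.ToBase64String(buff);
    }

    // Same recipe as CreatePasswordHash in the post (password + salt, SHA-1),
    // with the encoding and hex format spelled out explicitly.
    static string HashPassword(string pwd, string salt)
    {
        byte[] data = Encoding.UTF8.GetBytes(string.Concat(pwd, salt));
        using (SHA1 sha1 = SHA1.Create())
            return BitConverter.ToString(sha1.ComputeHash(data)).Replace("-", "");
    }

    // Accumulate differences instead of returning at the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // The salt is read back from the account row, never regenerated at login.
    static bool Verify(string attempt, string storedSalt, string storedHash)
    {
        return FixedTimeEquals(HashPassword(attempt, storedSalt), storedHash);
    }

    static void Main()
    {
        // Constructed sample: two accounts that chose the same password.
        string saltA = CreateSalt(16), saltB = CreateSalt(16);
        string hashA = HashPassword("password", saltA);
        string hashB = HashPassword("password", saltB);
        Console.WriteLine("hashes equal across accounts: " + (hashA == hashB));
        Console.WriteLine("correct password, own salt:   " + Verify("password", saltA, hashA));
        Console.WriteLine("correct password, wrong salt: " + Verify("password", saltB, hashA));
    }
}
```

A single SHA-1 pass is fast to brute-force even with a salt; `Rfc2898DeriveBytes` (PBKDF2) is the iterated option built into .NET.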
 

Joe Kaplan (MVP - ADSI)

I also agree with Hernan in that adding random salt is very important to
prevent dictionary attacks. There have been some excellent articles written
on this topic recently.

Joe K.


Jamie Sutherland

Thanks Guys,
You have been so much help. FYI, I am using salt but I thought to remove the
code to save space etc. Have any of you had any experience of writing
a VLE (Virtual Learning Environment) (teaching online)? If so, what
could you recommend?

Again Many Thanks, I will try on Monday.


Jamie

