Please Help - Encryption Problems

  • Thread starter Thread starter Jamie Sutherland
  • Start date Start date
J

Jamie Sutherland

Hi,
I have a problem in that I have 2 applications writing to the same Database.
One App is web based and the other is windows/forms based.
Both have the same job in that they can reset a users password in the
database. Both are using SHA1 encryption however they both ghive different
results when the programs are run.
If I run the windows exe file and set the password to password the exe
encrypts as follows: 5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8

If I run the web based version with the word password I get the following:
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

Notice the web version has extra in it.
Please help..... Below is the code I have been using for both versions:

Web Version:
Dim PwdAs String = "password"
Dim hashedPwd As String =
FormsAuthentication.HashPasswordForStoringInConfigFile(Pwd, "SHA1")
Return hashedPwd


Windows Exe Version:
Dim PwdAs String = Trim("password")
Dim Data As Byte()
Data = System.Text.Encoding.ASCII.GetBytes(Pwd)
Dim shaM As New SHA1Managed
Dim resultHash As Byte() = shaM.ComputeHash(Data)
Dim hashedpwd = ""
Dim b As Byte
For Each b In resultHash
hashedpwd += Hex(b)
Next
Return hashedpwd


Thanks
Jamie
 
It is probably an encoding problem. Forms auth uses UTF8 encoding and you
are using ASCII. I suggest you try switching to UTF8 first.

Joe K.
 
I agree with Joe suggestion.
FormsAuthentication.HashPasswordForStoringInConfigFile method actually
encode in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
suggest to use the same methods for both clients
(HashPasswordForStoringInConfigFile should be well suited in this case).
However, if you are hashing passwords for storing in a DB, I recommend you
to add a salt value for dictionary attacks mitigation. Check out this code
from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:

Creating a Salt Value
The following code shows how to generate a salt value by using random number
generation functionality provided by the RNGCryptoServiceProvider class
within the System.Security.Cryptography namespace.

public static string CreateSalt(int size)
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
return Convert.ToBase64String(buff);
}Creating a Hash Value (with Salt)
The following code fragment shows how to generate a hash value from a
supplied password and salt value.

public static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = string.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "SHA1");
return hashedPwd;
}


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.
 
I also agree with Hernan in that adding random salt is very important to
prevent dictionary attacks. There have been some excellent articles written
on this topic recently.

Joe K.

Hernan de Lahitte said:
I agree with Joe suggestion.
FormsAuthentication.HashPasswordForStoringInConfigFile method actually
encode in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
suggest to use the same methods for both clients
(HashPasswordForStoringInConfigFile should be well suited in this case).
However, if you are hashing passwords for storing in a DB, I recommend you
to add a salt value for dictionary attacks mitigation. Check out this code
from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:

Creating a Salt Value
The following code shows how to generate a salt value by using random number
generation functionality provided by the RNGCryptoServiceProvider class
within the System.Security.Cryptography namespace.

public static string CreateSalt(int size)
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
return Convert.ToBase64String(buff);
}Creating a Hash Value (with Salt)
The following code fragment shows how to generate a hash value from a
supplied password and salt value.

public static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = string.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "SHA1");
return hashedPwd;
}


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Joe Kaplan (MVP - ADSI) said:
It is probably an encoding problem. Forms auth uses UTF8 encoding and you
are using ASCII. I suggest you try switching to UTF8 first.

Joe K.
 
Thanks Guys,
You have been so much help. FYI. I am using salt but i though to remove the
code save space etc....Have any of you people had any experiance of writting
a VLE (virtual Learning Enviroment) (teaching Online) if so what could thing
could you recommend?

Again Many Thanks, I will try on Monday.


Jamie


Joe Kaplan (MVP - ADSI) said:
I also agree with Hernan in that adding random salt is very important to
prevent dictionary attacks. There have been some excellent articles written
on this topic recently.

Joe K.

Hernan de Lahitte said:
I agree with Joe suggestion.
FormsAuthentication.HashPasswordForStoringInConfigFile method actually
encode in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
suggest to use the same methods for both clients
(HashPasswordForStoringInConfigFile should be well suited in this case).
However, if you are hashing passwords for storing in a DB, I recommend you
to add a salt value for dictionary attacks mitigation. Check out this code
from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:
Creating a Salt Value
The following code shows how to generate a salt value by using random number
generation functionality provided by the RNGCryptoServiceProvider class
within the System.Security.Cryptography namespace.

public static string CreateSalt(int size)
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
return Convert.ToBase64String(buff);
}Creating a Hash Value (with Salt)
The following code fragment shows how to generate a hash value from a
supplied password and salt value.

public static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = string.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "SHA1");
return hashedPwd;
}


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

in message news:%[email protected]...
It is probably an encoding problem. Forms auth uses UTF8 encoding and you
are using ASCII. I suggest you try switching to UTF8 first.

Joe K.

message Hi,
I have a problem in that I have 2 applications writing to the same
Database.
One App is web based and the other is windows/forms based.
Both have the same job in that they can reset a users password in the
database. Both are using SHA1 encryption however they both ghive different
results when the programs are run.
If I run the windows exe file and set the password to password the exe
encrypts as follows: 5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8

If I run the web based version with the word password I get the following:
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

Notice the web version has extra in it.
Please help..... Below is the code I have been using for both versions:

Web Version:
Dim PwdAs String = "password"
Dim hashedPwd As String =
FormsAuthentication.HashPasswordForStoringInConfigFile(Pwd, "SHA1")
Return hashedPwd


Windows Exe Version:
Dim PwdAs String = Trim("password")
Dim Data As Byte()
Data = System.Text.Encoding.ASCII.GetBytes(Pwd)
Dim shaM As New SHA1Managed
Dim resultHash As Byte() = shaM.ComputeHash(Data)
Dim hashedpwd = ""
Dim b As Byte
For Each b In resultHash
hashedpwd += Hex(b)
Next
Return hashedpwd


Thanks
Jamie
 
Back
Top