I'm currently migrating a CakePhp app to ASP.NET. One thing that is blocking me at this point is that I'm unable to get the right hashing method to get the right password fit so users are able to sign-in from the ASP.NET app.
I have the salt value that is set in config/core.php file.
I've googled to try to determined where to find which hashing algorithm is used, and was not able to find the right query or no result.
here is my C# method so far to hash the password.
public static string ToHash(this string password, string salt)
{
if (string.IsNullOrEmpty(password))
return "";
var provider = new SHA1CryptoServiceProvider();
var encoding = new UnicodeEncoding();
var bytes = provider.ComputeHash(encoding.GetBytes(salt + password));
return Encoding.UTF8.GetString(bytes);
}
I've tried to put the salt before or after the password, it's currently no matching at all, here is the hash password from the cakephp mysql database:
c7fb60ef77dbe3d1681a68e6741ee3a23cc1f41d
Here is what I have from my method
��3[v"���1�:�ѐ��
Not really sure where/how to solve this problem. Any help or hint would be appreciated.
Thanks
I have it!
At least it works for my configuration:
Find salt from Core.php (search for Security.salt in the file). Then, use this code (very similar to the question):
string input = textBox1.Text;
input = "your salt should be here" + input;
var provider = new SHA1CryptoServiceProvider();
var encoding = new UTF8Encoding();
var bytes = provider.ComputeHash(encoding.GetBytes(input));
sha1result.Text = Bin2Hex(bytes);
Helper for Bin2Hex is also here:
public static string Bin2Hex(byte[] ba)
{
string hex = BitConverter.ToString(ba);
return hex.Replace("-", "");
}
It wasn't easy finding it, I searched through some of internet (no results!) and finally resorted to source-digging.
Don't have the Cake sources with me right now, but you should easily be able to look up Cake's hashing and salting method in the source.
The above differences in data look like Cake transforms the hash bytes into a string with the hash's bytes in hex base. Whatever the difference in the hash method, you'll have to convert the C# hash's result into such a string as well before comparing them (or go the other way and parse Cake's hex string and build a byte array out of it).
Related
This should be so simple but I've spent 4 hours fiddling with this code and I just can't seem to get it to work.
The PHP code works as follows (I didn't write it and I can't change it, so I'm stuck with it):
$password = hash('sha512', "HelloWorld1");
$salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true);
$hashed = hash('sha512', $password.$salt);
$hashed and $salt are stored in the DB as is. That means $salt is already hashed for later on.
I have no idea why they decided to hash everything but what's done is done.
In this case, the result is
Pswd: ab3e648d69a71b33d0420fc3bfc9e2e8e3ef2a300385ea26bc22057a84cd9a5c359bd15c4a0a552122309e58938ce310839cd9d2ecad5f294266015d823331dd
Salt: fb5a0f741db0be2439dc14662aae3fc68eb5e16b446385d3ddd319b862d5e2d4f50488a39487b27fdd8ff7b7b76420fc3ebef2bce9e082ac15c9f2d6fe7d87fc
Now the login code on the C# side just needs to match a plain text hashed password along with the already hashed salt.
string password = "HelloWorld1";
string storedSalt = "fb5a0f741db0be2439dc14662aae3fc68eb5e16b446385d3ddd319b862d5e2d4f50488a39487b27fdd8ff7b7b76420fc3ebef2bce9e082ac15c9f2d6fe7d87fc";
using(SHA512 shaManaged = new SHA512Managed())
{
byte[] hashPassword = shaManaged.ComputeHash(Encoding.UTF8.GetBytes(password));
string hashPasswordString = BitConverter.ToString(hashPassword).Replace("-", "");
byte[] finalHash = shaManaged.ComputeHash(Encoding.UTF8.GetBytes(hashPasswordString + storedSalt));
Debug.WriteLine("Calculated Hash Password: " + BitConverter.ToString(finalHash).Replace("-", ""));
}
Essentially the idea is to
Hash the plain text password first (same as with the PHP code).
Convert the byte array to a string that matches the PHP format of hashing.
Then hash the hashed password and previously hashed salt together.
The result is as follows:
Stored Hash Password: AB3E648D69A71B33D0420FC3BFC9E2E8E3EF2A300385EA26BC22057A84CD9A5C359BD15C4A0A552122309E58938CE310839CD9D2ECAD5F294266015D823331DD
Calculated Hash Password: 189ABBA71AAEDDE5C8154558B68D59500A72E64D5F3F3C07EFA94F0126571FBB68C6ADD105E0C029BABF30CADD8A6A6B6E4749075854461A88EE1CE545E84507
Hopefully someone can spot where I'm going wrong :)
You have to tweak your code a little bit. Note the ToLowerInvariant(). C# returns upper case letters as string. As you see in your original code $salt and $password are returned with lower case letters, so your self calculated password hash hashPasswordString must also be lower case before concatenating with your storedSalt to gain the correct finalHash. Your shown expected result again uses upper case letters (maybe before stored it was converted in PHP?) so you don't need ToLowerCaseInvariant() on your final hash string.
Here is the code:
string password = "HelloWorld1";
string storedSalt = "fb5a0f741db0be2439dc14662aae3fc68eb5e16b446385d3ddd319b862d5e2d4f50488a39487b27fdd8ff7b7b76420fc3ebef2bce9e082ac15c9f2d6fe7d87fc";
using (SHA512 shaManaged = new SHA512Managed())
{
byte[] hashPassword = shaManaged.ComputeHash(Encoding.UTF8.GetBytes(password));
string hashPasswordString = BitConverter.ToString(hashPassword).Replace("-", "").ToLowerInvariant(); // Note the ToLowerInvariant();
byte[] finalHash = shaManaged.ComputeHash(Encoding.UTF8.GetBytes(hashPasswordString + storedSalt));
return BitConverter.ToString(finalHash).Replace("-", "");
}
Below are 2 similar code blocks. They take a string, encrypt in SHA512, then convert to Base64, I had trouble getting the second code block to produce the same results as my manual test using online calculators and encoders. So I broke the process down step by step and discovered that it was capable of producing the same results as my manual test but only if it behaved like the first code block. Why do these two code blocks produce different results? Thanks!
private void EditText_AfterTextChanged(object sender, AfterTextChangedEventArgs e)
{
//This builds a string to encrypt.
string domain = txtDomain.Text;
string username = txtUsername.Text;
string pin = txtPin.Text;
txtPreview.Text = string.Format("{0}+{1}+{2}", domain, username, pin);
//This takes the above string, encrypts it.
StringBuilder Sb = new StringBuilder();
SHA512Managed HashTool = new SHA512Managed();
Byte[] PhraseAsByte = System.Text.Encoding.UTF8.GetBytes(string.Concat(txtPreview.Text));
Byte[] EncryptedBytes = HashTool.ComputeHash(PhraseAsByte);
HashTool.Clear();
//This rebuilds the calculated hash for manual comparison.
foreach (Byte b in EncryptedBytes)
Sb.Append(b.ToString("x2"));
txtHash.Text = Sb.ToString();
//This takes the rebuilt hash and re-converts it to bytes before encoding it in Base64
EncryptedBytes = System.Text.Encoding.UTF8.GetBytes(string.Concat(txtHash.Text));
txtResult.Text = Convert.ToBase64String(EncryptedBytes);
}
and
private void EditText_AfterTextChanged(object sender, AfterTextChangedEventArgs e)
{
//This builds a string to encrypt.
string domain = txtDomain.Text;
string username = txtUsername.Text;
string pin = txtPin.Text;
txtPreview.Text = string.Format("{0}+{1}+{2}", domain, username, pin);
//This takes the above string, encrypts it.
StringBuilder Sb = new StringBuilder();
SHA512Managed HashTool = new SHA512Managed();
Byte[] PhraseAsByte = System.Text.Encoding.UTF8.GetBytes(string.Concat(txtPreview.Text));
Byte[] EncryptedBytes = HashTool.ComputeHash(PhraseAsByte);
HashTool.Clear();
//This takes the EncryptedBytes and converts them to base64.
txtResult.Text = Convert.ToBase64String(EncryptedBytes);
//This reverses the EncryptedBytes into readable hash for manual comparison
foreach (Byte b in EncryptedBytes)
Sb.Append(b.ToString("x2"));
txtHash.Text = Sb.ToString();
}
Found the answer, no thanks to your less-than-useful downvotes..
Encoding.Unicode is Microsoft's misleading name for UTF-16 (a double-wide encoding, used in the Windows world for historical reasons but not used by anyone else). http://msdn.microsoft.com/en-us/library/system.text.encoding.unicode.aspx
If you inspect your bytes array, you'll see that every second byte is 0x00 (because of the double-wide encoding).
You should be using Encoding.UTF8.GetBytes instead.
But also, you will see different results depending on whether or not you consider the terminating '\0' byte to be part of the data you're hashing. Hashing the two bytes "Hi" will give a different result from hashing the three bytes "Hi". You'll have to decide which you want to do. (Presumably you want to do whichever one your friend's PHP code is doing.)
For ASCII text, Encoding.UTF8 will definitely be suitable. If you're aiming for perfect compatibility with your friend's code, even on non-ASCII inputs, you'd better try a few test cases with non-ASCII characters such as é and 家 and see whether your results still match up. If not, you'll have to figure out what encoding your friend is really using; it might be one of the 8-bit "code pages" that used to be popular before the invention of Unicode. (Again, I think Windows is the main reason that anyone still needs to worry about "code pages".)
Source: Hashing a string with Sha256
I'm not coming up with the same values (using a known password).
I suspect it may be something having to do with encodings, but all the things I've tried haven't worked thus far:
windows code (c#?):
private static string EncodePassword(string password, string salt)
{
string encodedPassword = password;
HMACSHA1 hash = new HMACSHA1 { Key = Convert.FromBase64String(salt) };
encodedPassword = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
return encodedPassword;
}
perl code run on linux:
use Modern::Perl '2015';
use Digest::SHA qw(hmac_sha1 hmac_sha1_base64);
use MIME::Base64 qw(decode_base64 encode_base64);
use Unicode::String qw(utf16be utf16le);
say encode_base64(hmac_sha1($password, decode_base64($salt)));
# (or, equivalently)
say hmac_sha1_base64($password, decode_base64($salt));
my $le16 = utf16le($password);
my $be16 = utf16be($password);
say "ok, try utf-16 (le, then be)...";
say encode_base64(hmac_sha1($le16, decode_base64($salt)));
say encode_base64(hmac_sha1($be16, decode_base64($salt)));
# try reversing the hmac output?
my $hmac_bytes = hmac_sha1($password, decode_base64($salt));
my $rev_bytes = reverse $hmac_bytes;
say encode_base64($rev_bytes);
In the original C# code, in this line:
encodedPassword = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
a call to Encoding.Unicode.GetBytes transforms the password to a byte array via a UTF-16LE encoder.
You have to do the same transformation to get the same hash in Perl:
use Digest::SHA qw(hmac_sha1);
use MIME::Base64 qw(decode_base64 encode_base64);
use Encode qw(encode);
$utf16LEPassword = encode("UTF-16LE", $password);
print encode_base64(hmac_sha1($utf16LEPassword, decode_base64($salt)));
I'm trying to get a website Login page and a C# launcher to connect to a MySQL database, my C# code converts a string to SHA256 but in uppercase. So I figured it would be easier to change in PHP, so using strtoupper I pass the variable string for the encrypted password. It works great the only problem is this:
bec4c38f480db265e86e1650b1515216be5095f7a049852f76eea9934351b9ac - Original
BEC4C38F48DB265E86E1650B1515216BE5095F7A049852F76EEA9934351B9AC - C#
^ Right here there is meant to be a 0
I'm not sure what's gone wrong as both are using the exact same encryption method and it's odd that it's only one Character... Has anyone experienced this before?
PHP to encrypt text to SHA256 and then strtoupper:
$encrypt_password=(hash('sha256', $mypassword));
$s_password = strtoupper($encrypt_password);
C# Convert string to SHA256:
System.Security.Cryptography.SHA256 sha256 = new System.Security.Cryptography.SHA256Managed();
byte[] sha256Bytes = System.Text.Encoding.Default.GetBytes(txtpass.Text);
byte[] cryString = sha256.ComputeHash(sha256Bytes);
string sha256Str = string.Empty;
for (int i = 0; i < cryString.Length; i++)
{
sha256Str += cryString[i].ToString("X");
}
This is the only code that involves encrypting on both sides.
A value like 13 is just "D" not "0D" like would represented in the hash. You need to pad values that are less than 2 digits. Use "X2" as the format string.
The question is pretty much self-explanatory. I Googled many sites, many methods, tried many encodings, but I can't get it to match.
I'm trying to make the string "asdasd" match. (http://www.fileformat.info/tool/hash.htm?text=asdasd)
Try this
using System.Security.Cryptography
public static string HashPassword(string unhashedPassword)
{
return BitConverter.ToString(new SHA512CryptoServiceProvider().ComputeHash(Encoding.Default.GetBytes(unhashedPassword))).Replace("-", String.Empty).ToUpper();
}
BitConverter works just fine ...
var testVal = "asdasd";
var enc = new ASCIIEncoding();
var bytes = enc.GetBytes( testVal );
var sha = new SHA512Managed();
var result = sha.ComputeHash( bytes );
var resStr = BitConverter.ToString( result );
var nodash = resStr.Replace( "-", "" );
nodash.Dump();
(Fixed for 512-bit hash, sorry :)
I just spent several hours trying to get a .NET hash function to match PHP's Crypt function. Not fun.
There are multiple challenges here, since the PHP implementation of Crypt returns a base64 encoded string, and doesn't do multiple hashing iterations (e.g. 5000 is default for Crypt.) I was not able to get similar outputs from .NET using several libraries, until I found CryptSharp. It accepts a salt similar to PHP's (or the original C) function (e.g. "$6$round=5000$mysalt"). Note that there is no trailing $, and that if you don't provide a salt it will autogenerate a random one.
You can find CryptSharp here:
http://www.zer7.com/software.php?page=cryptsharp
Good background reading:
- http://www.akkadia.org/drepper/SHA-crypt.txt