Reputation: 7
I am building an application that uses SimpleMembershipProvider. I have to write something about how creating a new user works. Now I have to write about encrypting the password (and add the citation).
When I create a new user, I just use the WebSecurity.CreateUserAndAccount method. It automatically stores the user and his password in the database, and it also encrypts his password.
What mechanism is used here? I cannot find anything on the internet about that.
Is the Rfc2898DeriveBytes class used?
Upvotes: 0
Views: 80
Reputation: 44439
You'll find that if you go through the call stack, you will eventually end up in SimpleMembershipProvider.CreateAccount(string, string, bool).
This method calls string hashedPassword = Crypto.HashPassword(password); where Crypto is a helper class.
This method looks like the following:
using System;
using System.Security.Cryptography;

internal static class Crypto
{
    // Constant values as defined in System.Web.Helpers.Crypto (.NET Framework).
    private const int PBKDF2IterCount = 1000;
    private const int PBKDF2SubkeyLength = 256 / 8; // 32 bytes
    private const int SaltSize = 128 / 8;           // 16 bytes

    public static string HashPassword(string password)
    {
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }

        // Produce a version 0 password hash. The leading 0x00 byte is the format marker;
        // the layout is { 0x00, salt (16 bytes), PBKDF2-HMAC-SHA1 subkey (32 bytes) }, base64-encoded.
        byte[] salt;
        byte[] subkey;
        using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
        {
            salt = deriveBytes.Salt; // this constructor overload generates a random salt of SaltSize bytes
            subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
        }

        byte[] outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
        Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
        return Convert.ToBase64String(outputBytes);
    }
}
I believe this should answer your question.
Upvotes: 1
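An added example, not code from the answer above or from the ASP.NET source: a Python reimplementation of the stored-hash layout that HashPassword produces (marker byte 0x00, 16-byte salt, 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations, base64), together with the matching verification step, which is what you need to check or migrate SimpleMembership hashes offline. It assumes the library's constant values and Rfc2898DeriveBytes' HMAC-SHA1/UTF-8 defaults; the verify function is modelled on the library's VerifyHashedPassword (not shown on the page), and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constants matching System.Web.Helpers.Crypto (.NET Framework defaults)
SALT_SIZE = 128 // 8              # 16-byte salt
PBKDF2_ITER_COUNT = 1000          # PBKDF2 iterations used by the helper
PBKDF2_SUBKEY_LENGTH = 256 // 8   # 32-byte derived subkey
FORMAT_MARKER = 0x00              # leading "version 0" byte
HASH_LENGTH = 1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH  # 49 raw bytes before base64


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(0x00 | salt | PBKDF2-HMAC-SHA1 subkey), as Crypto.HashPassword does.

    Rfc2898DeriveBytes defaults to HMAC-SHA1 over the UTF-8 bytes of the password.
    The salt parameter exists only to make tests deterministic; real callers omit it.
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)  # fresh random salt per hash, like the constructor
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 PBKDF2_ITER_COUNT, PBKDF2_SUBKEY_LENGTH)
    return base64.b64encode(bytes([FORMAT_MARKER]) + salt + subkey).decode("ascii")


def verify_hashed_password(hashed_password: str, password: str) -> bool:
    """Recompute the subkey from the stored salt and compare it in constant time."""
    try:
        raw = base64.b64decode(hashed_password, validate=True)
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        return False
    # Wrong length or unknown marker: not a version 0 hash, so never a match.
    if len(raw) != HASH_LENGTH or raw[0] != FORMAT_MARKER:
        return False
    salt = raw[1:1 + SALT_SIZE]
    stored_subkey = raw[1 + SALT_SIZE:]
    computed = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                   PBKDF2_ITER_COUNT, PBKDF2_SUBKEY_LENGTH)
    return hmac.compare_digest(stored_subkey, computed)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample password
    print(stored, verify_hashed_password(stored, "correct horse battery staple"))
```

A hash produced by the real Crypto.HashPassword verifies with this code and vice versa, so it can be used to audit a dump of webpages_Membership rows without the .NET runtime.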