Terrance00

Reputation: 1678

ASP.NET Identity - Verify Password Without Framework

Background

I am using the Microsoft.AspNet.Identity framework in an MVC website. I implement all the standard features like password retrieval, email confirmations etc. in the site.

My Problem

I want to create a very basic app in Xamarin C#, but I want it to use the database that I have set up with my website, and that - of course - includes verifying passwords.

By my thoughts it should go something like this:

  1. User enters login details on phone.
  2. Phone hashes password and consumes WCF service which takes hash string as input
  3. Returns bool. Depending on hash verification.

I can not use Microsoft.AspNet.Identity on my Xamarin App.

Question

How do I recreate the hash that Asp.Identity uses so I can verify the passwords?

If the case is that I have to consume the WCF with the raw password (Is this safe?) and do the hashing on the service itself - will I be able to use Identity framework? If not then I still have the problem of creating / verifying the hash.

Also if I am way off base with my understanding of these hash functions please feel free to educate me :)

Extra Info

The hash functions I have tried give completely different hashes to that of the Identity framework - and in my testing I have found that creating users with exactly the same passwords gives different hashes. (Due to the salt used?)

Upvotes: 0

Views: 1131

Answers (1)

Terrance00

Reputation: 1678

Okay, I have found a solution.

Posting for the sake of people with similar problems.

Referring to this answer by zespri. Upvoted by the way.

I have decided to consume the WCF with the raw password and username and simply use the function to verify that the answer stated above provides.

EDIT

Just to clarify, it is this bit of code (taken from the above link) that I use to verify the password:

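using System;
using System.Security.Cryptography;

// Verifies a password against a stored ASP.NET Identity hash.
// ByteArraysEqual is a helper that is not shown in this post.
public static bool VerifyHashedPassword(string hashedPassword, string password)
{
    byte[] buffer4;
    if (hashedPassword == null)
    {
        return false;
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    // The stored value is Base64 of 49 bytes: a 0x00 marker, a 16-byte salt, a 32-byte subkey.
    byte[] src = Convert.FromBase64String(hashedPassword);
    if ((src.Length != 0x31) || (src[0] != 0))
    {
        return false;
    }
    // Salt: bytes 1..16.
    byte[] dst = new byte[0x10];
    Buffer.BlockCopy(src, 1, dst, 0, 0x10);
    // Stored subkey: bytes 17..48.
    byte[] buffer3 = new byte[0x20];
    Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
    // Re-derive the subkey with PBKDF2 (HMAC-SHA1) using the stored salt; 0x3e8 = 1000 iterations.
    using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
    {
        buffer4 = bytes.GetBytes(0x20);
    }
    return ByteArraysEqual(buffer3, buffer4);
}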

Upvotes: 1
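The stored-hash layout that the verification code above expects, shown from both directions as an added example (not code from the original post, the linked answer, or ASP.NET Identity itself): it creates a hash in that format and verifies it, which also shows why the same password produces different hashes, as observed in the question. The class name IdentityV2Hash and the sample passwords are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

// Added example; the class name IdentityV2Hash is hypothetical, not part of ASP.NET Identity.
public static class IdentityV2Hash
{
    // Sizes and iteration count as read from the answer's code (0x10, 0x20, 0x3e8).
    const int SaltSize = 16, SubkeySize = 32, Iterations = 1000;
    // Layout: 0x00 marker | 16-byte random salt | 32-byte PBKDF2 subkey, then Base64.
    public static string Hash(string password)
    {
        if (password == null) throw new ArgumentNullException("password");
        byte[] output = new byte[1 + SaltSize + SubkeySize]; // output[0] stays 0x00
        // This constructor draws a fresh random salt, so every call gives a different string.
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations))
        {
            Buffer.BlockCopy(kdf.Salt, 0, output, 1, SaltSize);
            Buffer.BlockCopy(kdf.GetBytes(SubkeySize), 0, output, 1 + SaltSize, SubkeySize);
        }
        return Convert.ToBase64String(output);
    }

    public static bool Verify(string hashedPassword, string password)
    {
        if (hashedPassword == null || password == null) return false;
        byte[] src;
        try { src = Convert.FromBase64String(hashedPassword); }
        catch (FormatException) { return false; } // malformed stored value
        if (src.Length != 1 + SaltSize + SubkeySize || src[0] != 0) return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(src, 1, salt, 0, SaltSize);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            actual = kdf.GetBytes(SubkeySize);
        // Fixed-time comparison: every byte is examined, so timing does not reveal the first mismatch.
        int diff = 0;
        for (int i = 0; i < SubkeySize; i++) diff |= src[1 + SaltSize + i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string a = Hash("correct horse"), b = Hash("correct horse"); // constructed sample password
        Console.WriteLine(a == b);                      // same password hashed twice, compared as strings
        Console.WriteLine(Verify(a, "correct horse"));  // each hash checked against the right password
        Console.WriteLine(Verify(b, "correct horse"));
        Console.WriteLine(Verify(a, "wrong password")); // and against a wrong one
    }
}
```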
