Barry Franklin

Reputation: 1820

Encrypting Password Like Forms Authentication in .net Core

I have an old app that runs a read-only membership provider. I am tasked with creating an admin page to help with adding/changing/deleting users from this app. The membership provider uses FormsAuthentication, which I cannot use because my admin app is in .net Core. I'm trying to reverse-engineer the way they encrypt using FormsAuthentication and I have this so far:

They use:

FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1").ToLower();

I've reverse-engineered it to:

(string pwd is passed in)

HashAlgorithm hashAlgorithm = new HMASHA1();
var step1 = Encoding.UTF8.GetBytes(pwd);
var step2 = hashAlgorithm.ComputeHash(step1);
var step3 = BinaryToHex(step2);

And step3 comes out to something like this "AD626B9D42073B299ECFC664CCB7A8B01F3AF726", which looks like what the passwords look like in the XML user file for the old app.

I'm just curious if I use this method of hashing (which works in .net core), will the hashed passwords be able to be "validated" by FormsAuthentication?

My tests so far don't seem to be working. Any ideas? Am I doing it wrong?

EDIT: it is not HMASHA1, it's SHA1Cng - which I can't use because it is in System.Core in the .net framework 4.something... what can I use to do this in .net core?

Upvotes: 2

Views: 2149

Answers (2)

aegsomweb

Reputation: 83

Slightly different take, legacy hashed passwords in database

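using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Hash the input, then strip the hyphens BitConverter inserts so only hex digits remain.
string incoming = inCrypt(inputPassword);
incoming = Regex.Replace(incoming, @"[^0-9a-zA-Z]", "");

// SHA-1 over the UTF-8 bytes of the password, returned as hyphen-separated hex ("AD-62-...").
public string inCrypt(string pwd)
{
    using (var sha1 = SHA1.Create())
    {
        var step1 = Encoding.UTF8.GetBytes(pwd);
        var step2 = sha1.ComputeHash(step1);
        return BitConverter.ToString(step2);
    }
}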

It worked, and the hashed passwords can be compared as strings.

Upvotes: 1

Barry Franklin

Reputation: 1820

I figured it out, this works:

using System.Security.Cryptography;
using System.Text;

var sha1 = SHA1.Create();
var step1 = Encoding.UTF8.GetBytes(pwd);   // password as UTF-8 bytes
var step2 = sha1.ComputeHash(step1);       // 20-byte SHA-1 digest
var step3 = BinaryToHex(step2);            // hex string of the digest

BinaryToHex and its associated functions are copied from System.Web.Security.Cryptography.CryptoUtil.

Would still like to be able to do this in reverse and decrypt passwords.

Upvotes: 2
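
An added example, not part of either answer or of the legacy app: the same UTF-8, SHA-1, hex steps written with built-in .NET calls instead of a copied `BinaryToHex`, plus a check of a candidate password against a stored entry that ignores hex case and compares in fixed time. The class and method names are hypothetical, and it assumes .NET 5 or later (for `SHA1.HashData` and `Convert.ToHexString`).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the names are assumptions, not taken from the legacy app.
public static class LegacyFormsHash
{
    // UTF-8 bytes -> SHA-1 -> hex. The legacy call shown in the question
    // appends .ToLower(), so the stored form is lowercase hex.
    public static string Compute(string password)
    {
        byte[] digest = SHA1.HashData(Encoding.UTF8.GetBytes(password));
        return Convert.ToHexString(digest).ToLowerInvariant();
    }

    // Check a candidate password against a stored hex digest.
    // Decoding to bytes makes the comparison independent of hex case.
    public static bool Verify(string password, string storedHex)
    {
        if (password is null || storedHex is null) return false;

        byte[] stored;
        try
        {
            stored = Convert.FromHexString(storedHex.Trim());
        }
        catch (FormatException)
        {
            return false; // stored value is not valid hex
        }

        byte[] actual = SHA1.HashData(Encoding.UTF8.GetBytes(password));
        // Returns false when lengths differ; otherwise compares in fixed time.
        return CryptographicOperations.FixedTimeEquals(actual, stored);
    }

    public static void Main()
    {
        // Constructed sample: the well-known SHA-1 digest of the string "password".
        const string stored = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
        Console.WriteLine(Compute("password") == stored);
        Console.WriteLine(Verify("password", stored.ToUpperInvariant()));
        Console.WriteLine(Verify("Password", stored));
        Console.WriteLine(Verify("password", "not-hex"));
    }
}
```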
