Reputation: 9234
I am attempting to build an authentication mechanism using API keys for access.
As a precaution against relay attacks, I am hashing the API key with the current DateTime and checking on the server side.
Using the same code to hash on both the client and server, I get different results from each of the two calls.
I.e., the client hashes its API key and sends the hashed key and the datetime "salt" to the server.
The server takes the expected API key and hashes it with the datetime sent from the client.
My hashes never match (client hash != server hash).
This only occurs when I am running the client and server on separate machines (actually, another developer is attempting to write the client portion).
Everything works fine when I test on my local machine (running both client and server portions and attempting the authentication).
Question: Given the same input, will the .NET SHA256Managed class ComputeHash method return different results when run on different computers?
Upvotes: 0
Views: 1636
Reputation: 52420
The hash should always be the same. Your problem is likely because you are using the string representation of the date as the salt, and the string representation is different on each machine due to locale settings.
Upvotes: 1
Reputation: 43553
Take care if you use string because the encoding, current culture... might differ between different computers and that will give you different results (because the input is different byte-wise).
Upvotes: 1
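The cause both answers above describe, as an added C# example (not code from the question or from any answer): the same instant formatted under two cultures produces different bytes and therefore different hashes, while a culture-invariant timestamp string and an explicit encoding give both sides identical input. The `|` separator, the `Hash` helper and the sample key and time are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class TimestampedKeyHash
{
    // Hash "apiKey|timestamp" over explicit UTF-8 bytes, so the input
    // does not depend on any machine's default encoding.
    static string Hash(string apiKey, string timestamp)
    {
        using (var sha = SHA256.Create())
        {
            byte[] input = Encoding.UTF8.GetBytes(apiKey + "|" + timestamp);
            return BitConverter.ToString(sha.ComputeHash(input)).Replace("-", "");
        }
    }

    static void Main()
    {
        const string apiKey = "EXAMPLE-KEY-NOT-REAL";   // constructed sample value
        var now = new DateTime(2024, 3, 4, 13, 5, 9, DateTimeKind.Utc); // constructed sample time

        // Culture-dependent formatting: what DateTime.ToString() does implicitly
        // with each machine's current culture. Same instant, different strings.
        string us = now.ToString(CultureInfo.GetCultureInfo("en-US"));
        string de = now.ToString(CultureInfo.GetCultureInfo("de-DE"));
        Console.WriteLine("en-US: {0} -> {1}", us, Hash(apiKey, us));
        Console.WriteLine("de-DE: {0} -> {1}", de, Hash(apiKey, de));

        // Canonical formatting: round-trip ("o") pattern with the invariant culture.
        string canonical = now.ToString("o", CultureInfo.InvariantCulture);
        string clientHash = Hash(apiKey, canonical);

        // Server side: hash the timestamp string exactly as received.
        // Parse it only for validation, never re-format it before hashing.
        string received = canonical;
        DateTime parsed = DateTime.ParseExact(received, "o",
            CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
        string serverHash = Hash(apiKey, received);

        Console.WriteLine("canonical: {0} (parsed kind: {1})", canonical, parsed.Kind);
        Console.WriteLine("client == server: {0}",
            string.Equals(clientHash, serverHash, StringComparison.Ordinal));
    }
}
```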
Reputation: 141638
Given the same input, will the .NET SHA256Managed class ComputeHash method return different results when run on different computers?
No. If it does then the implementation is broken (unlikely), or the input is different.
Upvotes: 5