kcbruce

Premise: I'm writing a PHP app that runs alongside an ASP.NET site. I want to utilize the existing users and roles tables in the MSSQL server and can, except for one thing: matching the hashed passwords in the database. I found a blog that shows how .NET does the hashing (with salt) so I can try to recreate it in PHP. A developer on Twitter sent me this link which shows the .NET membership procedure for developing the hashes for passwords.

    private static HashAlgorithm passwordHasher = HashAlgorithm.Create("SHA1");

    private bool ValidateUser(string username, string password)
    {
        var user = GlobalApplication.Database.Users.FirstOrDefault(u => u.UserName == username);
        if (user == null) return false;

        // Salt is stored base64-encoded; the password is taken as UTF-8 bytes.
        byte[] saltBytes = Convert.FromBase64String(user.Membership.PasswordSalt);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);

        // Build salt || password in a single buffer.
        byte[] bytesToHash = new byte[saltBytes.Length + passwordBytes.Length];
        saltBytes.CopyTo(bytesToHash, 0);
        passwordBytes.CopyTo(bytesToHash, saltBytes.Length);

        // Hash the buffer and compare the base64 form with the stored value.
        byte[] hash = passwordHasher.ComputeHash(bytesToHash);
        string base64Hash = Convert.ToBase64String(hash);
        return user.Membership.Password == base64Hash;
    }

This was very useful in seeing what is done in C# and clues me into the procedures needed to replicate it in PHP. I've gleaned from search results that SHA1 is the hash algorithm used (and PHP has implementations of this). However, a couple of hurdles I've run into:

  1. Converting the UTF-8 password into bytes in PHP comes back as a string of 1's and 0's, and the salt unpacks as true binary (returning +7ª\ætR<_9deji|Ï).
  2. Not sure the "copyTo()" method is easily replaced by straight-out concatenation.

Thoughts?
My PHP code version of the above:

    <?php
    $hash_password = "bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=";
    $salt = "KzeqXOZ0UjwYOWRlaml8zw==";
    $password = "church";

    $salt = base64_decode($salt); //convert salt back to its binary state
    $passwordBytes = bstr2bin(utf8_encode($password)); //convert password to utf8 then binary

    echo "$salt<br>"; //prints "+7ª\ætR<9deji|Ï"
    echo "$passwordBytes<br>"; //prints 11000110110100001110101011100100110001101101000

    $bytesToHash = $salt + $passwordBytes; //combine the 2 binary objs
    $hash = sha1($bytesToHash, true); //sha1 hash it
    $hashedpassword = base64_encode($hash); //base64 encode it into a string

    echo "$hashedpassword<br>$hash_password";
    ?>

The last "echo" prints:

    2mOfuA7gRcDEYNJF9fjN83em+Jw=
    bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=
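
Added example, not part of the original post: a PHP check that follows the C# routine quoted above (base64-decode the salt, join salt and password bytes with `.`, hash, base64-encode) and compares the result with the stored value using `hash_equals`. The stored hash in the post decodes to 32 bytes while SHA-1 produces 20, so the code also tries SHA-256 and UTF-16LE password bytes; those extra candidates and the function names are assumptions, not something the post confirms.

```php
<?php
// Added example, not the poster's code. The candidate schemes are assumptions
// to test against the stored value. Requires the mbstring extension.

/** Return base64(H(salt || password)) for each candidate scheme, keyed by name. */
function membership_candidates(string $password, string $saltB64): array
{
    $salt = base64_decode($saltB64, true);          // raw salt bytes
    if ($salt === false) {
        throw new InvalidArgumentException('salt is not valid base64');
    }
    // A PHP string already is a byte sequence, so no "to binary" step is needed.
    $encodings = [
        'UTF-8'    => $password,                    // assumes the input string is UTF-8
        'UTF-16LE' => mb_convert_encoding($password, 'UTF-16LE', 'UTF-8'), // .NET Encoding.Unicode
    ];
    $out = [];
    foreach (['sha1', 'sha256'] as $algo) {
        foreach ($encodings as $encName => $pwBytes) {
            // The two CopyTo() calls in the C# are plain concatenation: "." (not "+").
            $out["$algo/$encName"] = base64_encode(hash($algo, $salt . $pwBytes, true));
        }
    }
    return $out;
}

/** Return the name of the first scheme whose digest equals the stored hash, or null. */
function match_membership_hash(string $password, string $saltB64, string $storedB64): ?string
{
    foreach (membership_candidates($password, $saltB64) as $name => $candidate) {
        if (hash_equals($storedB64, $candidate)) {  // constant-time comparison
            return $name;
        }
    }
    return null;
}

// Values taken from the post.
$stored = 'bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=';
$salt   = 'KzeqXOZ0UjwYOWRlaml8zw==';

// Digest length narrows the hash family: SHA-1 is 20 bytes, SHA-256 is 32.
printf("stored digest length: %d bytes\n", strlen(base64_decode($stored)));
var_dump(match_membership_hash('church', $salt, $stored));
```

A `null` result means none of these candidates is the scheme in use; the membership provider's configured hash algorithm on the ASP.NET site is the next thing to check.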