Recreating .NET's membership password hash algorithm


kcbruce

Premise:

I'm writing a PHP app that runs alongside an ASP.NET site. I want to utilize the existing users and roles tables in the MSSQL server and can, except for one thing: matching the hashed passwords in the database. I found a blog that shows how .NET does the hashing (with salt) so I can try to recreate it in PHP.

 

A developer on Twitter sent me this link which shows the .NET membership procedure for developing the hashes for passwords.

 

    private static HashAlgorithm passwordHasher = HashAlgorithm.Create("SHA1");

    private bool ValidateUser(string username, string password)
    {
        var user = GlobalApplication.Database.Users.FirstOrDefault(u => u.UserName == username);
        if (user == null) return false;

        // The salt is stored base64-encoded; the password is hashed as its UTF-8 bytes.
        byte[] saltBytes = Convert.FromBase64String(user.Membership.PasswordSalt);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);

        // bytesToHash = salt bytes followed by password bytes
        byte[] bytesToHash = new byte[saltBytes.Length + passwordBytes.Length];
        saltBytes.CopyTo(bytesToHash, 0);
        passwordBytes.CopyTo(bytesToHash, saltBytes.Length);

        // Hash the combined buffer and compare its base64 form with the stored value.
        byte[] hash = passwordHasher.ComputeHash(bytesToHash);
        string base64Hash = Convert.ToBase64String(hash);
        return user.Membership.Password == base64Hash;
    }

 

This was very useful in seeing what is done in C# and clues me in to the procedures needed to replicate it in PHP.

I've gleaned from search results that SHA1 is the hash algorithm used (and PHP has implementations of this).

 

However a couple of hurdles I've run into:

1. converting the UTF-8 password into bytes in PHP comes back as a string of 1's and 0's and the salt unpacks as true binary (returning +7ª\ætR<_9deji|Ï)

2. not sure the "copyTo()" method is easily replaced by straight out concatenation

 

Thoughts?

 

My PHP code version of the above:

 

<?php
$hash_password = "bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=";
$salt = "KzeqXOZ0UjwYOWRlaml8zw==";

$password = "church";

$salt = base64_decode($salt); //convert salt back to its binary state

$passwordBytes = bstr2bin(utf8_encode($password)); //convert password to utf8 then binary

echo "$salt<br>"; //prints "+7ª\ætR<9deji|Ï"
echo "$passwordBytes<br>"; //prints 11000110110100001110101011100100110001101101000

$bytesToHash = $salt + $passwordBytes; //combine the 2 binary objs
$hash = sha1($bytesToHash, true);  //sha1 hash it
$hashedpassword = base64_encode($hash); //base64 encode it into a string

echo "$hashedpassword<br>$hash_password";
?>

The last "echo" prints:

2mOfuA7gRcDEYNJF9fjN83em+Jw=

bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=

               

 


You might not find a lot of help on here, but I'll try and help you.  For one, who knows how MS implemented SHA1.  You can see that piece of code is using a class called HashAlgorithm, who knows if that's built into the .NET framework or if it was coded by some third-party programmer.

 

With that said, the only glaring thing I can see missing from your code is the UTF-8 encoding.

 

Another thing to look at is another implementation of encryption that PHP offers which is mcrypt.  I believe you can implement SHA1 through mcrypt as well.

 

Here are some links which may be of use:

http://php.net/manual/en/function.utf8-encode.php

http://php.net/manual/en/book.mcrypt.php
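
A PHP port of the C# steps quoted in the first post, as an added example that is not part of either post and is not .NET's own code. It also compares digest lengths before hashing: the stored value in the question decodes to 32 bytes, while SHA-1 produces 20, so no SHA-1 result can equal it. The function names and the candidate algorithm list are assumptions of the example, and the password string is assumed to be UTF-8 already.

```php
<?php
declare(strict_types=1);

// Raw digest sizes in bytes; this candidate list is an assumption of the example.
const DIGEST_BYTES = ['md5' => 16, 'sha1' => 20, 'sha256' => 32, 'sha384' => 48, 'sha512' => 64];

// Algorithms whose digest is exactly as long as the stored, base64-decoded hash.
function candidate_algos(string $storedB64): array
{
    $stored = base64_decode($storedB64, true);
    if ($stored === false) {
        throw new InvalidArgumentException('stored hash is not valid base64');
    }
    return array_keys(DIGEST_BYTES, strlen($stored), true);
}

// The C# steps: decode the salt, append the password bytes, hash, base64-encode.
function salted_hash(string $password, string $saltB64, string $algo): string
{
    $salt = base64_decode($saltB64, true);
    if ($salt === false) {
        throw new InvalidArgumentException('salt is not valid base64');
    }
    // PHP strings are byte strings, so "." does the job of the two CopyTo() calls.
    return base64_encode(hash($algo, $salt . $password, true));
}

// Returns the algorithm that reproduces the stored hash, or null if none does.
function verify_password(string $password, string $saltB64, string $storedB64): ?string
{
    foreach (candidate_algos($storedB64) as $algo) {
        if (hash_equals($storedB64, salted_hash($password, $saltB64, $algo))) {
            return $algo;
        }
    }
    return null;
}

// Constructed sample: a fresh salt and a SHA-1 hash built with the same routine.
$salt   = base64_encode(random_bytes(16));
$stored = salted_hash('correct horse', $salt, 'sha1');
var_dump(verify_password('correct horse', $salt, $stored));
var_dump(verify_password('wrong guess', $salt, $stored));

// Values from the question: length check first, then the comparison itself.
$postHash = 'bgT8AutbQgtlec0VNhhtmAXdXxvI0V/96Vj48KRz26E=';
var_dump(candidate_algos($postHash));
var_dump(verify_password('church', 'KzeqXOZ0UjwYOWRlaml8zw==', $postHash));
```

A null result for the question's values would mean the stored hash was not produced by plain salt-then-password hashing of UTF-8 bytes under any algorithm in the list.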
