2

I am looking to use ServiceStack for an upcoming project, but I want to use bcrypt for hashing passwords. Currently the builtin repositories use SHA256 hashing. Is there any way for me to leverage the existing authentication code and use bcrypt instead?

Blake B

1 Answer

1

To clarify here, the password hashing in ServiceStack's Auth Provider is only used in Auth Providers that store a UserName / Password, i.e. the Credentials / Basic / Digest Auth providers.

Unfortunately the hashing provider is not easily swappable since it's used in a few places in each of the different UserAuthRepo providers, see SaltedHash() in the OrmLiteAuthRepository and the RedisAuthRepository:

If you can come up with a shared interface that works with both the SHA256 SaltedHash that ServiceStack currently uses and something that also works with bcrypt I can re-factor it to make the Hashing provider overridable. i.e. Can a bcrypt hashing provider be made to work with this interface?

```csharp
public interface IHashProvider {
    void GetHashAndSalt(byte[] Data, out byte[] Hash, out byte[] Salt);
    void GetHashAndSaltString(string Data, out string Hash, out string Salt);
    bool VerifyHash(byte[] Data, byte[] Hash, byte[] Salt);
    bool VerifyHashString(string Data, string Hash, string Salt);
}
```

Otherwise is there one that will work for both?

mythz
  • This answers the question. I will see if I can get a bcrypt provider to fit that interface. Might be a little tricky because bcrypt has a work factor as well. – Blake B Oct 10 '12 at 20:33
  • 1
    Need something similar, though I would advise against BCrypt in .Net (see [Link](http://stackoverflow.com/a/6228051/135936)). I have an implementation using Pbkdf2 with HMAC signing. For this and other reasons I had to implement my own UserAuthRepository. As for work factor, site secret key etc., I have a settings class which gets injected into my crypto service. If you get further along with the interface, I'd be happy to share my implementation once I shore up tests. – JBland Nov 11 '12 at 15:54
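
An added example, not part of the original answer or of ServiceStack: one way a bcrypt provider could satisfy the interface quoted in the answer, assuming the third-party BCrypt.Net package is referenced. The class name `BCryptHashProvider` and the default work factor of 12 are hypothetical choices; the point shown is that bcrypt's salt string already carries the work factor, so the interface needs no extra member for it.

```csharp
using System;
using System.Text;
// Assumption: the third-party BCrypt.Net package supplies BCrypt.Net.BCrypt.
public interface IHashProvider // as quoted in the answer above
{
    void GetHashAndSalt(byte[] Data, out byte[] Hash, out byte[] Salt);
    void GetHashAndSaltString(string Data, out string Hash, out string Salt);
    bool VerifyHash(byte[] Data, byte[] Hash, byte[] Salt);
    bool VerifyHashString(string Data, string Hash, string Salt);
}

// Hypothetical class name; this is not a ServiceStack type.
public class BCryptHashProvider : IHashProvider
{
    private readonly int workFactor;
    public BCryptHashProvider(int workFactor = 12) { this.workFactor = workFactor; }

    public void GetHashAndSaltString(string Data, out string Hash, out string Salt)
    {
        // The salt string has the form "$2a$12$<22 chars>": version and cost travel with it.
        Salt = BCrypt.Net.BCrypt.GenerateSalt(workFactor);
        Hash = BCrypt.Net.BCrypt.HashPassword(Data, Salt);
    }

    public bool VerifyHashString(string Data, string Hash, string Salt)
    {
        // Reject a stored pair whose hash was not derived from the stored salt.
        if (Hash == null || Salt == null || !Hash.StartsWith(Salt, StringComparison.Ordinal))
            return false;
        // Verify re-reads version, cost and salt from the hash prefix and compares.
        return BCrypt.Net.BCrypt.Verify(Data, Hash);
    }

    // bcrypt works on strings, so raw input is Base64-encoded and outputs are ASCII bytes.
    // bcrypt only considers the first 72 bytes of input, i.e. 54 raw bytes after Base64.
    public void GetHashAndSalt(byte[] Data, out byte[] Hash, out byte[] Salt)
    {
        string hash, salt;
        GetHashAndSaltString(Convert.ToBase64String(Data), out hash, out salt);
        Hash = Encoding.ASCII.GetBytes(hash);
        Salt = Encoding.ASCII.GetBytes(salt);
    }

    public bool VerifyHash(byte[] Data, byte[] Hash, byte[] Salt)
    {
        return VerifyHashString(Convert.ToBase64String(Data),
            Encoding.ASCII.GetString(Hash), Encoding.ASCII.GetString(Salt));
    }
}
```

Because each stored hash records the cost it was created with, raising `workFactor` later affects only newly created hashes; existing ones still verify at their original cost.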