2

I have an existing site that I want to upgrade to MVC 5. I’d like to take advantage of the new ASP.NET Identity. There doesn’t seem to be a direct way of migrating my existing users i.e. copying passwords and salts to the new database scheme. A previous question I had about this suggested capturing the passwords as users log in and migrating them to the new authentication system one at a time.

For this to work I need to manually authenticate the users of the old system. After some googling it seems the following code should work:

    public static string EncodePassword(string pass, string salt)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(pass);
        byte[] src = Convert.FromBase64String(salt);
        byte[] dst = new byte[src.Length + bytes.Length];
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }

But I am having no luck. Here is a password, password hash, and salt from the old membership table:

    Password: password
    Hash: A1sWiqXLSFx892gfZli5Mn85hZqjW1Vg6BAQ12S7B40=
    Salt: Hou1PWslN7MQ+PjFLlW5Xg==
    Format: 1

And from web.config:

    <membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="Ultra" />
        <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="Ultra" />
      </providers>
    </membership>

Can someone explain what algorithm I should use to manually check this password?

Alex
  • Can you use Membership.ValidateUser? – Mike Cheel Dec 05 '13 at 17:33
  • That’s what I use on the old site. I don’t want to wire up the old membership plumbing on the new site. I thought just manually checking it would be cleaner. The new site uses UserManager.FindAsync() – Alex Dec 05 '13 at 17:41
  • I think that is going to be the easiest way to migrate. – Mike Cheel Dec 05 '13 at 17:44
  • Take a look at this QA on wiring up a custom password hasher in ASP.NET Identity [http://stackoverflow.com/questions/19957176/asp-net-identity-password-hashing]. – Kevin Junghans Dec 06 '13 at 16:46

3 Answers

1

I was able to use an algorithm based on this post https://stackoverflow.com/a/19184807/1626624

Here’s the algorithm for hashing passwords.

    // Requires: using System; using System.Security.Cryptography; using System.Text;
    public static string EncodePassword(string pass, string salt)
    {
        var passBytes = Encoding.Unicode.GetBytes(pass);   // password as UTF-16LE bytes
        var saltBytes = Convert.FromBase64String(salt);    // salt is stored Base64-encoded
        var keyedHashAlgorithm = (KeyedHashAlgorithm)HashAlgorithm.Create("HMACSHA256");
        var keyBytes = new byte[keyedHashAlgorithm.Key.Length];
        var num1 = 0;

        // Build the HMAC key by repeating the salt until the key buffer is full.
        while (num1 < keyBytes.Length)
        {
            var num2 = Math.Min(saltBytes.Length, keyBytes.Length - num1);

            Buffer.BlockCopy(saltBytes, 0, keyBytes, num1, num2);
            num1 = num1 + num2;
        }

        keyedHashAlgorithm.Key = keyBytes;

        // HMAC the password with the salt-derived key and return it Base64-encoded.
        return Convert.ToBase64String(keyedHashAlgorithm.ComputeHash(passBytes));
    }
Alex
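As an added example (not code from the original posts or from ASP.NET Identity itself), the HMACSHA256 check from the answer above can be wrapped in an ASP.NET Identity password hasher so that legacy accounts are verified at login. The class name and the `hash|format|salt` layout of the migrated `PasswordHash` value are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNet.Identity;

// Hypothetical class name. Assumes migrated rows store "hash|format|salt"
// (Base64 hash, PasswordFormat, Base64 salt) in the PasswordHash column.
public class LegacyMembershipPasswordHasher : PasswordHasher
{
    public override PasswordVerificationResult VerifyHashedPassword(
        string hashedPassword, string providedPassword)
    {
        var parts = (hashedPassword ?? string.Empty).Split('|');
        if (parts.Length != 3)   // not a legacy value: use Identity's own format
            return base.VerifyHashedPassword(hashedPassword, providedPassword);
        if (parts[1] != "1" || providedPassword == null)   // only format 1 (hashed)
            return PasswordVerificationResult.Failed;
        byte[] expected, salt;
        try
        {
            expected = Convert.FromBase64String(parts[0]);
            salt = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return PasswordVerificationResult.Failed; }
        if (salt.Length == 0)    // an empty salt cannot fill the HMAC key
            return PasswordVerificationResult.Failed;
        return FixedTimeEquals(expected, LegacyHash(providedPassword, salt))
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Failed;
    }

    // Same scheme as the answer: HMAC key = salt repeated to the key length.
    private static byte[] LegacyHash(string password, byte[] salt)
    {
        using (var hmac = new HMACSHA256())
        {
            var key = new byte[hmac.Key.Length];
            for (int i = 0; i < key.Length; i += salt.Length)
                Buffer.BlockCopy(salt, 0, key, i, Math.Min(salt.Length, key.Length - i));
            hmac.Key = key;
            return hmac.ComputeHash(Encoding.Unicode.GetBytes(password));
        }
    }

    // Compare without exiting at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In this sketch `SuccessRehashNeeded` only signals that the stored value is still in the old format; replacing it with a hash from `HashPassword` after a successful login is left to the calling code.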
0

    MembershipUser user = Membership.Provider.GetUser(Txtboxemail.Text, false);
    if (Membership.ValidateUser(Txtboxemail.Text, pass.Text)) { }

Maybe you are in need of this.

0

Try using the tutorial Migrating an Existing Website from SQL Membership to ASP.NET Identity. It even has details on password hashing.

jd4u