4

I have an older site running on Classic ASP. I want to start hashing the passwords, seeing as they are stored in plain text on the server right now. I've used a BCrypt hash with PHP on a separate site and was hoping to find something similar for Classic ASP.

Side Question: I have a library that runs using PHP on the Classic ASP site. Could I run a PHP solution to hash the password or would that be ill-advised?

patrickSmith
  • Similar [question](http://stackoverflow.com/q/16555937/692942) might help and [another](http://stackoverflow.com/q/253673/692942). – user692942 Feb 11 '14 at 21:15
  • 1
    What is your current storage solution, i.e. SQL Server? – user692942 Feb 11 '14 at 21:20
  • I'm currently using SQL Server 2008. – patrickSmith Feb 11 '14 at 21:26
  • As an answer to your side question, don't walk that path. As for your first question, it is possible to MIX VBScript and JScript inside classic ASP (weird but true). If you can't find a VBScript implementation, I'm very sure you'll find a Javascript implementation. – Paul Feb 11 '14 at 23:59
  • @Paul There is already a function for the site that runs using PHP. It translates our site using GTranslate. Seeing as I have this PHP running already, I still shouldn't attempt a solution using PHP? – patrickSmith Feb 12 '14 at 17:43

4 Answers

3

After reading the OP question I conclude that the OP wants a hashing algorithm (example given: bcrypt).

Well, if you are looking for a hash in classic ASP it's a bit like a desert: not so many libraries.

This link, however, implements a SHA-1 hash: http://forums.aspfree.com/code-bank-54/asp-classic-sha1-hash-82166.html. It has the code (read all the comments as well); now you have a portable, cross-code implementable hash function.

```asp
<%
    Dim strPassWord, strHash, salt
    salt = "6XBMkpz39m8RFCpwt1Cofzbg1TTIN7yTGzMlayIfy9yBOPgX2zhfXM9X5mqv8HT6"
    strPassWord = "secret"
    strHash = hex_sha1(strPassWord & salt)

    Response.Write("<p><b>strPassWord:</b> " & strPassWord & "</p>")
    Response.Write("<p><b>strHash:</b> " & strHash & "</p>")
%>
```

Expanding to C#, Javascript, Python, ... and so on. So somewhere in the future - when you decide to leave classic ASP behind - you'll find that you are still able to use the stored hashed passwords.

Aidan Hakimian
Paul
  • 1
    How would I add salt to that hash? – patrickSmith Feb 12 '14 at 19:59
  • I've updated the answer. The salt was generated with KeePass, which has a generator function, so replace this salt with one of your own. – Paul Feb 12 '14 at 20:17
  • @Paul Did I miss something? – patrickSmith Feb 12 '14 at 20:55
  • @patrickSmith Sorry, another question got deleted, I think it could have been handled differently, that's all. Got my point across, deleting noise. – Aaron Bertrand Feb 12 '14 at 20:59
  • 1
    @patrickSmith Bcrypt is not PHP specific, and it *is* what you want (assuming there's a VBScript implementation out there, or you can install a COM component that you can call out to from ASP), not SHA-1, which is vulnerable to brute-force attacks. Additionally, what is shown here is not a salt, but a pepper. A salt is globally unique for each user. – Xander Apr 28 '14 at 22:06
  • To reiterate, bcrypt is NOT specific to PHP *and* it's a great choice for a hash function. See [this answer](http://security.stackexchange.com/a/6415/8464) to the question [cryptography - Do any security experts recommend bcrypt for password storage?](http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage) at the Information Security Stack Exchange site for a great overview of the security of bcrypt. – Kenny Evitt Jun 09 '14 at 13:59
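
The salt-versus-pepper distinction raised in the comments above, shown as an added Python example (not code from any poster on this page). It contrasts a fast hash with one site-wide constant against a slow key-derivation function with a random per-user salt; PBKDF2 from the standard library stands in for bcrypt here, and `STATIC_SALT`, `PEPPER`, `ITERATIONS` and the record format are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed values for illustration only.
STATIC_SALT = "site-wide-constant"          # identical for every user: a pepper
PEPPER = b"secret-kept-outside-the-database"  # hypothetical server-side secret
ITERATIONS = 200_000                        # assumed work factor; tune upward


def sha1_static(password):
    """Fast hash plus one constant shared by all users (the weak pattern)."""
    return hashlib.sha1((password + STATIC_SALT).encode("utf-8")).hexdigest()


def _derive(password, salt, iterations):
    # Key the password with the pepper first, then stretch it with the salt.
    keyed = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def hash_password(password, salt=None):
    """Return a self-describing record with a fresh 16-byte salt per user."""
    salt = os.urandom(16) if salt is None else salt
    dk = _derive(password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive from the stored salt and count; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or legacy record
    if scheme != "pbkdf2_sha256":
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def demo():
    # Two constructed users who happen to choose the same password.
    new_a, new_b = hash_password("secret"), hash_password("secret")
    return {
        "static_collides": sha1_static("secret") == sha1_static("secret"),
        "per_user_differs": new_a != new_b,
        "verify_ok": verify_password("secret", new_a),
        "verify_bad": verify_password("Secret", new_a),
    }
```

With the static constant, identical passwords produce identical stored values, so cracking one record cracks every account sharing that password; the per-user salt removes that property.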
3

The blog post in Kenny's answer has a good solution that leverages .NET's SHA512Managed class; unfortunately, it has some bugs. Here it is with the bugs zapped and the code tidied up.

```vbscript
Function Hash(stringToHash, salt)

    const SITE_WIDE_SALT = "THIS IS A SITE WIDE SALT, BUT COULD BE A GUID"

    ' COM-visible .NET classes: text encoder and SHA-512 implementation
    dim objUnicode : set objUnicode = CreateObject("System.Text.UnicodeEncoding")
    dim objSHA512 : set objSHA512 = Server.CreateObject("System.Security.Cryptography.SHA512Managed")

    ' Site-wide value, then the password, then the per-user salt
    dim saltedString : saltedString = SITE_WIDE_SALT & stringToHash & salt
    dim arrByte : arrByte = objUnicode.GetBytes_4(saltedString)
    ' Extra parentheses pass the byte array by value to the COM method
    dim strHash : strHash = objSHA512.ComputeHash_2((arrByte))

    Hash = ToBase64String(strHash)

    set objUnicode = nothing
    set objSHA512 = nothing
End Function


' Helper for function Hash: Base64-encodes a byte array
Function ToBase64String(rabyt)

    'Ref: http://stackoverflow.com/questions/1118947/converting-binary-file-to-base64-string
    dim xml : set xml = CreateObject("MSXML2.DOMDocument.3.0")
    xml.loadXml "<Root></Root>"
    xml.documentElement.dataType = "bin.base64"
    xml.documentElement.nodeTypedValue = rabyt

    ' Strip the line feeds that appear in the encoded text
    ToBase64String = Replace(xml.documentElement.Text, vbLf, "")

    set xml = nothing
End Function
```

To use it, simply call the Hash function with an individual salt.

```vbscript
dim hashedPassword
hashedPassword = Hash(password, "some random salt value")
```

Keith
2

I plan on implementing this soon, but for now my plan is to use BCrypt.Net in Classic ASP.

This blog post provides an example of using a hashing function implemented in .NET in Classic ASP code.

Basically, using BCrypt.Net, you should be able to create a 'COM-visible' wrapper interface for the relevant BCrypt.Net class methods and then be able to write Classic ASP code like the following:

```vbscript
Dim objBCrypt
Set objBCrypt = CreateObject("BCryptComInterface")

' HashPassword returns a string, so assign it without Set
Dim strHash
strHash = objBCrypt.HashPassword(the_password_to_be_hashed)
```

Note that the BCrypt class BCrypt.Net.BCrypt has three overloaded methods with the name HashPassword; I'm assuming that the method HashPassword in the COM interface corresponds to the .NET method that only accepts a single parameter. [The other methods would be accessed as HashPassword_2 and HashPassword_3. See this answer to the SO question .net - Overloads in COM interop (CCW) - IDispatch names include suffix (_2, _3, etc) for more details.]

If I learn more when I get around to implementing this myself, I'll update this answer.

Community
Kenny Evitt
  • 2
    I'm pretty sure BCrypt has no COM visible types so you'd have to write a COM wrapper to use it in ASP. – Keith Aug 31 '15 at 15:35
2

I created a COM DLL that allows you to use Bcrypt in Classic ASP:

https://github.com/as08/ClassicASP.Bcrypt

I also created similar COM DLLs for Argon2 and PBKDF2:

https://github.com/as08/ClassicASP.Argon2

https://github.com/as08/ClassicASP.PBKDF2

Installation instructions and code examples are available on GitHub.

Adam