12

What kind of algorithm does Asp.Net Identity framework use to encrypt the password? I have a scenario where android, iPhone, web and desktop use the same database. This password should be encrypted, so in ASP.NET MVC I have used Identity framework to encrypt the password. Now I need the algorithm to work for all platforms.

Any help will be appreciated.

Thanks in advance.

Rey
Shivraj
  • 1
    MD5 for Hashing and SHA1 for Encryption. – Arijit Mukherjee Jul 15 '14 at 05:18
  • This question is too broad, ASP.NET as a framework contains implementations of a lot of crypto algorithms, but the usage of the specific cipher, MAC or KDF is defined on the level of the specific product. – Oleg Estekhin Jul 15 '14 at 06:02
  • @OlegEstekhin http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1(v=vs.110).aspx FYIP For SHA1 encryption. – Arijit Mukherjee Jul 15 '14 at 06:03
  • 3
    @ArijitMukherjee this link is both not relevant for the question and also points to something which is not simply "SHA1" and which is absolutely not an encryption algorithm. – Oleg Estekhin Jul 15 '14 at 06:24
  • 2
    @OlegEstekhin While it might be too broad for ASP.NET, the question is specifically about [ASP.NET Identity](http://aspnetidentity.codeplex.com/). – Rowan Freeman Jul 15 '14 at 06:32
  • The way the password is hashed on the server should not be a concern for all your clients. So whatever hashing is used by the Identity framework should be good enough for your clients. – trailmax Jul 15 '14 at 12:26

2 Answers

20

ASP.NET Identity uses Password-Based Key Derivation Function 2 (PBKDF2) as implemented by Rfc2898DeriveBytes. It is a hashing algorithm.

Note that encryption and hashing are different.

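```csharp
// Requires: using System; using System.Security.Cryptography;
public static string HashPassword(string password)
{
    byte[] salt;
    byte[] bytes;
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    // PBKDF2 (HMAC-SHA1) with a random 16-byte salt and 1000 iterations.
    using (Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(password, 16, 1000))
    {
        salt = rfc2898DeriveByte.Salt;
        bytes = rfc2898DeriveByte.GetBytes(32); // 32-byte derived subkey
    }
    // Output layout: 1 version byte (left as 0x00), 16-byte salt, 32-byte subkey.
    byte[] numArray = new byte[49];
    Buffer.BlockCopy(salt, 0, numArray, 1, 16);
    Buffer.BlockCopy(bytes, 0, numArray, 17, 32);
    return Convert.ToBase64String(numArray);
}
```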
Rowan Freeman
  • Encryption technique is indeed SHA1 check the msdn reference you have provided. – Arijit Mukherjee Jul 15 '14 at 06:02
  • As far as I understand, the use of SHA1 is only one part of the process, which is to use *a pseudo-random number generator based on HMACSHA1*. – Rowan Freeman Jul 15 '14 at 06:08
  • yes that's what OP asked for which encryption technique and not the Hashing using the Salt etc. – Arijit Mukherjee Jul 15 '14 at 06:15
  • Possibly. Knowing that the hashing algorithm used is SHA1 couldn't possibly be very helpful to anyone though. You need to know how the password is hashed. SHA1 is just an implementation detail of `Rfc2898DeriveBytes`. – Rowan Freeman Jul 15 '14 at 06:20
  • 7
    Also, SHA1 **is** a hashing algorithm, **not** an encryption technique. – Rowan Freeman Jul 15 '14 at 06:26
  • Please check and answer for the following question. http://stackoverflow.com/questions/40012839/is-asp-net-identity-hashing-secured – Jeeva J Oct 13 '16 at 06:44
1

This depends on the selected compatibility mode.

Implementation details can be found in their GitHub repo.

At this moment they support:

version 2

  • PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations
  • Format: { 0x00, salt, subkey }

version 3

  • PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
  • Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey } (All UInt32s are stored big-endian.)
verbedr
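
The two stored formats listed in the answers above, built and verified outside .NET with only PBKDF2 and Base64, as an added example that is not part of the original answers and is not ASP.NET Identity's own code. The function names are this example's own, and the prf numbers (0 = HMAC-SHA1, 1 = HMAC-SHA256, 2 = HMAC-SHA512) are the values of ASP.NET Core's `KeyDerivationPrf` enum, which the page does not list.

```python
import base64
import hashlib
import hmac
import os
import struct

# KeyDerivationPrf enum values used by ASP.NET Core (not listed on this page).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def hash_v2(password, salt=None):
    """Build a version 2 hash: { 0x00, 16-byte salt, 32-byte subkey }."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, 32)
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def hash_v3(password, salt=None, iterations=10000):
    """Build a version 3 hash with HMAC-SHA256 (prf = 1) and a big-endian header."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = b"\x01" + struct.pack(">III", 1, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def verify(stored, password):
    """Return True if password matches a stored version 2 or version 3 hash."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:
        return False
    pw = password.encode("utf-8")  # .NET encodes the password string as UTF-8
    if len(raw) == 49 and raw[0] == 0x00:
        salt, expected = raw[1:17], raw[17:]
        actual = hashlib.pbkdf2_hmac("sha1", pw, salt, 1000, 32)
    elif len(raw) >= 13 and raw[0] == 0x01:
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
        salt, expected = raw[13:13 + salt_len], raw[13 + salt_len:]
        # Reject malformed or truncated records instead of deriving a key from them.
        if prf not in PRF_NAMES or iterations < 1 or salt_len < 16 or len(expected) < 16:
            return False
        actual = hashlib.pbkdf2_hmac(PRF_NAMES[prf], pw, salt, iterations, len(expected))
    else:
        return False
    # Constant-time comparison of the derived subkey with the stored one.
    return hmac.compare_digest(actual, expected)
```

Because version 3 stores the PRF, iteration count and salt length in the record itself, `verify` reads them from the header rather than hard-coding them.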