
I'm building a website and their current login system is in C#. I'm building the site in PHP and would like to keep the passwords the same for their customers. In order to do that, I need to make their hashing function the same as mine. I'm having a bit of trouble since I don't know much about C#.

Here are the C# functions that I've found that are useful to setting the password when I decompiled the code:

string salt = ui.UserGUID.ToString();
if (!string.IsNullOrEmpty(UserInfoProvider.UserSaltColumn))
  salt = ui.GetStringValue(UserInfoProvider.UserSaltColumn, string.Empty);
ui.SetValue("UserPassword", (object) UserInfoProvider.GetPasswordHash(userPassword, stringValue, salt));

The GetPasswordHash function will return this:

return SecurityHelper.GetSHA2Hash(password + salt + UserInfoProvider.PasswordSalt);

The GetSHA2Hash function is where I think my problems are. Here's the one-liner of the function:

return ValidationHelper.GetStringFromHash(new SHA256Managed().ComputeHash(Encoding.Default.GetBytes(inputData)));

And finally, here's the GetStringFromHash function:

StringBuilder stringBuilder = new StringBuilder();
foreach (byte hashByte in hashBytes)
  stringBuilder.Append(string.Format("{0:x2}", (object) hashByte));
return stringBuilder.ToString();

In the first code, stringValue is sha256, which pulls the second line of code. The salt is stored in the database so I know what that value is, and I know a non-encrypted password to test. In the second piece of code, the "salt" variable is null so it's only hashing the password and the salt in the database.

I have tried several different pieces of PHP code to try to get the passwords to match, but nothing so far. Here's a few of the things I've tried:

$hash = hash('sha256', ord("Password" . "The Salt"));
$hash = hash('sha256', "Password" . "The Salt");
$hash = (hash('sha256', mb_convert_encoding("Password" . "The Salt","UTF-8"), true));

I know the last piece of code is formatting the string into hexadecimal, but I am at a loss right now. I'm hoping it's a simple fix. I spent the better part of yesterday tracking down all the functions and trying to get it to work before bringing it here.

Thanks in advance.


Solved. Apparently, the GUID was being lowercased in the first line:

string salt = ui.UserGUID.ToString(); 

and that was causing the issue. I created an online fiddle and when I was getting the same output as PHP, I knew there was something that was being changed. Looked into it a little more and then we found the problem. Here's the final PHP in case it helps future people:

$hash = hash('sha256', "Password" . strtolower("The Salt"));
– Devyn
  • Bit of a shot in the dark, but it looks like you're hashing different strings. In C#, you have `password + salt + UserInfoProvider.PasswordSalt`, whereas in PHP you just have `"Password" . "The Salt"`. Do you perhaps have two salts in the first example, a global one and also a user specific one? – iainn Jun 14 '16 at 14:56
  • `Encoding.Default.GetBytes` try to use UTF8 instead. Also, you're concatenating twice the salt: `salt + UserInfoProvider.PasswordSalt`. – Gusman Jun 14 '16 at 14:56
  • The question lack [MCVE] (which should include both C# and PHP code + sample data). Also this question asked so many times already - i.e. http://stackoverflow.com/questions/7249998/why-isnt-my-php-sha256-hash-equivalent-to-c-sharp-sha256managed-hash ... – Alexei Levenkov Jun 14 '16 at 14:59
  • iainn - The "salt" value is null. I stated that after the C# code. Gusman - I'll try UTF8. Same as above though. Alexei - I've already seen that and tried the answers there after modifying them. I wouldn't have asked if I knew the answer. I've done my research. – Devyn Jun 14 '16 at 15:01
  • You should really be using an HMAC, not just concatenating a salt and the password. But you should also be using an iteration method that requires about 100 ms per password such as bcrypt, password-hash or PBKDF2 as examples, if you want security. Hashing is incredibly fast these days; 1,000,000 SHA-256 hashes per second is easily done on a single laptop. – zaph Jun 14 '16 at 15:04
  • No, this is not a duplicate question. Because he gets each byte of the hash by the mask `{0:x2}`; this mask is x2 for each byte in the string. We have 3-step security: step 1 is the salt, step 2 is converting the string, step 3 is encoding. For PHP you need to repeat these steps. – Naumov Jun 14 '16 at 15:04
  • zaph - I know, I know. I need to verify they are logging in with the right password before I can update it. Naumov - What is the hexadecimal string being encoded to? – Devyn Jun 14 '16 at 15:09
  • You can show the hash, password and salt, to repeat. – Naumov Jun 14 '16 at 15:14
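The question's decompiled C# boils down to one pipeline: SHA-256 over `password + salt + PasswordSalt`, with `salt` coming from `Guid.ToString()` (which emits lowercase hex digits, the detail that turned out to be the bug), bytes taken with `Encoding.Default`, and the digest rendered as lowercase hex by `{0:x2}`. The PHP below is an added example that reproduces that whole chain and then verifies a login against it; it is not code from the question or from the CMS whose C# is quoted. The function names, the `$charset` parameter, and the sample GUID and hash are my own assumptions, as is the default of UTF-8 for `Encoding.Default` (true on .NET Core; on .NET Framework it is the host's ANSI code page, so pass `'Windows-1252'` or the relevant code page if customers have non-ASCII passwords).

```php
<?php
// Added example, not the question's or the CMS's own code. Reproduces the
// decompiled C# chain GetPasswordHash -> GetSHA2Hash -> GetStringFromHash:
//   SHA-256( password + lowercase(GUID salt) + PasswordSalt ) as lowercase hex.

/**
 * Mirror of the C# hashing chain quoted in the question.
 *
 * @param string $password   plaintext password as submitted at login
 * @param string $userSalt   per-user salt (the user GUID; may be stored uppercase)
 * @param string $globalSalt UserInfoProvider.PasswordSalt; '' when not configured
 * @param string $charset    what Encoding.Default meant on the C# host (assumption:
 *                           'UTF-8' for .NET Core, 'Windows-1252' is typical for
 *                           .NET Framework on Western Windows installs)
 */
function legacy_sha256_hash(
    string $password,
    string $userSalt,
    string $globalSalt = '',
    string $charset = 'UTF-8'
): string {
    // Guid.ToString() yields lowercase hex; the database row may hold it uppercase.
    $input = $password . strtolower($userSalt) . $globalSalt;

    // For pure-ASCII input every charset gives the same bytes; for accented
    // characters Encoding.Default on .NET Framework is an ANSI code page, not
    // UTF-8, so transcode from the UTF-8 that PHP receives over HTTP.
    $bytes = ($charset === 'UTF-8')
        ? $input
        : mb_convert_encoding($input, $charset, 'UTF-8');

    // hash() returns lowercase hex, which matches string.Format("{0:x2}", b).
    return hash('sha256', $bytes);
}

/**
 * Constant-time comparison of a submitted password against the stored legacy hash.
 */
function legacy_password_verify(
    string $password,
    string $userSalt,
    string $globalSalt,
    string $storedHash,
    string $charset = 'UTF-8'
): bool {
    $computed = legacy_sha256_hash($password, $userSalt, $globalSalt, $charset);
    // Normalise case on the stored side too, in case it was uppercased at some point.
    return hash_equals(strtolower($storedHash), $computed);
}

// Constructed sample data, not real customer records.
$storedSalt = '3F2504E0-4F89-11D3-9A0C-0305E82C3301'; // uppercase GUID as the DB might hold it
$globalSalt = '';                                     // PasswordSalt unset, as in the question
$storedHash = legacy_sha256_hash('Password', $storedSalt, $globalSalt);

var_dump(legacy_password_verify('Password', $storedSalt, $globalSalt, $storedHash));
var_dump(legacy_password_verify('password', $storedSalt, $globalSalt, $storedHash));

// Once a login verifies against the legacy hash, rewrite that user's row with a
// slow, salted hash so the unsalted-iteration SHA-256 scheme is retired one
// successful login at a time (the upgrade the comments above recommend).
if (legacy_password_verify('Password', $storedSalt, $globalSalt, $storedHash)) {
    $upgraded = password_hash('Password', PASSWORD_DEFAULT);
    // ... persist $upgraded in place of $storedHash and flag the row as migrated.
    var_dump(password_verify('Password', $upgraded));
}
```

`hash_equals` is used instead of `==` so the comparison does not leak how many leading hex digits matched, and `password_hash`/`password_verify` handle salting and cost selection for the replacement scheme; the legacy function then only needs to exist until the last un-migrated user has logged in once.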

0 Answers