2

I have referred the following sites for the Rijndael and Asp.net hashing implementations in the following url.

  1. Rijndael - How to generate Rijndael KEY and IV using a passphrase?
  2. Asp.net hashing - ASP.NET Identity default Password Hasher, how does it work and is it secure?

In both the implementation, The following is used to get the random bytes for the password. RijnDael

Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);

Asp.net Identity hashing

Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(providedPassword, salt, HasingIterationsCount)

After the above code, RijnDael applies the encryption for the returned bytes. But asp.net identity copy the result as it is with the salt byte array and return the hashed keys.

Here I had a confusion. RijnDael and Asp.net identity hashing uses the same Rfc2898DeriveBytes.

When RijnDael can decrypt the encrypted keys (which is done with the help of Rfc2898DeriveBytes), why can we do to decrypt the Asp.net Identity hashed keys?

Is there any possibility to do that? Is Asp.net identity secured?

Community
  • 1
  • 1
Jeeva J
  • 3,173
  • 10
  • 38
  • 85
  • 1
    1) Every think that was created can be broke - it is life rule . So if you figure out how asp.identity encrypted keys than you will figure out how to decrypt it. 2)If you want to secure your users passwords better than you may create your own algorithm that will encrypt input password and send this hash string to Asp.net to encrypt it one more time. 3)If you just want to check if user input password is the same as it is in database you need to encrypt input and compare this hash with hash that is already in database – DespeiL Oct 13 '16 at 05:29
  • So before hashing the password, encrypt the password then do hashing will be good idea for security? – Jeeva J Oct 13 '16 at 05:54
  • 1
    "When RijnDael can decrypt the encrypted keys". Nope, you can't decrypt the hashed password. Do you confuse hashing and encryption? – Martheen Oct 13 '16 at 05:54
  • Yes you are right @Martheen. Hashing should not be decrypted (Even by me after implementation). In my question I have asked like that the will be asp.net hashing decrypted by the developer (since RijnDael uses same Rfc2898DeriveBytes as asp.net identity hashing)? – Jeeva J Oct 13 '16 at 05:57
  • How could the developer decrypt it? Rijndael only use DeriveBytes for key stretching. ASP.NET identity doesn't call Rijndael, so there's nothing to decrypt – Martheen Oct 13 '16 at 06:46
  • **Do not encrypt passwords**, when the attacker gets the DB he will also get the encryption key. Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as password_hash, PBKDF2, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Oct 13 '16 at 17:03

1 Answers1

2

Yes, ASP.NET's password hashing method is secure.

In the example you provided, the user is using an encryption technique known as Advanced Encryption Standard (AES, also known as Rijndael). This is why the secret can be decrypted.

The user only uses the Rfc2898DeriveBytes class in order to get a key and an initialisation vector.

The class is not used to hash the secret message. The encryption is what hides the message.

ASP.NET uses the Rfc2898DeriveBytes class to hash a password. This procedure cannot be reversed.

Rowan Freeman
  • 15,724
  • 11
  • 69
  • 100