
I need to take this C# code and make the same hash in android:

string result = "2-" + Convert.ToBase64String(new SHA1CryptoServiceProvider().ComputeHash(Encoding.Unicode.GetBytes(password)));

I have been trying to get this done for hours and it's still hashing different codes. Thanks for your answers.

  • What did you try? Did you have a look at the raw bytes? What happens if you compute the hash for a given byte sequence? Does it differ? – stefan Jan 02 '17 at 13:38
  • When you are talking about hash in android, you mean java? If yes, follow @stefan's advice and check the resulting byte arrays for equality and let us know how they look. Generally the SHA algorithm is system-unspecific, which means you can exclude the theory that they were computed in different ways (at least if you use the standard library functions). – Trickzter Jan 02 '17 at 13:47
  • Yes, I mean Java, and unfortunately I don't have access to the full C# code, only this part. I tried many solutions for hashing in Java – Michal Borovský Jan 02 '17 at 14:15
  • Hashing a password without using a random salt is a security anti-pattern. – Codo Jan 02 '17 at 14:16
  • [This answer](http://stackoverflow.com/a/9071224/4499267) claims to be specific for an android app, it may help you – Phate01 Jan 02 '17 at 14:18
  • @MichalBorovský you don't need more than this code. Compare the byte result of "new SHA1CryptoServiceProvider().ComputeHash(Encoding.Unicode.GetBytes(password))" to the byte result of your java hash operation. – Trickzter Jan 02 '17 at 14:32
  • @Phate01 I am trying to hash password: qwkld67U. C# is returning this-BePLL+2eth1YOoIcbA5sfzD8Yuw= and that method 0d490626ef755afce7b816e8efbe1a723ecd8335. I need it to be the same – Michal Borovský Jan 02 '17 at 14:34
  • @Trickzter I am hashing password in android app and connecting on webservice using ksoap2, so password is compared there not on client. – Michal Borovský Jan 02 '17 at 14:36
  • @Codo well, actually I don't care, it's not my decision how to hash it. – Michal Borovský Jan 02 '17 at 14:38

1 Answer

Here we go:

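import android.util.Base64;
import android.util.Log;
import java.security.MessageDigest;

try {
    String password = "qwkld67U";
    MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
    // .NET Encoding.Unicode is UTF-16 little-endian without a byte order mark
    sha1.update(password.getBytes("UTF-16LE"));
    // NO_WRAP: Base64.DEFAULT appends a trailing newline that Convert.ToBase64String does not produce
    String result = "2-" + Base64.encodeToString(sha1.digest(), Base64.NO_WRAP);
    Log.i("SHA1", result);
} catch (Exception e) {
    // NoSuchAlgorithmException or UnsupportedEncodingException
    throw new RuntimeException(e);
}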

The output is:

I/SHA1: 2-BePLL+2eth1YOoIcbA5sfzD8Yuw=

Most people get the string encoding wrong. Encoding.Unicode in .NET is a UTF-16 encoding without byte order mark. The Java equivalent is UTF-16LE (and not just UTF-16, which has a byte order mark at the start).

And regarding the security anti-pattern: I know you don't care. But it's probably even worse than I suspected in my comment (hashing without salt). If you transmit the hashed password to a server and compare it there against the hashed password, it completely defeats the purpose of hashing the password in the first place. It's far better to transmit the clear text password over an encrypted connection than to transmit the hashed password. Let those in charge of the security design know.

Codo
  • Sorry for the spam, but the reason why I don't care is that the product I am working on is not mine. I can tell him that it's against security design, but it's up to him to decide how it will be done. – Michal Borovský Jan 02 '17 at 15:02
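The byte-level comparison suggested in the comments, combined with the encoding point from the answer, as an added example (not code from the question or the answer). It assumes a desktop JVM with Java 8 or later and uses java.util.Base64 in place of android.util.Base64; the class and method names are illustrative.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example (plain JVM, not Android): same password, same SHA-1, but the
// charset and the output encoding decide which string the web service receives.
public class HashEncodingCheck {

    static byte[] sha1(byte[] input) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(input);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Mirrors the C# expression from the question for a given charset.
    static String legacyHash(String password, Charset cs) throws NoSuchAlgorithmException {
        // java.util.Base64's basic encoder emits no line breaks, like Convert.ToBase64String
        return "2-" + Base64.getEncoder().encodeToString(sha1(password.getBytes(cs)));
    }

    public static void main(String[] args) throws Exception {
        String password = "qwkld67U";                       // test value from the question
        String expected = "2-BePLL+2eth1YOoIcbA5sfzD8Yuw="; // C# output reported on the page

        Charset[] candidates = {
            StandardCharsets.UTF_16LE, // .NET Encoding.Unicode: little-endian, no BOM
            StandardCharsets.UTF_16,   // Java prepends a big-endian BOM (FE FF) when encoding
            StandardCharsets.UTF_16BE,
            StandardCharsets.UTF_8
        };
        for (Charset cs : candidates) {
            byte[] raw = password.getBytes(cs);
            String hashed = legacyHash(password, cs);
            // Print the input bytes first: a mismatch is visible before any hashing happens.
            System.out.printf("%-9s input=%s%n          sha1hex=%s%n          result=%s match=%b%n",
                    cs.name(), hex(raw), hex(sha1(raw)), hashed, hashed.equals(expected));
        }
    }
}
```

Comparing the `input=` column between platforms isolates an encoding mismatch from a Base64-versus-hex formatting mismatch, which are the two ways the values in this thread can diverge.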