-1

I don't really want to dump some code and expect answers but this is a pretty lengthy function that hashes a password in order to later compare it to the database-stored value.

I have seen posts where people wasted time trying to recreate what they could achieve with the md5() function in PHP.

For that reason, I'm wondering if someone with any encryption knowledge knows of a PHP equivalent to achieve the following effect in PHP:

    internal static string GenerateEncryptedPassword(string password, string salt, int iterationCount)
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] saltBytes = Encoding.UTF8.GetBytes(salt);
        byte[] iterationCountBytes = BitConverter.GetBytes(iterationCount);
        int derivedLength = passwordBytes.Length + saltBytes.Length;
        byte[] passwordSaltBytes = new byte[derivedLength];
        byte[] pbkdf2Bytes;
        string encryptedString;

        for (int i = 0; i < passwordBytes.Length; i++)
        {
            passwordSaltBytes[i] = passwordBytes[i];
        }

        for (int i = 0; i < saltBytes.Length; i++)
        {
            passwordSaltBytes[passwordBytes.Length + i] = saltBytes[i];
        }

        using (Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, passwordSaltBytes, iterationCount))
        {
            pbkdf2Bytes = pbkdf2.GetBytes(derivedLength + iterationCountBytes.Length);
        }

        using (SHA512 sha512 = new SHA512Managed())
        {
            byte[] hashBytes = sha512.ComputeHash(pbkdf2Bytes);
            byte[] hashSaltBytes = new byte[hashBytes.Length + saltBytes.Length];

            for (int i = 0; i < hashBytes.Length; i++)
            {
                hashSaltBytes[i] = hashBytes[i];
            }

            for (int i = 0; i < saltBytes.Length; i++)
            {
                hashSaltBytes[hashBytes.Length + i] = saltBytes[i];
            }

            encryptedString = Convert.ToBase64String(hashSaltBytes);
        }

        return encryptedString;
    }

If it changes anything, I'm using Laravel...

Thank you for any guidance


I hate encryption :D

    $user = \App\User::all();
    $salt = strtolower($user[2]->Salt);
    $password = 'P@$$W0rd';
    $dbPassword = $user[2]->Password;
    $iterations = 10000;

    echo openssl_pbkdf2($password, $salt, 44, $iterations, 'sha512');

Artjom B.
Anaconda

2 Answers

0

Read the PHP manual for password_hash and password_verify. I recommend using BCrypt as the algorithm.

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

It's not difficult at all! Good luck! :-)

Also, SHA-512 isn't all that secure. Read here: SHA1 vs md5 vs SHA256: which to use for a PHP login?

delboy1978uk
  • Thing is, I have to recreate what my co-worker has already done, and so I cannot use anything else. It must output the same hash. I certainly tried a couple of things before posting here, but I'll take a look again, thank you. – Anaconda Jun 08 '17 at 08:50
  • You can try password_hash() using SHA512 too, check the options for it! – delboy1978uk Jun 08 '17 at 08:54
  • Again, I've looked at the options and I've obviously run a good dozen combinations and overloads, that's why I resorted to pasting that code in here in hopes that someone perhaps knows a way to do it conveniently quickly in PHP. – Anaconda Jun 08 '17 at 08:59
0

I haven't used PHP for years so not sure if there are new ways to do things, but you can produce SHA-512 hashes with OpenSSL: http://php.net/manual/en/function.openssl-digest.php

    // Returns a hex string by default; pass true as a third argument for raw bytes.
    openssl_digest($pbkdf2Bytes, 'sha512');

To generate salt, it is highly recommended to use secure (unpredictable) randoms. For PHP, see this: PHP random string generator

EDIT: You can also produce PBKDF2 directly with OpenSSL: http://php.net/manual/en/function.openssl-pbkdf2.php

Just note the optional parameter in the end of the function signature where you define the digest algorithm.

    openssl_pbkdf2($password, $saltBytes, $keyLength, $iterationCount, 'sha512');

quinz
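
Added example, not part of the question or of either answer: a step-by-step PHP port of the C# function in the question, plus a constant-time comparison against the stored value. It relies on the fact that .NET's `Rfc2898DeriveBytes(string, byte[], int)` constructor uses HMAC-SHA1 and UTF-8 encodes the password; the function names and the sample password and salt are hypothetical, constructed values.

```php
<?php
declare(strict_types=1);

/**
 * PHP port of the C# GenerateEncryptedPassword() shown in the question.
 * Function and variable names are hypothetical.
 */
function generateEncryptedPassword(string $password, string $salt, int $iterationCount): string
{
    // C# builds passwordSaltBytes = UTF-8(password) || UTF-8(salt) and passes it as the PBKDF2 salt.
    $pbkdf2Salt = $password . $salt;

    // derivedLength + iterationCountBytes.Length: BitConverter.GetBytes(int) is always 4 bytes.
    // strlen() counts bytes, matching Encoding.UTF8.GetBytes(...).Length for UTF-8 strings.
    $keyLength = strlen($password) + strlen($salt) + 4;

    // Rfc2898DeriveBytes(string, byte[], int) uses HMAC-SHA1 unless a hash is named,
    // so the PBKDF2 digest here is 'sha1', not 'sha512'.
    $derived = hash_pbkdf2('sha1', $password, $pbkdf2Salt, $iterationCount, $keyLength, true);

    // SHA-512 over the derived bytes (raw output), append the salt bytes, Base64 the result.
    $hash = hash('sha512', $derived, true);

    return base64_encode($hash . $salt);
}

/** Recompute the value and compare it to the stored one in constant time. */
function verifyPassword(string $password, string $salt, int $iterationCount, string $stored): bool
{
    return hash_equals($stored, generateEncryptedPassword($password, $salt, $iterationCount));
}

// Constructed sample values, not taken from the question's database.
$salt   = 'constructed-salt-value';
$stored = generateEncryptedPassword('correct horse', $salt, 10000);

var_dump(verifyPassword('correct horse', $salt, 10000, $stored)); // same password as stored
var_dump(verifyPassword('wrong guess', $salt, 10000, $stored));   // different password
```

The salt must be passed exactly as the C# side received it (same case, same bytes), since it feeds both the PBKDF2 salt and the Base64 output.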