2

I am not sure if I can decrypt passwords with c#, that i stored in a mysql database. I encrypted these passwords in php using PASSWORD_BCRYPT. And if it is possible how can I do it? Sorry but i'm a beginner and I didn't find any help on the internet. This is the piece of code I used to encrypt my passwords.

$passwort = $con->real_escape_string($_POST['passwort']);
$hash = password_hash($passwort, PASSWORD_BCRYPT);

After reading the comments I tried doing so in c# but it always says wrong password

string email = textBox1.Text;
        string password = textBox2.Text;
        string passwordHash = BCrypt.Net.BCrypt.HashPassword(password);
        MessageBox.Show(passwordHash);
        MySqlConnection conn = new MySqlConnection("datasource=127.0.0.1;port=3306;username=root;password=CIAO6CIAO6;database=kontoprogramm");
        int i = 0;
        conn.Open();
        MySqlCommand cmd = new MySqlCommand("select KLPPassword from tklassenlehrpersonen where KLPEmail = '" + email + "' and KLPPassword = '" + passwordHash + "'", conn);
        cmd.ExecuteNonQuery();
        DataTable dt = new DataTable();
        MySqlDataAdapter da = new MySqlDataAdapter(cmd);
        da.Fill(dt);
        i = Convert.ToInt32(dt.Rows.Count.ToString());
        if (i == 0)
        {
            MessageBox.Show("Falsche Email oder Kennwort!");
        }
        else
        {
            MessageBox.Show("Angemeldet!");
        }

Can somebody please help me?

Cicciopasticcio
  • 195
  • 1
  • 2
  • 8
  • 1
    You typically don't decrypt passwords. If you want to see if a password is correct you'd encrypt the password you're checking and if the encrypted password matches the stored encrypted password then it's good. – Slugsie Jun 01 '19 at 17:58
  • ah thank you. And then is it possible to encrypt the password in c# with the same hash algorithm of the PASSWORD_BCRYPT function of php, so I can compare them? – Cicciopasticcio Jun 01 '19 at 18:13
  • 1
    BCRYPT is not an encryption method, it is a [hashing function](https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification), thus there is no way to *decrypt* it. – Dharman Jun 01 '19 at 18:23
  • The call to the method `real_escape_string` is incorrect. If you were trying to use it to prevent SQL injection then you should use prepared statements instead. – Dharman Jun 01 '19 at 18:25
  • @Dharman Ok thanks. Also how can I compare the hash string that I have in the database, created with the BCRYPT function in php, with the password that the user enters in my c# programm? – Cicciopasticcio Jun 01 '19 at 18:52
  • https://cmatskas.com/a-simple-net-password-hashing-implementation-using-bcrypt/ – Chris White Jun 01 '19 at 20:33

2 Answers2

0

First of all, you cannot decrypt, only if you effort to troubleshooting and hack the password decryption, for example, using Brute Force technique etc, because finally result from PHP by password_hash function is generates a hashed password, hash result. By the hash primary concept, cannot be reversible, but been comparable.

You may compare password hashs using PHP function password_verify (comparing stored hash from database with the inputed password from your C# Application). If your requirement is really decrypt, it's need to change the focus of your post, re-think to troubleshooting and hack the password decryption, for example, using Brute Force technique etc.

Now, let's go to solution: you have two ways:

a) Create an PHP WebService parameterized with the "Clear Text" as input parameter, and get the output result as a encrypted text password; the core of Web Service (in PHP) uses the password_hash with PASSWORD_BCRYPT option, to encrypt. After, your C# code consumes the encrypted data and compare this output hash with stored hash from Database; however, this alternative needs to invest many efforts in security at WebServer and WebService layers. For example, your C# code consuming this PHP Web Service as code bellow:

WebClient webclient = new WebClient();
webclient.DownloadStringCompleted += new DownloadStringCompletedEventHandler(webclient_DownloadStringCompleted);
webclient.DownloadStringAsync(new Uri("http://ws.phpurl.com/?password=stackoverflow@12345"));

void webclient_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
{
    string phpWsEncryptedPass = e.Result;
    string databaseEncryptedPass = //TO DO: query Database
                                   //using WHERE statement,
                                   //parsing 'phpWsEncryptedPass' as parameter;
}

b) OR, download the binaries of the respective PHP version for Windows that you work'on, understand these DLLs methods using a DLL Reflector application (for example dotPeek) and use C# Interop features to import the DLL thta have the password_hash and password_verify to consume this in your C# code; you need to make efforts to open the DLL, to get the correctly methods declaration. Note: this way is suggest because the Core of PHP writted in C/C++ and a C# code can be consume the DLL of PHP for Windows binaries, this code bellow has an example to do this:

    [DllImport(@"C:\ProgramFiles\PHP\php_mbstring.dll", CharSet = CharSet.Unicode)]
    internal static extern IntPtr password_hash(string clearTextpassword, int option)

    [DllImport(@"C:\ProgramFiles\PHP\php_mbstring.dll", CharSet = CharSet.Unicode)]
    internal static extern bool password_verify(string clearTextpassword, string hash)

That's all.

Antonio Leonardo
  • 1,805
  • 1
  • 8
  • 18
0

You cannot search for a hash in the database, because of the salt, instead search by username only and take the stored hash for verification. This answer shows how to do it in PHP, though the principle is the same.

And don't escape the user input before calling password_hash() this calls for trouble.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87