
I am developing authentication in .NET Core. I have an API to create a user with a login and password.

I hashed the password, but I can't find any way to compare the hashed password with the new input from the user.

I used the hash method given by Microsoft:

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-3.1

    using System;
    using System.Security.Cryptography;
    using Microsoft.AspNetCore.Cryptography.KeyDerivation;

    // generate a 128-bit salt using a secure PRNG
    byte[] salt = new byte[128 / 8];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(salt);
    }

    // hashed will be stored in the database as the password
    string hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
        password: password,
        salt: salt,
        prf: KeyDerivationPrf.HMACSHA1,
        iterationCount: 10000,
        numBytesRequested: 256 / 8));

When the user logs in, he sends a login and a password. I have no idea how to compare this password with the hashed password from the database.

If I hash the password again, it will be a different hash, so that doesn't help.

Any suggestion? I am surprised that I don't find answers about this :(

Thanks !

jps
NoteStylet
  • "If I hash the password again, it will be a different hash" - well that's the problem. You need to hash it *exactly* how you did the first time. Something is obviously different here. – Broots Waymb Jun 15 '20 at 19:32
  • does https://stackoverflow.com/questions/2138429/hash-and-salt-passwords-in-c-sharp help? – jps Jun 15 '20 at 19:37
  • You need to **store the salt and the hash**. Then, when the password is provided, you recompute the hash using the stored salt and you compare the result to the stored hash. It's that simple. – Wiktor Zychla Jun 15 '20 at 19:38
  • Thanks! That was the solution. I stored the salt in the database for every account. – NoteStylet Jun 15 '20 at 21:07

1 Answer

User input: plaintext ==> send to authentication service.

Create account: generate a salt, hash the given plaintext password with the salt, store both in the account info.

Authenticate: read the hash and salt from the account info in your database, hash the given plaintext password with the read salt and compare that hash with the hash in your database. That is the simplest way of authentication.

Be sure to always use the individual hash that was created for each account, otherwise the hash will always be different and authentication will fail.

TinoZ
  • That was the solution. I stored the salt in the database for every account. – NoteStylet Jun 15 '20 at 21:08
  • *Be sure to always use the same hash for every account* - Not sure what you mean here. – jps Jun 16 '20 at 08:25
  • @jps you have to save every individual salt for each account. For example acc1 has salt "2ae" and acc2 has "jnfs" as salt. You have to store each salt per account for further hashing – TinoZ Jun 16 '20 at 08:34
  • yes, I understand what you write about saving salts, but that's not what you have said in the quoted sentence. – jps Jun 16 '20 at 08:43
  • refined my answer – TinoZ Jun 16 '20 at 08:49
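The create-account and authenticate steps from the answer, as an added C# example that is not part of the question or the answer. It assumes the Microsoft.AspNetCore.Cryptography.KeyDerivation package is referenced and keeps the PRF, iteration count and sizes from the question's snippet; the `StoredPassword` and `PasswordHasher` names are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Constructed type: what the users table stores besides the login name.
public sealed class StoredPassword
{
    public string SaltBase64 { get; set; }
    public string HashBase64 { get; set; }
}

public static class PasswordHasher
{
    // Same values as the question's snippet. They must be identical at account
    // creation and at login; change any of them and the recomputed hash never matches.
    private const KeyDerivationPrf Prf = KeyDerivationPrf.HMACSHA1;
    private const int Iterations = 10000;
    private const int SaltBytes = 128 / 8;
    private const int HashBytes = 256 / 8;

    // Create account: fresh random salt per account, salt AND hash both persisted.
    public static StoredPassword Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = KeyDerivation.Pbkdf2(password, salt, Prf, Iterations, HashBytes);
        return new StoredPassword
        {
            SaltBase64 = Convert.ToBase64String(salt),
            HashBase64 = Convert.ToBase64String(hash)
        };
    }

    // Authenticate: re-derive with the *stored* salt (never a new one) and compare
    // in constant time so the check does not leak how many bytes matched.
    public static bool Verify(string password, StoredPassword stored)
    {
        byte[] salt = Convert.FromBase64String(stored.SaltBase64);
        byte[] expected = Convert.FromBase64String(stored.HashBase64);
        byte[] actual = KeyDerivation.Pbkdf2(password, salt, Prf, Iterations, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}
```

At login, load the `StoredPassword` row for the submitted login name and pass it with the submitted password to `Verify`; the login path never generates a salt of its own.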