Please Help - Encryption Problems

  1. #1

    Please Help - Encryption Problems

    Hi,
    I have a problem in that I have 2 applications writing to the same Database.
    One App is web based and the other is windows/forms based.
    Both have the same job in that they can reset a user's password in the
    database. Both are using SHA1 encryption however they both give different
    results when the programs are run.
    If I run the windows exe file and set the password to password the exe
    encrypts as follows: 5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8

    If I run the web based version with the word password I get the following:
    5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

    Notice the web version has extra in it.
    Please help..... Below is the code I have been using for both versions:

    Web Version:
    Dim Pwd As String = "password"
    Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(Pwd, "SHA1")
    Return hashedPwd


    Windows Exe Version:
    Dim Pwd As String = Trim("password")
    Dim Data As Byte()
    Data = System.Text.Encoding.ASCII.GetBytes(Pwd)
    Dim shaM As New SHA1Managed
    Dim resultHash As Byte() = shaM.ComputeHash(Data)
    Dim hashedpwd = ""
    Dim b As Byte
    For Each b In resultHash
        hashedpwd += Hex(b)
    Next
    Return hashedpwd


    Thanks
    Jamie


    Jamie Sutherland Guest
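
An added example, not part of the original post: a C# console program that hashes the same input and checks the result against the two strings quoted above, comparing the byte encodings and two ways of writing each hash byte as hex. The class and helper names are made up for illustration; `b.ToString("X")` stands in for VB's `Hex(b)`, which likewise emits no leading zero.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HashMismatchDemo
{
    // The two strings quoted in the post above.
    const string ExeOutput = "5BAA61E4C9B93F3F68225B6CF8331B7EE68FD8";
    const string WebOutput = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8";

    // Same digits VB's Hex(b) produces: no leading zero for bytes below 0x10.
    static string HexUnpadded(byte[] data)
    {
        var sb = new StringBuilder();
        foreach (byte b in data) sb.Append(b.ToString("X"));
        return sb.ToString();
    }

    // Always two digits per byte, so a 20-byte SHA-1 gives 40 characters.
    static string HexPadded(byte[] data)
    {
        var sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data) sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    static void Main()
    {
        const string pwd = "password";
        byte[] ascii = Encoding.ASCII.GetBytes(pwd);
        byte[] utf8 = Encoding.UTF8.GetBytes(pwd);

        using (SHA1 sha = SHA1.Create())
        {
            byte[] hash = sha.ComputeHash(utf8);

            Console.WriteLine("ASCII and UTF-8 bytes equal: " +
                (Convert.ToBase64String(ascii) == Convert.ToBase64String(utf8)));
            Console.WriteLine("Padded   matches web output: " + (HexPadded(hash) == WebOutput));
            Console.WriteLine("Unpadded matches exe output: " + (HexUnpadded(hash) == ExeOutput));

            // List the bytes that lose a digit when written without padding.
            for (int i = 0; i < hash.Length; i++)
                if (hash[i] < 0x10)
                    Console.WriteLine("byte " + i + " = 0x" + hash[i].ToString("X2") +
                        " is written as \"" + hash[i].ToString("X") + "\"");
        }
    }
}
```

Formatting each byte with two digits (`b.ToString("X2")`, which is also callable from VB) keeps the string at 40 characters whatever the byte values are.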

  3. #2

    Re: Please Help - Encryption Problems

    It is probably an encoding problem. Forms auth uses UTF8 encoding and you
    are using ASCII. I suggest you try switching to UTF8 first.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest

  4. #3

    Re: Please Help - Encryption Problems

    I agree with Joe's suggestion.
    The FormsAuthentication.HashPasswordForStoringInConfigFile method actually
    encodes in UTF8 and not in ASCII as you do in the WinForms scenario. BTW, I
    suggest using the same methods for both clients
    (HashPasswordForStoringInConfigFile should be well suited in this case).
    However, if you are hashing passwords for storing in a DB, I recommend that
    you add a salt value for dictionary attack mitigation. Check out this code
    from
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp:

    Creating a Salt Value
    The following code shows how to generate a salt value by using random number
    generation functionality provided by the RNGCryptoServiceProvider class
    within the System.Security.Cryptography namespace.

    public static string CreateSalt(int size)
    {
        // Fill a buffer of the requested size from the cryptographic RNG.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);
        // Return the salt as Base64 so it can be stored as text.
        return Convert.ToBase64String(buff);
    }

    Creating a Hash Value (with Salt)
    The following code fragment shows how to generate a hash value from a
    supplied password and salt value.

    public static string CreatePasswordHash(string pwd, string salt)
    {
        // Append the salt to the password, then hash the combined string.
        string saltAndPwd = string.Concat(pwd, salt);
        string hashedPwd =
            FormsAuthentication.HashPasswordForStoringInConfigFile(
                saltAndPwd, "SHA1");
        return hashedPwd;
    }


    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Hernan de Lahitte Guest

  5. #4

    Re: Please Help - Encryption Problems

    I also agree with Hernan in that adding random salt is very important to
    prevent dictionary attacks. There have been some excellent articles written
    on this topic recently.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest

  6. #5

    Re: Please Help - Encryption Problems

    Thanks Guys,
    You have been so much help. FYI, I am using salt but I thought to remove the
    code to save space etc. Have any of you people had any experience of writing
    a VLE (Virtual Learning Environment) (teaching online)? If so, what could
    you recommend?

    Again Many Thanks, I will try on Monday.


    Jamie

    Jamie Sutherland Guest
