Geek Answers Handbook

How to check ASP.NET password hash in node.js

First of all, I read this Password Hashing using SHA256 and .NET / Node.js , and that didn't help me.

I need to check the password hashes created in ASP.NET in node.js. I was told that passwords are generated using this algorithm: What is the default hash algorithm that uses ASP.NET membership? .

I have an example of a password and salt hash (the first line is the password, and the second line is the salt):

"Password": "jj/rf7OxXM263rPgvLan4M6Is7o=", "PasswordSalt": "/Eju9rmaJp03e3+z1v5s+A==",

I know that the hash algorithm is SHA1 , and I know that this hash is generated for input test123 . However, I cannot reproduce the hash algorithm to get the same hash for this input. What I tried:

 Password = "jj/rf7OxXM263rPgvLan4M6Is7o=" PasswordSalt = "/Eju9rmaJp03e3+z1v5s+A==" crypto = require("crypto") sha1 = crypto.createHash("sha1") PasswordSalt = new Buffer(PasswordSalt, 'base64').toString('utf8') sha1.update(PasswordSalt+"test123", "utf8") result = sha1.digest("base64") console.log(Password) console.log(result)

Result:

 jj/rf7OxXM263rPgvLan4M6Is7o= xIjxRod4+HVYzlHZ9xomGGGY6d8=

I managed to get a working C # algorithm:

 using System.IO; using System; using System.Text; using System.Security.Cryptography; class Program { static string EncodePassword(string pass, string salt) { byte[] bytes = Encoding.Unicode.GetBytes(pass); byte[] src = Convert.FromBase64String(salt); byte[] dst = new byte[src.Length + bytes.Length]; Buffer.BlockCopy(src, 0, dst, 0, src.Length); Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length); HashAlgorithm algorithm = HashAlgorithm.Create("SHA1"); byte[] inArray = algorithm.ComputeHash(dst); return Convert.ToBase64String(inArray); } static void Main() { string pass = "test123"; string salt = "/Eju9rmaJp03e3+z1v5s+A=="; string hash = Program.EncodePassword(pass,salt); Console.WriteLine(hash); // outputs jj/rf7OxXM263rPgvLan4M6Is7o= } }

So now it is a matter of porting this algorithm to node.js. The problem is that C # somehow magically works with bytes, and I don't know how to do this in node. Consider the following code (it does not use salt - it simply creates base64 sha1 from the password:

 crypto = require("crypto") pass = 'test123' sha1 = crypto.createHash("sha1") buf = new Buffer( pass, 'utf8') sha1.update(buf) result = sha1.digest("base64") console.log(result) // outputs cojt0Pw//L6ToM8G41aOKFIWh7w=

And in C #

  using System.Text; using System.Security.Cryptography; string pass = "test123"; byte[] bytes = Encoding.Unicode.GetBytes(pass); HashAlgorithm algorithm = HashAlgorithm.Create("SHA1"); byte[] inArray = algorithm.ComputeHash(bytes); string hash = Convert.ToBase64String(inArray); Console.WriteLine(hash); // outputs Oc/baVMs/zM28IqDqsQlJPQc1uk=

I need code in node.js that will return the same value as the code in C #. Any ideas?

+5
algorithm hash
source share
3 answers

Finally I found the correct answer: https://gist.github.com/PalmerEk/1191651 (with a slight change from 'ucs2' to 'utf16le'):

 function dotnet_membership_password_hash(pass, salt) { var bytes = new Buffer(pass || '', 'utf16le'); var src = new Buffer(salt || '', 'base64'); var dst = new Buffer(src.length + bytes.length); src.copy(dst, 0, 0, src.length); bytes.copy(dst, src.length, 0, bytes.length); return crypto.createHash('sha1').update(dst).digest('base64'); }
+7
source share

There is a nodejs module that does all the magic for you. In my case, the stackoverflow function did not work, but this module works:

https://www.npmjs.com/package/aspnet-identity-pw

  var passwordHasher = require('aspnet-identity-pw'); var hashedPassword = passwordHasher.hashPassword('SomePassword'); var isValid = passwordHasher.validatePassword('SomePassword', hashedPassword);
+3
source share

Changing the buffer encoding to utf16le works for both of the examples here.

This is confirmed by the following fooobar.com/questions/105335 / ....

This is further described in the relevant .Net Framework documentation.

+1
source share

More articles:


All Articles