4
When we create a user using ASP.NET Identity, it generates a hash; there is even a column in the database named Passwordhash.
My question is: what kind of hash is generated? What encryption does ASP.NET Identity use?
7
It uses a key derivation function, as specified by RFC 2898. The process is quite intricate and ensures a secure password.
Coding:
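    // Requires: using System; using System.Security.Cryptography;
    // (the method must be placed inside a class to compile)
    public static string HashPassword(string password)
    {
        byte[] salt;
        byte[] buffer2;
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }
        // PBKDF2 (RFC 2898): random 16-byte salt (0x10), 1000 iterations (0x3e8)
        using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, 0x10, 0x3e8))
        {
            salt = bytes.Salt;
            buffer2 = bytes.GetBytes(0x20); // 32-byte derived key
        }
        // Output layout, 49 bytes (0x31): dst[0] = 0x00, then the salt, then the derived key
        byte[] dst = new byte[0x31];
        Buffer.BlockCopy(salt, 0, dst, 1, 0x10);
        Buffer.BlockCopy(buffer2, 0, dst, 0x11, 0x20);
        return Convert.ToBase64String(dst);
    }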
Hash check:
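    // Requires: using System; using System.Security.Cryptography;
    // (the method must be placed inside a class to compile)
    public static bool VerifyHashedPassword(string hashedPassword, string password)
    {
        byte[] buffer4;
        if (hashedPassword == null)
        {
            return false;
        }
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }
        byte[] src = Convert.FromBase64String(hashedPassword);
        // Expect exactly 49 bytes (0x31) with a leading 0x00 byte
        if ((src.Length != 0x31) || (src[0] != 0))
        {
            return false;
        }
        // Bytes 1..16: the salt stored when the hash was created
        byte[] dst = new byte[0x10];
        Buffer.BlockCopy(src, 1, dst, 0, 0x10);
        // Bytes 17..48: the stored derived key
        byte[] buffer3 = new byte[0x20];
        Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
        // Re-derive the key from the supplied password with the same salt and iteration count
        using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
        {
            buffer4 = bytes.GetBytes(0x20);
        }
        // ByteArraysEqual is a helper that is not shown in this post; it compares the two arrays
        // and should do so without exiting early on the first differing byte.
        return ByteArraysEqual(buffer3, buffer4);
    }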
The algorithm also uses a seed (salt), which ensures that the hash generation will not happen the same way twice. When the user is created, the salt is saved along with the password for the verification process.
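The stored format from the answer above, reproduced in Python as an added example (it is not part of the original answer and is not ASP.NET Identity code). It assumes what `Rfc2898DeriveBytes(string, ...)` does by default, namely PBKDF2 with HMAC-SHA1 over the UTF-8 bytes of the password; the function names are this example's own, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 0x10      # 16-byte salt, as in the C# above
SUBKEY_LEN = 0x20    # 32-byte derived key
ITERATIONS = 0x3E8   # 1000 PBKDF2 iterations
BLOB_LEN = 1 + SALT_LEN + SUBKEY_LEN  # 0x31 = 49 bytes before Base64


def _derive(password, salt):
    # Assumption: HMAC-SHA1 and UTF-8, the defaults of Rfc2898DeriveBytes.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, ITERATIONS, SUBKEY_LEN)


def hash_password(password, salt=None):
    """Return Base64(0x00 || salt || subkey), the layout HashPassword writes."""
    if password is None:
        raise ValueError("password")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return base64.b64encode(b"\x00" + salt + _derive(password, salt)).decode("ascii")


def parse_hash(hashed):
    """Split a stored value into (salt, subkey), or None if it is not this format."""
    try:
        raw = base64.b64decode(hashed, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) != BLOB_LEN or raw[0] != 0:
        return None
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_hashed_password(hashed, password):
    """Re-derive the subkey with the stored salt and compare in constant time."""
    if password is None:
        raise ValueError("password")
    parsed = parse_hash(hashed) if hashed is not None else None
    if parsed is None:
        return False
    salt, expected = parsed
    return hmac.compare_digest(expected, _derive(password, salt))
```

Unlike the C# `Convert.FromBase64String`, which throws on malformed input, `parse_hash` returns `None`, so `verify_hashed_password` reports a corrupted column value as a failed match.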
Even with this hash generation, would it be necessary to encrypt the user's password? That is, encrypt the password and generate the hash from the encrypted password?
– Rod
Hash generation is part of password encryption.
– Leonel Sanches da Silva