Same string, different SHA1 hash values obtained from VB.net and PHP

Question

I have some problems with the SHA1 hash value of a string. I'm trying to send a file from a client written in VB.net to a server written in PHP. My problem is that when I pass the same string to VB.net and PHP, the SHA1 value calculated by VB.net is completely different from the value calculated by PHP.

For example, I want to encode a string in Base64 and then calculate the SHA1 Hash of the Base64 string. When the computer executes this task from the vb.net version and from the PHP version I get two different SHA1 values, even if apparently the Base64 encoded string is the same:

VB.net: 2E97A53B09C482A831540B532845BCAC79BFACCF PHP: 350A2080264E2724D4BCBC521C35264D264A1DAF

I'm surely missing something, could you point me in the right direction and tell me what I'm doing wrong here?

Thank you very much

Here's the VB.net Code:

Dim cInput As String
Dim cBase64 As String
Dim objSHA1 As New SHA1CryptoServiceProvider()
Dim abBytesToHash() As Byte
Dim cHash As String


cInput = "the quick brown fox jumps over the lazy dog"
cBase64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(cInput))

abBytesToHash = System.Text.Encoding.ASCII.GetBytes(cBase64)

abBytesToHash = objSHA1.ComputeHash(abBytesToHash)
cHash = BitConverter.ToString(objSHA1.ComputeHash(abBytesToHash))
cHash = Replace(cHash, "-", "")

MsgBox("BASE64: " + cBase64 + vbNewLine + "SHA1: " + cHash)

' Result is:
' BASE64: dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==
' SHA1: 2E97A53B09C482A831540B532845BCAC79BFACCF

And here's the PHP Code:

$cInput = "the quick brown fox jumps over the lazy dog";
$cBase64 = base64_encode($cInput);

echo("BASE64: " . $cBase64 . "<br />" . "SHA1: " . strtoupper(sha1($cBase64)));

// Result is:
// BASE64: dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==
// SHA1: 350A2080264E2724D4BCBC521C35264D264A1DAF

Answer 1

Well, the problem is that you're double hashing in .NET and only single hashing in PHP. Here's what you're doing in .NET translated into PHP:

$cInput = "the quick brown fox jumps over the lazy dog";
$cBase64 = base64_encode($cInput);

$sha = sha1($cBase64, true); // The true param returns the raw bytes instead of hex
$chash = sha1($sha);

So you're double hashing it. To fix it, you just need to change your algorithm to:

cInput = "the quick brown fox jumps over the lazy dog"
cBase64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(cInput))

abBytesToHash = System.Text.Encoding.ASCII.GetBytes(cBase64)

cHash = BitConverter.ToString(objSHA1.ComputeHash(abBytesToHash))
cHash = Replace(cHash, "-", "")

Note that all I did was remove the abBytesToHash = objSHA1.ComputeHash(abBytesToHash) line...

Alternatively, you could change the PHP to do this:

$cInput = "the quick brown fox jumps over the lazy dog";
$cBase64 = base64_encode($cInput);

echo "BASE64: " . $cBase64 . "<br />";
echo "SHA1: " . strtoupper(sha1(sha1($cBase64, true)));