Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SHA1CryptoServiceProvider changed in .NET 4

Tags:

cryptography

.net-4.0

sha1

I am currently trying to upgrade a project of mine from .NET 3.5 to .NET 4.0

Everything was going really well, all code compiled, all tests passed.
Then I hit a problem deploying to my staging environment.
Suddenly my logins were no longer working.

It seems my SHA1 hashed passwords are being hashed differently in .NET 4.

I am using the SHA1CryptoServiceProvider:

SHA1CryptoServiceProvidercryptoTransformSHA1 = new SHA1CryptoServiceProvider();

To test I created a new Visual Studio project with 2 console applications.
The first targeted at .NET Framework 3.5 and the second at 4.0.
I ran exactly the same hashing code in both and different results were produced.

Why is this happening and how can I fix this?
I obviously cannot go update all of my users passwords considering I do not know what they are.

Any help would be greatly appreciated.

CODE SAMPLE

public static class SHA1Hash
{

    public static string Hash(string stringToHash)
    {
        return (Hash(stringToHash, Encoding.Default));
    }

    public static string Hash(string stringToHash, Encoding enc)
    {
        byte[] buffer = enc.GetBytes(stringToHash + stringToHash.Reverse());
        var cryptoTransformSHA1 = new SHA1CryptoServiceProvider();
        string hash = BitConverter.ToString(cryptoTransformSHA1.ComputeHash(buffer));
        return hash;
    }
}
like image 877
WebDude Avatar asked Nov 06 '22 12:11

WebDude

1 Answers

One of the comments led me onto finding the bug in my code.
When creating my byte array to be hashed, I was trying to append the string with a reversed version of itself.

E.g. given "password" to hash I would actually hash "passworddrowssap"

However my code has a slight bug in it:

byte[] buffer = enc.GetBytes(stringToHash + stringToHash.Reverse());

.Reverse() is a Linq extension method that can reverse a string.
However it doesn't return a string, it returns:

IEnumerable<Char>

Calling .ToString() on this type actually returns:

System.Linq.Enumerable+d__99`1[System.Char]

Doing the same thing in .NET 4.0 returns

System.Linq.Enumerable+d__a0`1[System.Char]

Hence my passwords were being hashed differently.
What I should have done to create by byte array was:

byte[] buffer = enc.GetBytes(stringToHash + new String(stringToHash.Reverse().ToArray()));
like image 192
WebDude Avatar answered Nov 18 '22 12:11

WebDude
Sign in to Comment

Related questions

What is the use of the responderID in the OCSP response?
TripleDESCryptoServiceProvider - vulnerable to Denial of Service?
Decrypt .Net cookie in nodejs
How to secure secret string in Android app?
Can security for this username/password generator script be improved? [closed]
Is this is a good way to generate a secure random string in JavaScript?
Openssl encrypted in PHP needs to be decrypted in Ruby
Create RSA Token in nodejs
Using RSA for modulo-multiplication leads to error on Java Card
How to safely store API credentials in a SQL Server database?
Cannot find the requested object. when create X509certificate2
How to find ASN.1 components of EC key python-cryptography
AES/CBC/PKCS5Padding in iOS objective c result differs from Android
Can't authenticate using Socketcluster V2 for Coinigy Exchange websocket ticker api
Storing private/secret keys in an Ionic application
android.security.KeyStoreException: Unknown error On a rare number of devices
AES GCM encrypt in nodejs and decrypt in browser?
Converting a byte array to a X.509 certificate
Building an 'Activation Key' Generator in JAVA
'Malformed Reference Element' when adding a reference based on an Id attribute with SignedXml class

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!