I have a website that I am trying to port from Asp.NET to Java Servlets and need to port the AspNetUsers table.

I need to know the algorithm that Asp.NET identity uses to hash passwords so I can verify old users' passwords and create new hashes for new users in Java.

I know that Asp.NET uses a SHA-1 algorithm that I can replicate with ApacheCommons DigestUtils class, but I do not know the salt that Asp.NET uses so I can't verify passwords.

I can take an algorithm explanation but exact code would be better.

  • this might help Commented Jan 2, 2019 at 21:59
  • see my answer below Commented Jan 2, 2019 at 22:12

1 Answer

I viewed the page mentioned by Jimenemex above and found that Identity uses the method Rfc2898DeriveBytes to generate the salt. I can now use this library for Java to generate the hash.

Ported code:

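```java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.apache.commons.codec.binary.Base64; // assumed: Apache Commons Codec
// Rfc2898DeriveBytes comes from the third-party Java library mentioned above.

// Class name is illustrative; it only wraps the two ported methods.
public class PasswordHasher {

    // Stored format: 0x00 marker | 16-byte salt | 32-byte derived key (1000 iterations), Base64-encoded.
    public static String hashPassword(String password) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
        if (password == null)
            throw new IllegalArgumentException("password");
        // Fresh random salt for every password; a zero-filled array would give all users the same salt.
        byte[] salt = new byte[0x10];
        new SecureRandom().nextBytes(salt);
        Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, salt, 0x3e8);
        byte[] buffer2 = bytes.getBytes(0x20);
        byte[] dst = new byte[0x31]; // dst[0] stays 0x00, the format marker
        System.arraycopy(salt, 0, dst, 1, 0x10);
        System.arraycopy(buffer2, 0, dst, 0x11, 0x20);
        return Base64.encodeBase64String(dst);
    }

    public static boolean verifyHashedPassword(String hashedPassword, String password) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
        if (hashedPassword == null)
            return false;
        if (password == null)
            throw new IllegalArgumentException("password");
        byte[] src = Base64.decodeBase64(hashedPassword);
        // Reject anything that is not 49 bytes long or does not start with the 0x00 marker.
        if ((src.length != 0x31) || (src[0] != 0))
            return false;
        // Split the stored value into its salt and derived-key parts.
        byte[] dst = new byte[0x10];
        System.arraycopy(src, 1, dst, 0, 0x10);
        byte[] buffer3 = new byte[0x20];
        System.arraycopy(src, 0x11, buffer3, 0, 0x20);
        // Re-derive the key from the candidate password with the stored salt.
        Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8);
        byte[] buffer4 = bytes.getBytes(0x20);
        // Constant-time comparison, so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(buffer3, buffer4);
    }
}
```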

(The RFC2898DeriveBytes class is from the above-mentioned library.)

1 Comment

Could you please share your implementation? I got stuck at the same place.
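The same stored format can be produced and checked with the JDK alone. The class below is an added example, not part of the original answer or of ASP.NET Identity's own code. The class name `AspNetIdentityHasher` is hypothetical, the layout and iteration count are taken from the ported code above, and it relies on .NET's `Rfc2898DeriveBytes` defaulting to HMAC-SHA1 over the UTF-8 password.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class name; format constants are the ones used in the ported code above.
public class AspNetIdentityHasher {
    static final int SALT_LEN = 0x10, KEY_LEN = 0x20, ITERATIONS = 0x3e8;

    // PBKDF2-HMAC-SHA1; the JDK provider encodes the password chars as UTF-8.
    static byte[] pbkdf2(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LEN * 8);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static String hashPassword(String password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);               // unique salt per stored hash
        byte[] out = new byte[1 + SALT_LEN + KEY_LEN];    // out[0] = 0x00 format marker
        System.arraycopy(salt, 0, out, 1, SALT_LEN);
        System.arraycopy(pbkdf2(password, salt), 0, out, 1 + SALT_LEN, KEY_LEN);
        return Base64.getEncoder().encodeToString(out);
    }

    public static boolean verifyHashedPassword(String stored, String password) throws GeneralSecurityException {
        if (stored == null || password == null) return false;
        byte[] src;
        try { src = Base64.getDecoder().decode(stored); } catch (IllegalArgumentException e) { return false; }
        if (src.length != 1 + SALT_LEN + KEY_LEN || src[0] != 0) return false;
        byte[] salt = Arrays.copyOfRange(src, 1, 1 + SALT_LEN);
        byte[] expected = Arrays.copyOfRange(src, 1 + SALT_LEN, src.length);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt)); // constant-time compare
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String pw = "S3cure-Passw0rd";                    // constructed sample input
        String h1 = hashPassword(pw), h2 = hashPassword(pw);
        System.out.println("round trip ok:     " + verifyHashedPassword(h1, pw));
        System.out.println("wrong pw rejected: " + !verifyHashedPassword(h1, pw + "x"));
        System.out.println("salts differ:      " + !h1.equals(h2));
    }
}
```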
