Hi All,

I am using a hash system for storing passwords.
The problem is peculiar because it only happens if the first alphabet of the userid (used for authentication) is small 'n'.

2 numbers get changed while saving in SQL (no. (2) and (3)).

Below are the related hash sequences I recovered while debugging:
The case used is user: neetu and password: 123456

VB
Imports System.Security.Cryptography
Imports System.Text

Public Function fnHashedValue(ByVal value As String, ByVal authentication As String) As Byte()
       'To convert string into hash for storing and comparison
       Dim sSourceData As String = value + authentication

       'Create a byte array from source data.
       Dim tmpSource() As Byte = ASCIIEncoding.ASCII.GetBytes(sSourceData)

       'Compute hash based on source data.
       Dim tmpHash() As Byte = New SHA1CryptoServiceProvider().ComputeHash(tmpSource)

       Return tmpHash

   End Function


VB
tmpNewHash      ? tmpSavedHash
{Length=20}     {Length=20}
    (0): 54         (0): 54
    (1): 236        (1): 236
    (2): 128        (2): 253
    (3): 223        (3): 255
    (4): 250        (4): 250
    (5): 49         (5): 49
    (6): 33         (6): 33
    (7): 163        (7): 163
    (8): 231        (8): 231
    (9): 207        (9): 207
    (10): 11        (10): 11
    (11): 187       (11): 187
    (12): 221       (12): 221
    (13): 23        (13): 23
    (14): 28        (14): 28
    (15): 193       (15): 193
    (16): 87        (16): 87
    (17): 10        (17): 10
    (18): 103       (18): 103
    (19): 1         (19): 1

To start with, never use SHA-1 or MD5 for security purposes; both algorithms have been found broken. Use some algorithm from the SHA-2 family (even better SHA-3, as far as I know, is not yet introduced on .NET FCL).

Please see: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=vs.110%29.aspx.

You need the class SHA256, SHA384 or SHA512.

See also:
http://en.wikipedia.org/wiki/SHA-1,
http://en.wikipedia.org/wiki/Sha-2,
http://en.wikipedia.org/wiki/Sha-3.

I used SHA-2 extensively and never had any problems with it. Please try.

Now, better never use ASCII on any input strings. .NET is based on Unicode which is not covered by ASCII. The user can always enter Unicode password with characters beyond the ASCII domain. Better use UTF-8.

—SA
 
Sergey Alexandrovich Kryukov 4-Sep-14 2:01am    
Sorry, I don't understand...
—SA
atul sharma 5126 4-Sep-14 9:26am    
Thanks for the reply!
I have changed the function to use Unicode, and I have also pasted here the code I am using for checking the password entered. Please check, as the same problem is occurring again with every user.

Public Function fnHashedValue(ByVal value, ByVal authentication)
    'To convert string into hash for storing and comparison
    Dim sSourceData As String = value + authentication

    'Create a byte array from source data.
    'Dim tmpSource() As Byte = ASCIIEncoding.ASCII.GetBytes(sSourceData)
    Dim tmpSource() As Byte = UnicodeEncoding.Unicode.GetBytes(sSourceData)

    'Compute hash based on source data.
    Dim tmpHash() As Byte = New SHA1CryptoServiceProvider().ComputeHash(tmpSource)
    Return tmpHash

End Function

'To convert password recovered as string from database to byte for comparison
Dim sha1 As Encoding = Encoding.Unicode
Dim tmpSavedHash() As Byte = sha1.GetBytes(DT.Rows(0).Item(0))

'To convert entered password into hash for comparison
Dim tmpNewHash() As Byte = fnHashedValue(txtPassword.Text, txtUser.Text)
Dim bEqual As Boolean = False
If tmpNewHash.Length = tmpSavedHash.Length Then
    Dim i As Integer
    Do While (i < tmpNewHash.Length) AndAlso (tmpNewHash(i) = tmpSavedHash(i))
        i += 1
    Loop
    If i = tmpNewHash.Length Then
        bEqual = True
    End If
End If
atul sharma 5126 4-Sep-14 9:55am    
Hey SA,

I have modified the code as you suggested with UTF8 and SHA512.

Pls confirm if the following is the right code of conversion of saved password to byte:

Dim tmpSavedHash() As Byte = UTF8Encoding.UTF8.GetBytes(DT.Rows(0).Item(0))
Sergey Alexandrovich Kryukov 4-Sep-14 10:16am    
Assuming that the argument of GetBytes is a correct string, this is correct.
Did you manage to get identical hash from identical data? Is your problem solved?
—SA
atul sharma 5126 4-Sep-14 10:58am    
I did manage to get identical hash from identical data.
But the problem is not solved because the byte converted from the hashed password taken from database is different than the one created by the function.

Resolved!

The issue was related to conversion to string. I used the following function for conversion now.

VB
Private Function ByteArrayToString(ByVal arrInput() As Byte) As String
       Dim i As Integer
       Dim sOutput As New StringBuilder(arrInput.Length)
       For i = 0 To arrInput.Length - 1
           sOutput.Append(arrInput(i).ToString("X2"))
       Next
       Return sOutput.ToString()
   End Function
 
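Why only bytes (2) and (3) changed, as an added example in Python (not code from the thread): it assumes the hash was turned into a string with a UTF-16 text encoding such as Encoding.Unicode before saving, a step the thread does not show. Under that assumption bytes 128, 223 form the code unit 0xDF80, an unpaired surrogate, which the decoder replaces with U+FFFD (bytes 253, 255); hex text, as in the accepted fix, survives storage unchanged. Function names are illustrative.

```python
import hmac

# Hash bytes copied from the tmpNewHash column of the debugger output above.
NEW_HASH = bytes([54, 236, 128, 223, 250, 49, 33, 163, 231, 207,
                  11, 187, 221, 23, 28, 193, 87, 10, 103, 1])
# Bytes read back from the database (tmpSavedHash column).
SAVED_HASH = bytes([54, 236, 253, 255, 250, 49, 33, 163, 231, 207,
                    11, 187, 221, 23, 28, 193, 87, 10, 103, 1])


def utf16_round_trip(raw: bytes) -> bytes:
    """Treat raw bytes as UTF-16LE text and convert back (assumed storage path)."""
    text = raw.decode("utf-16-le", errors="replace")  # invalid units -> U+FFFD
    return text.encode("utf-16-le")


def damaged_offsets(raw: bytes) -> list:
    """Offsets of 16-bit units (even-length input) lost in the text round trip."""
    back = utf16_round_trip(raw)
    return [i for i in range(0, len(raw) - 1, 2) if raw[i:i + 2] != back[i:i + 2]]


def to_hex(raw: bytes) -> str:
    """Text-safe form for a character column: two uppercase hex digits per byte."""
    return raw.hex().upper()


def verify(stored_hex: str, candidate: bytes) -> bool:
    """Decode the stored hex and compare without exiting at the first mismatch."""
    return hmac.compare_digest(bytes.fromhex(stored_hex), candidate)


if __name__ == "__main__":
    print("round trip reproduces saved hash:", utf16_round_trip(NEW_HASH) == SAVED_HASH)
    print("damaged byte offsets:", damaged_offsets(NEW_HASH))
    stored = to_hex(NEW_HASH)
    print("stored as hex:", stored)
    print("verifies after hex storage:", verify(stored, NEW_HASH))
```

Any hash whose bytes happen to form an unpaired surrogate at an even offset is altered the same way, so the failure depends on the hash value rather than on the userid as such.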
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


