
I am writing a login system that will log in against a DotNetNuke application's database. I have access to the database and can read the PasswordSalt in the aspnet_Membership table. Hence I will have as inputs:

  1. user's password (submitted by form)
  2. user's salt (I can look up)

and I must produce as output the hashed Password. The PasswordFormat=2, which is "Encrypted". However, I have not been able to find details of the encryption algorithm being used, so that I can rewrite it in my own application. So far, my research has led me to this page:

http://msdn.microsoft.com/en-us/library/aa478949.aspx

and also this SO post, which has the following formula in one of the comments:

Convert.ToBase64String((new Rfc2898DeriveBytes(YourPWD, YourSALT)).GetBytes(20))

However, this formula does not appear to work on my test data, which has the following inputs and outputs:

  1. password: 888888
  2. salt: ahEvjCX3FM04S5cSi1qdHA==
  3. hashed password: y3rxLUDYdj1/+IGC94/tvW6M3pQTCi/9bq1cNOUgYlM=

You can see my test here: http://ideone.com/EClO2

```csharp
using System;
using System.Security.Cryptography;

public class Test
{
    public static void Main()
    {
        // PBKDF2 over the password with the Base64-decoded salt, 20 derived bytes, Base64-encoded
        Console.WriteLine(Convert.ToBase64String((new Rfc2898DeriveBytes("888888", System.Convert.FromBase64String("ahEvjCX3FM04S5cSi1qdHA=="))).GetBytes(20)));
    }
}
```

Thanks for any help!

UPDATE

Answered here: ASP.NET MembershipProvider -- How exactly does it do encryption?

Jonah
  • `Encryption` is not `Hashing`, you will need to generate an encrypted version (maybe try triple DES) – V4Vendetta Sep 14 '12 at 06:08
  • Can you be more specific? I tried applying triple DES to both "pw + hash" and "hash + pw", and base64 encoding the result, and it did not match. I need to know exactly what DNN is doing internally. – Jonah Sep 14 '12 at 06:18
  • I meant Triple DES is a type of encryption, try that instead of `Base64` – V4Vendetta Sep 14 '12 at 06:33
  • Base64 is just an encoding. Salts and hashes are usually encoded that way so they are more readable. In any case, if you have a specific idea, please post the code you'd like me try. Thanks. – Jonah Sep 14 '12 at 06:39
  • From what I've read, DNN uses the [`SqlMembershipProvider class`](http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx). You can use that to decrypt the password. I would recommend actually hashing it. [Read this](http://mitchelsellers.com/blogs/2010/12/31/keeping-user-passwords-secure-in-dotnetnuke.aspx) – NullUserException Sep 14 '12 at 15:38
  • This was answered [in this post](http://stackoverflow.com/questions/12433726/asp-net-membershipprovider-how-exactly-does-it-do-encryption) – Jonah Sep 22 '12 at 02:41

1 Answer


Looking at the source code, they have a class called AspNetMembershipProvider which has a method called UserLogin. UserLogin calls a private method called ValidateUser which in turn uses the ASP.NET Membership provider so it actually calls this method Membership.ValidateUser internally.

So if you call the same method with the username and password, the membership provider will take care of the password hashing and return a boolean value indicating whether the password matches.

Trevor Pilley
  • Thanks for the reply. So is the salt not used at all in this process? I actually need to get the hashed value, not just the boolean of whether it matches or not. The new application I'm writing is in ruby, so I need to be able to duplicate whatever logic ValidateUser is doing -- where can I find the source for that? – Jonah Sep 14 '12 at 20:12
  • I've done more research and discovered that the actual encryption/decryption is handled by [MembershipProvider.EncryptPassword and DecryptPassword](http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.encryptpassword.aspx). So really I just need to find the source code of those methods, but I haven't been able to do so yet.... – Jonah Sep 15 '12 at 01:04
  • @Jonah where is deCrypt method? – Volatil3 Mar 02 '14 at 10:59
  • @Jonah, did you get this to work? I have the same task with something else and I'm out of options, perhaps your solution will work with me. – Dan Chase Jul 27 '16 at 19:04
  • @DanChase, No, I never did, but that's not to say it won't. Ended up not needing it for other reasons. – Jonah Jul 27 '16 at 19:05
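The thread never shows why the PBKDF2 one-liner cannot match, so here is an added example in Ruby (the asker's target language); it is not code from the question, the answer, or the DotNetNuke/ASP.NET sources. It mirrors the byte layout `SqlMembershipProvider.EncodePassword` builds for every format: the Base64-decoded salt followed by the password as UTF-16LE (`Encoding.Unicode`). For PasswordFormat=1 that buffer is hashed (SHA-1 is the provider default) and the result is reproducible from password and salt alone. For PasswordFormat=2 it is passed to `MembershipProvider.EncryptPassword`, which is keyed by the `machineKey` decryptionKey in web.config, a secret that is not in `aspnet_Membership`; so the stored value `y3rxLUDYdj1/+IGC94/tvW6M3pQTCi/9bq1cNOUgYlM=` cannot be recomputed without that key, and another application can only decrypt-and-compare if it carries the same secret. The cipher parameters below (AES-256-CBC, zero IV, PKCS#7 padding) and the key derived from `'constructed-demo-key'` are this example's assumptions standing in for `MachineKeySection`'s real framing and key, which this page does not give, so the output of `encode_encrypted` will not equal the question's stored value.

```ruby
# Added example, not code from the question, the answer, or the ASP.NET/DNN sources.
# Reproduces the input layout of SqlMembershipProvider.EncodePassword:
#   salt bytes || UTF-16LE(password)
# then hashes it (PasswordFormat=1) or encrypts it (PasswordFormat=2).
# AES-256-CBC with a zero IV and PKCS#7 padding are ASSUMED here in place of
# MachineKeySection's framing; the key is CONSTRUCTED, not a real machineKey.
require 'openssl'
require 'digest'

HASHED    = 1 # MembershipPasswordFormat.Hashed
ENCRYPTED = 2 # MembershipPasswordFormat.Encrypted

# Convert.FromBase64String(salt) followed by Encoding.Unicode.GetBytes(password)
def membership_plaintext(password, salt_b64)
  salt = salt_b64.unpack1('m0')            # strict Base64 decode
  salt.b + password.encode('UTF-16LE').b   # binary concatenation, salt first
end

# PasswordFormat=1: SHA-1 over salt||password (the provider's default hash), Base64
def encode_hashed(password, salt_b64)
  [Digest::SHA1.digest(membership_plaintext(password, salt_b64))].pack('m0')
end

# PasswordFormat=2: reversible encryption under the machineKey decryptionKey.
# Assumed cipher/IV; the real provider's framing may differ.
def encode_encrypted(password, salt_b64, decryption_key)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.encrypt
  c.key = decryption_key          # 32 bytes for AES-256
  c.iv  = "\0" * 16               # assumption: fixed IV so output is deterministic
  [c.update(membership_plaintext(password, salt_b64)) + c.final].pack('m0')
end

# Decrypts a stored Encrypted-format value and strips the salt prefix by its
# length; this is how the salt in aspnet_Membership gets used on the way back.
def decode_encrypted(stored_b64, salt_b64, decryption_key)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.decrypt
  c.key = decryption_key
  c.iv  = "\0" * 16
  plain    = c.update(stored_b64.unpack1('m0')) + c.final
  salt_len = salt_b64.unpack1('m0').bytesize
  plain.byteslice(salt_len, plain.bytesize - salt_len)
       .force_encoding('UTF-16LE').encode('UTF-8')
end

# Same shape as EncodePassword(pass, passwordFormat, salt); the key is only
# needed for the Encrypted format, which is exactly the point.
def encode_password(password, format, salt_b64, decryption_key = nil)
  case format
  when HASHED    then encode_hashed(password, salt_b64)
  when ENCRYPTED then encode_encrypted(password, salt_b64, decryption_key)
  else raise ArgumentError, "unsupported passwordFormat #{format}"
  end
end

if __FILE__ == $PROGRAM_NAME
  salt = 'ahEvjCX3FM04S5cSi1qdHA=='                     # the question's salt
  key  = Digest::SHA256.digest('constructed-demo-key')   # CONSTRUCTED key, not a real machineKey
  puts "hashed:    #{encode_password('888888', HASHED, salt)}"
  enc = encode_password('888888', ENCRYPTED, salt, key)
  puts "encrypted: #{enc}"
  puts "decrypted: #{decode_encrypted(enc, salt, key)}"
end
```

Run it and change the key: the Hashed output stays constant, the Encrypted output changes with every key, which is the property that makes the stored value irreproducible from the database alone and is the practical argument for the hashed format the comments above recommend.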