This is the encryption I have when people register on my site:

    $salt = generateSalt();
    $hashedPassword = crypt($userPass, $salt);

and here is my generateSalt function:

    function generateSalt() {
        $salt = uniqid(mt_rand(), true);
        $salt = '$1$' . $salt;
        return $salt;
    }

When I encrypt a password with this I get for example:

    $1$92999442$AK4yZPjnj6BKc9yj4CXKu1

But when I crypt the same password in C# with this function:

    hashedPassword = GenerateMD5(uName, salt);

GenerateMD5 function:

    public String GenerateMD5(String input, String salt)
    {
        Byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input + salt);
        System.Security.Cryptography.MD5Cng md5hashstring = new System.Security.Cryptography.MD5Cng();
        byte[] hash = md5hashstring.ComputeHash(bytes);
        string hex = BitConverter.ToString(hash).Replace("-", string.Empty);
        return hex;
    }

I get a completely different output. With the same password and the same salt I get this output:

    9DE11D48C3F7DF1BF89FC76D755A2596

What function should I use in PHP and C# to get the same output?

Machavity
  • I had a similar issue with Delphi and PHP and it was a problem of padding (some \0 at the end of the hash), maybe exploring this possibility will help you solve this problem. Otherwise it can come from a possible default IV which is different from C# to PHP. Good luck! – Answers_Seeker May 06 '15 at 15:33
  • You use `crypt()` in PHP and MD5 in C#... Of course this will lead into different results ... – Stephen Reindl Oct 09 '16 at 13:28

4 Answers

Because you're using two completely different algorithms. In PHP you're using crypt() which uses DES, and in C# you're using MD5. They're never going to produce the same output. If you want the same output, you should use md5() in PHP instead of crypt().

Also, don't use MD5, it's deprecated. You should be using at least SHA-2 now.

Jedediah

http://php.net/md5

http://blogs.msdn.com/b/csharpfaq/archive/2006/10/09/how-do-i-calculate-a-md5-hash-from-a-string_3f00_.aspx

And adding a random salt to your input is part of the problem. You'll end up with a different input every time, hence a different hash output.

fbas

If I were you I'd consider using password_hash instead. Does all that crypt work for you in a nice, neat package, complete with random salt.

As to why your function doesn't match, you're using MD5 in your C# code. I'm no expert in C# but you should use some sort of bcrypt hashing system. There is an open source bcrypt for C# that might do the trick for you. In theory, since they use the same system, one should be able to validate the other since they all store the salt in the string. Just pluck the salt from the string and plug the password and salt into the other one and they should match.

Machavity
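
The migration path this answer points toward, as an added example that is not part of the original post: `password_verify()` reads the scheme and salt from the stored string, so it accepts the legacy `$1$` (md5crypt) hashes produced by the registration code, and the password can be re-hashed with `password_hash()` at the next successful login. The sample password, the fixed salt and the helper name `verifyAndUpgrade` are constructed for illustration.

```php
<?php
// Added example; the password and salt below are constructed sample values.

// Legacy hash as the registration code produces it: crypt() with a "$1$" salt.
// md5crypt reads at most 8 salt characters, so the rest of a uniqid()-style
// salt is ignored and the stored string begins with "$1$92999442$".
$password = 'correct horse battery staple';
$legacy   = crypt($password, '$1$' . '92999442.12345678');

/**
 * Check a password against a stored crypt()-style hash.
 * Returns [bool $ok, ?string $replacementHash]; the second element is a new
 * hash to store when the old one was not made with the current default.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // password_verify() parses the "$id$salt$" prefix itself and compares
    // in constant time; it is compatible with hashes created by crypt().
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // The plaintext is only available at login, so upgrade here.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// First login after the change: legacy hash verifies and is replaced.
[$ok, $upgraded] = verifyAndUpgrade($password, $legacy);
var_dump($ok);
var_dump(password_get_info($legacy)['algoName']);
var_dump(password_get_info($upgraded)['algoName']);

// Later logins: the upgraded hash verifies and needs no replacement.
[$okAgain, $replacement] = verifyAndUpgrade($password, $upgraded);
var_dump($okAgain, $replacement);

// A wrong password is rejected against the legacy hash.
var_dump(verifyAndUpgrade('wrong password', $legacy)[0]);
```

On the C# side, verification then needs a bcrypt implementation that accepts the same stored string, rather than a second hashing routine that tries to reproduce the output byte for byte.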

This is the so-called md5crypt by Poul-Henning Kamp, not to be confused with MD5. Md5crypt was first used to protect FreeBSD passwords from brute force, but then became more widespread. It was incorporated into GNU libc crypt() and many programs had interfaces to this system call, including PHP, and some PHP developers made use of it. Md5crypt invokes MD5 no less than 1000 times to make brute force harder (but nowadays md5crypt is considered outdated by its author!). I have seen implementations of md5crypt for many programming languages, this one is for C#.

OCTAGRAM