Hi, I want to replicate the password hashing that is done in ASP.NET Identity so that the resulting value of a password hashed by ASP.NET Identity and the password hashed by Chilkat are the same. Is that even possible?

In C# ASP.NET, we use Rfc2898DeriveBytes, which does the PBKDF2 for us. How can I do the same in Chilkat?

    private const int PBKDF2IterCount = 1000; // default for Rfc2898DeriveBytes
    private const int PBKDF2SubkeyLength = 256 / 8; // 256 bits
    private const int SaltSize = 128 / 8; // 128 bits

    //[ComVisible(true)]
    public string HashPassword(string password)
    {
        if (password == null)
        {
            throw new ArgumentNullException("password"); // the argument is the parameter name
        }

        // Produce a version 0 (see comment above) text hash.
        byte[] salt;
        byte[] subkey;
        using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
        {
            salt = deriveBytes.Salt;
            subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
        }

        var outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
        Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
        return Convert.ToBase64String(outputBytes);
    }

Currently, the parameters I am using in Chilkat are:

    Function EncryptChilkat(sPassword As String) As String

        Dim crypt As New ChilkatCrypt2

        Dim success As Long

        success = crypt.UnlockComponent("ACHIEV.CR1082018_dCrRA3zr4e1M ")

        If (success <> 1) Then
            Debug.Print crypt.LastErrorText
            Exit Function
        End If

        Dim hexKey As String

        Dim pw As String
        pw = "pwd"
        Dim pwCharset As String
        pwCharset = "base64"

        '  Hash algorithms may be: sha1, md2, md5, etc.
        Dim hashAlg As String
        hashAlg = "HMCSHA1"

        '  The salt should be 8 bytes:
        Dim saltHex As String
        saltHex = "78578E5A5D63CB06"

        Dim iterationCount As Long
        iterationCount = 1000

        '  Derive a 128-bit key from the password.
        Dim outputBitLen As Long
        outputBitLen = 128

        '  The derived key is returned as a hex or base64 encoded string.
        '  (Note: The salt argument must be a string that also uses
        '  the same encoding.)
        Dim enc As String
        enc = "base64"

        hexKey = crypt.Pbkdf2(pw, pwCharset, hashAlg, saltHex, iterationCount, outputBitLen, enc)

        EncryptChilkat = hexKey
    End Function

Samra

1 Answer

Check the binary values of both the password and the salt on both sides. Also check for trailing nulls, carriage returns, and line feeds.

Additionally, you can see which, if either, algorithm is misbehaving - I have a copy of Jither's .NET PBKDF2 implementation at my GitHub repository including test vectors, and for your Chilkat, you can create what you need from my LibreOffice Calc sheet of PBKDF2 test vectors.

Run these through both implementations; whichever one fails is wrong. If both succeed... then you're not giving both the same parameters.

Anti-weakpasswords
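
An independent reference for the comparison described in the answer, as an added example that is not part of the original posts or of either library: it builds and parses the layout produced by the C# `HashPassword` in the question (a 0x00 byte, the 16-byte salt, then the 32-byte PBKDF2-HMAC-SHA1 subkey, Base64-encoded). The function names are hypothetical and the sample salt is constructed; because the salt is random per hash, the other implementation has to be given the salt extracted from the stored value before the outputs can match.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 1000   # PBKDF2IterCount in the C# code above
SUBKEY_LEN = 32     # PBKDF2SubkeyLength, 256 bits
SALT_LEN = 16       # SaltSize, 128 bits


def derive_subkey(password, salt, iterations=ITERATIONS, length=SUBKEY_LEN):
    # Rfc2898DeriveBytes(string, ...) is PBKDF2 with HMAC-SHA1 over the
    # UTF-8 bytes of the password (no terminator, no BOM).
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, length)


def hash_password(password, salt=None):
    # Same layout as HashPassword: 0x00 marker, salt, subkey, then Base64.
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return base64.b64encode(b"\x00" + salt + derive_subkey(password, salt)).decode("ascii")


def split_hash(stored):
    # Recover (salt, subkey) from a stored hash, rejecting any other layout.
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != 0:
        raise ValueError("not a version 0 hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_password(stored, password):
    salt, expected = split_hash(stored)
    return hmac.compare_digest(derive_subkey(password, salt), expected)


def comparison_inputs(stored, password):
    # Exact bytes, as hex, to check against the other implementation's inputs.
    salt, subkey = split_hash(stored)
    return {"password_hex": password.encode("utf-8").hex(), "salt_hex": salt.hex(),
            "iterations": ITERATIONS, "output_bits": SUBKEY_LEN * 8,
            "expected_subkey_hex": subkey.hex()}


if __name__ == "__main__":
    sample = hash_password("pwd", bytes(range(SALT_LEN)))  # constructed salt
    print(sample)
    print(comparison_inputs(sample, "pwd"))
```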