
Background: I have an ASP.NET Core 3.1 application that is running in an AWS FARGATE container (on Linux).

What I need to do: I need to hash passwords using a built-in .NET Core solution. I'd prefer to use a solution where I don't have to manage key rotation; but will do so if there's no other option.

I'd like to use the Microsoft.AspNetCore.Identity.PasswordHasher<TUser> to hash the passwords. However, I have no idea if this uses some sort of key rotation mechanism (e.g. DPAPI) to generate the hashes. According to ASP.NET Core Data Protection, the default implementation handles key generation and rotation - i.e. keys are stored in the LOCAL CryptoRing and rotated by default every 90 days. Therefore:

  1. keys are not transferable
  2. keys to decrypt are only good for 90 days

If I need to handle key rotation, I think (not sure) that the cloud-based solution is to generate a crypto key and add to Azure. But, I need to know if I even need to do this if I'm only using Microsoft.AspNetCore.Identity.PasswordHasher<TUser> to hash the passwords and not using any ASP.NET Core Data Protection. TIA

Dave Black

2 Answers

1

EDIT: According to Barry Dorans (@blowdart), it does not use ASP.NET Data Protection:

https://github.com/dotnet/aspnetcore/issues/21331#issuecomment-621345491

Dave Black
0

No, it doesn't. I know this by looking at the code, available at https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Extensions.Core/src/PasswordHasher.cs.

Ricardo Peres
  • I'd looked at the code as well and saw it used `System.Security.Cryptography.RandomNumberGenerator`. However, I didn't know if that was part of the Data Protection API (like `RNGCryptoServiceProvider` is). – Dave Black Apr 29 '20 at 17:29
  • No, it's not; this is a .NET BCL class – Ricardo Peres Apr 29 '20 at 17:30
  • Just so I know, how are you able to tell the difference between whether or not a class is part of the Data Protection API or just a BCL class? They are both in the same namespace and `RNGCryptoServiceProvider` derives from `RandomNumberGenerator` (unless I'm incorrect in saying that `RNGCryptoServiceProvider` is part of Data Protection) – Dave Black Apr 29 '20 at 17:44
  • Read about the Data Protection API, to start: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-3.1 – Ricardo Peres Apr 29 '20 at 17:45
  • Yes, I did actually RTFM, and if you look closely you will see that `PasswordHasher` (and key derivation) are actually mentioned under the Data Protection API, which would seem to imply that they are part of it - https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-3.1 – Dave Black Apr 29 '20 at 18:04
  • PasswordHasher comes with Identity – Ricardo Peres Apr 29 '20 at 18:05
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/212806/discussion-between-dave-black-and-ricardo-peres). – Dave Black Apr 29 '20 at 18:06
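The point both answers make, shown as an added example that is not from the question, the answers, or ASP.NET Core's own source: a Python re-implementation of the PasswordHasher V3 string layout as read from the linked PasswordHasher.cs (marker byte 0x01, PRF id, iteration count, salt length, salt, PBKDF2 subkey, base64-encoded). Because every verification parameter is embedded in the stored string, verifying needs no key, so there is nothing to rotate and a hash produced in one container verifies in any other. Function names and the sample passwords are mine.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# KeyDerivationPrf values as written into the header (HMACSHA1=0, HMACSHA256=1, HMACSHA512=2)
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}
FORMAT_V3 = 0x01  # marker byte; 0x00 is the older Identity v2 layout, not handled here

def hash_password_v3(password: str, iterations: int = 10000,
                     salt: Optional[bytes] = None) -> str:
    """V3 layout: 0x01 | prf(4) | iterations(4) | salt_len(4) | salt | subkey(32),
    integers big-endian, then base64. 10000 iterations is the .NET Core 3.1 default."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = struct.pack(">BIII", FORMAT_V3, 1, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")

def parse_hash(hashed: str) -> dict:
    """Recover every verification parameter from the stored string alone."""
    raw = base64.b64decode(hashed)
    if len(raw) < 13 or raw[0] != FORMAT_V3:
        raise ValueError("not a V3 hash or truncated")
    _, prf, iterations, salt_len = struct.unpack(">BIII", raw[:13])
    salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
    # Same sanity limits PasswordHasher applies: salt and subkey must be at least 128 bits
    if (prf not in PRF_NAMES or iterations < 1 or len(salt) != salt_len
            or salt_len < 16 or len(subkey) < 16):
        raise ValueError("malformed V3 header")
    return {"prf": PRF_NAMES[prf], "iterations": iterations, "salt": salt, "subkey": subkey}

def verify_password(hashed: str, password: str) -> bool:
    """Verify using nothing but the hash string: no key, hence nothing to rotate."""
    try:
        p = parse_hash(hashed)
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac(p["prf"], password.encode("utf-8"),
                                    p["salt"], p["iterations"], len(p["subkey"]))
    return hmac.compare_digest(candidate, p["subkey"])
```

Strings produced by the real `PasswordHasher<TUser>` with the default V3 settings parse and verify the same way; the only state involved is the hash itself.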