Replicate PHPBB password hashing in ASP.net c#
I'm using phpbb 3.0.8 at the moment. It has 3,000 users and around 60,000 posts. I'm changing the forum to a different one, written in classic ASP (I know people are going to disapprove of this but I have good reasons).

My site is written in ASP.net. The classic ASP forum has an API to connect to it. I've set all this up, and it works fine. I have written my own login form.

I want to copy all the user accounts over. The current forum has the table:

Username | Password |  Hash  |  Salt

I've overridden the classic ASP hashing technique to now use the ASP.net Security.SHA1 hash. The password is stored as SHA1(rawpassword + salt).

My plan is to store new fields along side the current ones:

UserID | Password |  Hash  |  Salt  |  PHPBBHash

When the user logs in, if the PHPBB hash field is set, it hashes the password with the PHPBB hash. Then, if login is successful, it deletes the PHPBBHash field and creates the current system's hash values. This way, it's a smooth transition over from PHPBB to the new forum, and no one loses their accounts.

My problem is, given a PHPBB hash, a username, and password, in ASP.net c# how can I verify the PHPBB hash? How does it calculate it?

My concern is also that the classic ASP hash function claimed to be SHA1, but it produced different results to Security.SHA1.

Edit

I've put a bounty on this if anyone can give me a definitive solution, I appreciate the answer linking to the resources but I'm still struggling to understand it.

Test Case

Raw password:

blingblangblaow222

In PHPBB3 database:

username: Tom
username_clean: tom
user_password: $H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0
user_passchg: 1301433947
user_form_salt: 637f480dfdab84ef

Using the example code from Vishalgiri's answer, we do this:

phpBB.phpBBCryptoServiceProvider cPhpBB = new phpBB.phpBBCryptoServiceProvider();
string remoteHash = "$H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0";
bool result = cPhpBB.phpbbCheckHash("blingblangblaow222", remoteHash);
Response.Write("<BR><BR><BR>" + result);

This actually returns true. Super! But does anyone know why this works? I'm baffled, it doesn't seem to take salt into account at all.

Brickle answered 21/3, 2011 at 10:40 Comment(8)
Here's another question about this, which links to this code, but the other question poster says it doesn't work and there's no solution yet.Undermost
They say they use this: openwall.com/phpass which has some C classes I'll have to look further into that doc.Brickle
Hmm I could install PHP and have an XMLHTTP request to the PHP page which does the hash for me, starts getting a tad messy with classic ASP, ASP.net and PHP all on one site though!Brickle
Please also note the 'P' vs 'H' thing from my answer here: #5289344Turgent
@Tom: Could you provide some examples of some passwords and their associated hashes (preferably from a test installation of PHPBB with bogus user names and passwords - we don't want to get anyone in trouble)?Congratulate
@Adam yes, I'll try get them on tonightBrickle
@Tom: You mentioned that it doesn't appear to take salt into account. To be specific, it doesn't take user_form_salt into account. In actuality, the 8 characters after the first 4 characters are the salt used in the hash (based on the source code I linked to). It roughly goes like this: 3-character magic string ($H$), 1 character representing the exponent of the number of times to hash (base 2, 9 - 2^9), an 8-character salt, followed by a 16-character hash.Congratulate
@tom if you have a question about the bounty, ask on meta.Plymouth

Seems like your answer is here at the phpBB community; however, as you already know, it is a salted hash, so you need to use the function provided in the link to check your password, because the hash will change whenever it is generated.

Please ignore if you already tried the code provided in the link.

Hope it helps...


One more option would be to create a separate PHP page/service to do password hashing or hash validation. To create a hash use the "phpbb_hash" function, and to check use "phpbb_check_hash"; these functions can be exposed to ASP or ASP.NET via a page or service.

Tlaxcala answered 27/3, 2011 at 23:2 Comment(0)

It appears that PHPBB verifies passwords via the phpbb_check_hash function in the functions.php source file. It looks like it typically relies on _hash_crypt_private to do the real work. The function is 57 lines long (including plenty of whitespace), so it should be relatively straightforward to convert it to C#.

Congratulate answered 21/3, 2011 at 12:45 Comment(0)

You can also tweak the current phpBB system so that it stores a SHA1 hash of the password entered during login. If you run with this tweak for a while, you will have most active users covered, and that saves you the trouble of implementing the complex algorithm. The not-so-active users can just request a new password when they can't log in, or you could give them all a new password and mail it to them (you can select them on the last login date stored in the phpBB database).

Depending on your needs, you might also want to cover the auto-login facility of phpBB. Users that use this feature might not even know their passwords and thus will have trouble logging into your new system if it does not support auto-login.

Contumelious answered 24/3, 2011 at 21:58 Comment(2)
Thanks for the answer, it's useful but I'm looking for a solution that covers 100% of users and will be seamless for all of them.Brickle
What you could do is check the size of your PHPBB password hashes. If they are just 32 characters long, they are just regular MD5 hashes, but if they are 34 characters long they are hashes generated by the _hash_crypt_private algorithm. If you don't want to rewrite this code, you could also install PHP on your server and execute this function via server.execute. You would only need to create a simple PHP program that will handle input/output on the command line that makes calls to the _hash_crypt_private function.Contumelious
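The port the question asks for, as an added example that is not code from the question, from phpBB or from the phpBB.phpBBCryptoServiceProvider class used in the test case above. It follows phpBB 3.0's phpbb_check_hash, _hash_crypt_private and _hash_encode64 from includes/functions.php (the phpass "portable" hash that the answers above point at), and it applies the 32- versus 34-character rule from the comment directly above. It also explains why the test case "does not seem to take salt into account": the salt is carried inside the stored hash itself, in the 8 characters after the 4-character prefix, so for $H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0 the salt is ojo08A3L; user_form_salt is phpBB's form-key (CSRF) salt and plays no part in password hashing. The count character 9 is index 11 in phpBB's alphabet, so the MD5 loop runs 2^11 = 2048 times after the initial MD5(salt + password). Assumptions beyond the page: passwords are UTF-8 (what phpBB 3 passes to md5()); the constant-time comparison is an addition, phpBB itself compares with ===; and the $P$ prefix that phpass's own library emits is accepted alongside $H$ because the algorithm is identical, although phpBB 3.0 only accepts $H$.

```csharp
// Added example: C# port of phpBB 3.0's phpbb_check_hash(), _hash_crypt_private() and
// _hash_encode64() (includes/functions.php). Not code from the question or from phpBB.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PhpbbHash
{
    // phpBB's alphabet, used for the iteration-count character and for encoding the
    // digest. '9' sits at index 11, so "$H$9..." means 1 << 11 = 2048 rounds.
    private const string Itoa64 =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // Port of phpbb_check_hash(): 34 characters is a portable ($H$) hash; anything
    // else is treated as a plain lower-case MD5 hex digest (phpBB2 legacy accounts).
    public static bool CheckHash(string password, string hash)
    {
        if (password == null || hash == null) return false;
        if (hash.Length == 34)
            return ConstantTimeEquals(CryptPrivate(password, hash), hash);
        using (var md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            string hex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
            return ConstantTimeEquals(hex, hash);
        }
    }

    // Port of _hash_crypt_private(). Layout of the stored hash ("setting"):
    //   [0..2] "$H$" ("$P$" accepted as an extension; phpBB 3.0 itself only takes "$H$")
    //   [3]    count character: rounds = 1 << Itoa64.IndexOf(setting[3])
    //   [4..11] 8-character salt, stored in the clear inside the hash string
    //   [12..33] 22-character encoding of the final 16-byte MD5 digest
    // Returns "*" on malformed input, which can never equal a stored hash.
    public static string CryptPrivate(string password, string setting)
    {
        if (setting == null || setting.Length < 12) return "*";
        string id = setting.Substring(0, 3);
        if (id != "$H$" && id != "$P$") return "*";
        int countLog2 = Itoa64.IndexOf(setting[3]);
        if (countLog2 < 7 || countLog2 > 30) return "*";   // same bounds as phpBB
        int count = 1 << countLog2;
        // Assumption: passwords are UTF-8, which is what phpBB 3 hands to md5().
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] salt = Encoding.ASCII.GetBytes(setting.Substring(4, 8));
        using (var md5 = MD5.Create())
        {
            // Raw 16-byte digests are chained, as in PHP's md5($x, true).
            byte[] hash = md5.ComputeHash(Concat(salt, pw));
            do
            {
                hash = md5.ComputeHash(Concat(hash, pw));
            } while (--count > 0);
            return setting.Substring(0, 12) + Encode64(hash, 16);
        }
    }

    // Port of _hash_encode64(): phpass's little-endian base-64 variant (not RFC 4648).
    public static string Encode64(byte[] input, int count)
    {
        var output = new StringBuilder();
        int i = 0;
        do
        {
            int value = input[i++];
            output.Append(Itoa64[value & 0x3f]);
            if (i < count) value |= input[i] << 8;
            output.Append(Itoa64[(value >> 6) & 0x3f]);
            if (i++ >= count) break;
            if (i < count) value |= input[i] << 16;
            output.Append(Itoa64[(value >> 12) & 0x3f]);
            if (i++ >= count) break;
            output.Append(Itoa64[(value >> 18) & 0x3f]);
        } while (i < count);
        return output.ToString();
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var result = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, result, 0, a.Length);
        Buffer.BlockCopy(b, 0, result, a.Length, b.Length);
        return result;
    }

    // Addition over phpBB (which compares with ===): no early exit on mismatch.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // The question's test case: count '9' and salt "ojo08A3L" are read from the hash.
        const string stored = "$H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0";
        Console.WriteLine(CheckHash("blingblangblaow222", stored));
        Console.WriteLine(CheckHash("blingblangblaow223", stored));
    }
}
```

For the migration plan in the question, call CheckHash with the PHPBBHash column at login; on success, compute the new system's hash, store it, and clear PHPBBHash, so each account is upgraded on its first successful login. Note that the MD5-based legacy branch and the 2048-round MD5 loop are both weak by today's standards, so the one-time re-hash into the new scheme is the right moment to move those users to a stronger password hash.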
