What algorithm does ASP.NET Identity use to encrypt the password?

What kind of algorithm does the ASP.NET Identity framework use to encrypt the password? I have a scenario where Android, iPhone, web and desktop use the same database. This password should be encrypted, so in ASP.NET MVC I have used the Identity framework to encrypt the password. Now I need the algorithm to work for all platforms.

Any help will be appreciated.

Thanks in advance.

Rutter answered 15/7, 2014 at 5:14 Comment(6)
MD5 for Hashing and SHA1 for Encryption. - Lituus
This question is too broad, ASP.NET as a framework contains implementations of a lot of crypto algorithms, but the usage of the specific cipher, MAC or KDF is defined on the level of the specific product. - Monatomic
@OlegEstekhin msdn.microsoft.com/en-us/library/… FYIP For SHA1 encryption. - Lituus
@ArijitMukherjee this link is both not relevant to the question and also it points to something which is not simply "SHA1" and which is absolutely not an encryption algorithm. - Monatomic
@OlegEstekhin While it might be too broad for ASP.NET, the question is specifically about ASP.NET Identity. - Clamant
The way the password is hashed on the server should not be a concern for all your clients. So whatever hashing is used by the Identity framework should be good enough for your clients. - Telegraphese
20

ASP.NET Identity uses Password-Based Key Derivation Function 2 (PBKDF2) as implemented by Rfc2898DeriveBytes. It is a hashing algorithm.

Note that encryption and hashing are different.

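using System;
using System.Security.Cryptography;

public static string HashPassword(string password)
{
    byte[] salt;
    byte[] bytes;
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }
    // Generate a random 16-byte salt and run PBKDF2 for 1000 iterations
    // (this Rfc2898DeriveBytes constructor uses HMAC-SHA1 as its PRF).
    using (Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(password, 16, 1000))
    {
        salt = rfc2898DeriveByte.Salt;
        bytes = rfc2898DeriveByte.GetBytes(32); // 32-byte derived subkey
    }
    // Output layout: byte 0 is left as 0x00, then the 16-byte salt, then the 32-byte subkey.
    byte[] numArray = new byte[49];
    Buffer.BlockCopy(salt, 0, numArray, 1, 16);
    Buffer.BlockCopy(bytes, 0, numArray, 17, 32);
    return Convert.ToBase64String(numArray);
}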
Clamant answered 15/7, 2014 at 5:45 Comment(6)
Encryption technique is indeed SHA1, check the msdn reference you have provided. - Lituus
As far as I understand, the use of SHA1 is only one part of the process, which is to use a pseudo-random number generator based on HMACSHA1. - Clamant
yes that's what OP asked for, which encryption technique and not the Hashing using the Salt etc. - Lituus
Possibly. Knowing that the hashing algorithm used is SHA1 couldn't possibly be very helpful to anyone though. You need to know how the password is hashed. SHA1 is just an implementation detail of Rfc2898DeriveBytes. - Clamant
Also, SHA1 is a hashing algorithm, not an encryption technique. - Clamant
Please check and answer for the following question. #40013339 - Disfeature
1

This depends on the selected compatibility mode.

Implementation details can be found in their GitHub repo.

At this moment they support:

version 2

  • PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations
  • Format: { 0x00, salt, subkey }

version 3

  • PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.
  • Format: { 0x01, prf (UInt32), iter count (UInt32), salt length (UInt32), salt, subkey } (All UInt32s are stored big-endian.)
Jacks answered 11/5, 2021 at 10:31 Comment(0)
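
Added example (not part of either answer and not ASP.NET Identity's own code): a Python parser and verifier for the two stored-hash layouts listed above, showing how a non-.NET server component can check a password against the shared database. The function names are hypothetical, the PRF code mapping follows .NET's KeyDerivationPrf enum (it is not given on this page), and the password is assumed to be UTF-8 encoded, as .NET does when given a string.

```python
import base64
import hashlib
import hmac
import os
import struct

# PRF codes as in .NET's KeyDerivationPrf enum (assumption: not listed on this page).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def parse_identity_hash(encoded):
    """Split a base64 Identity hash into (prf, iterations, salt, subkey)."""
    raw = base64.b64decode(encoded, validate=True)
    if raw[:1] == b"\x00":  # version 2: { 0x00, salt[16], subkey[32] }
        if len(raw) != 49:
            raise ValueError("bad v2 length")
        return "sha1", 1000, raw[1:17], raw[17:49]
    if raw[:1] == b"\x01":  # version 3: header of three big-endian UInt32s
        if len(raw) < 13:
            raise ValueError("truncated v3 header")
        prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
        salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
        if prf not in PRF_NAMES or iterations < 1:
            raise ValueError("unsupported v3 parameters")
        if len(salt) != salt_len or salt_len < 16 or len(subkey) < 16:
            raise ValueError("bad v3 salt/subkey length")
        return PRF_NAMES[prf], iterations, salt, subkey
    raise ValueError("unknown format marker")


def verify_identity_hash(encoded, password):
    """Return True if password matches; malformed hashes verify as False."""
    try:
        prf, iterations, salt, subkey = parse_identity_hash(encoded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    derived = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                                  salt, iterations, dklen=len(subkey))
    return hmac.compare_digest(derived, subkey)  # constant-time comparison


def make_hash(password, version):
    """Build a constructed sample hash in the v2 or v3 layout (for testing)."""
    salt = os.urandom(16)
    if version == 2:
        key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, dklen=32)
        return base64.b64encode(b"\x00" + salt + key).decode()
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10000, dklen=32)
    return base64.b64encode(b"\x01" + struct.pack(">III", 1, 10000, 16) + salt + key).decode()
```

Because version 3 stores the PRF and iteration count in the hash itself, the verifier reads them from each record instead of hard-coding them, so hashes written with different settings keep verifying.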
