«

Folks,

I am struggling with the following problem. When I encode a string
using FormsAuthentication or SHA1CryptoServiceProvider, I don't get
the same encoding.

In fact I have a SHA1 ASP implementation for one of our legacy
application but I have done the migration using the following code:

private string Hash(string toHash)
{
string hashed = "";

SHA1 sha1 = new SHA1CryptoServiceProvider();
byte[] hash = sha1.ComputeHash(System.Text.Encoding.UTF8.GetByte s(toHash));

foreach(byte b in hash)
hashed += Convert.ToString(b, 16).ToUpper();

return hashed;
}

I then noticed that some values were not encoded the same way. So I
tried using FormsAuthentication.HashPasswordForStoringInConfig File(value,
"SHA1"). Guess what the it encodes the values the same way the ASP
SHA1 does.

Basically this means that the code above with
SHA1CryptoServiceProvider is just wrong. I have tried using all the
encoding available when getting the bytes out of the string but I
cannot get the same encoding.

A value for which it does not work: ArntzHans

Result with SHA1CryptoServiceProvider:
1C4F53FA399F44D81BF4F8540B5127FB44EDA2

Result with FormsAuthentication:
1C4F53FA399F440D81BF4F8540B5127FB404EDA2
* *

Note that the 2 '0' characters outlined on the 2nd result are missing
from the first encoding.

I have read a few threads from users having the same problem, but no
concrete solution to the problem

Wish someone can help me solving this out

Thx
Julien

Your problem is in the Hexa encoding loop. The ToString( b, 16) method gives
you a one char lenght for hexa values of one digit. I suggest you to use
this function for hexa encoding.

BitConverter.ToString( hash ).Replace( "-", string.Empty ).ToUpper()

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

"Super Julius" <> wrote in message
news: om...
> Folks,
>
> I am struggling with the following problem. When I encode a string
> using FormsAuthentication or SHA1CryptoServiceProvider, I don't get
> the same encoding.
>
> In fact I have a SHA1 ASP implementation for one of our legacy
> application but I have done the migration using the following code:
>
> private string Hash(string toHash)
> {
> string hashed = "";
>
> SHA1 sha1 = new SHA1CryptoServiceProvider();
> byte[] hash =
sha1.ComputeHash(System.Text.Encoding.UTF8.GetByte s(toHash));
>
> foreach(byte b in hash)
> hashed += Convert.ToString(b, 16).ToUpper();
>
> return hashed;
> }
>
> I then noticed that some values were not encoded the same way. So I
> tried using FormsAuthentication.HashPasswordForStoringInConfig File(value,
> "SHA1"). Guess what the it encodes the values the same way the ASP
> SHA1 does.
>
> Basically this means that the code above with
> SHA1CryptoServiceProvider is just wrong. I have tried using all the
> encoding available when getting the bytes out of the string but I
> cannot get the same encoding.
>
> A value for which it does not work: ArntzHans
>
> Result with SHA1CryptoServiceProvider:
> 1C4F53FA399F44D81BF4F8540B5127FB44EDA2
>
> Result with FormsAuthentication:
> 1C4F53FA399F440D81BF4F8540B5127FB404EDA2
> * *
>
> Note that the 2 '0' characters outlined on the 2nd result are missing
> from the first encoding.
>
> I have read a few threads from users having the same problem, but no
> concrete solution to the problem
>
> Wish someone can help me solving this out
>
> Thx
> Julien

Thanks Hernan for your answer.

You pointed right the issue. The problem was my convert to hex value
with Convert.ToString(b, 16).

I have not tested your solution as I fixed the issue just before your
post by using String.Format

Anyway I guess this can be relevant to other folks...

Here is the new code with

private string Hash(string toHash)
{
string hashed = "";

SHA1 sha1 = new SHA1CryptoServiceProvider();
byte[] hash =
sha1.ComputeHash(System.Text.Encoding.UTF8.GetByte s(toHash));

foreach(byte b in hash)
hashed += String.Format("{0,2:X2}", b);

return hashed;
}

Cheers
Julius

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!