Jeandre Pentz Jeandre Pentz - 1 month ago 22
C# Question

Telerik Sitefinity Password Hash function

I have a table with login credentials for a Telerik Sitefinity system. I want to use the same login credentials, but with a different application that doesn't have Sitefinity libraries. I'm struggling with the password encoding, which is set to Hash (Default is SHA1 algorithm).

I tried using the following code to encode passwords, but it doesn't match up with what Sitefinity generated.

public string EncodePassword(string pass, string salt)
{
byte[] bytes = Encoding.Unicode.GetBytes(pass);
byte[] src = Convert.FromBase64String(salt);
byte[] dst = new byte[src.Length + bytes.Length];
Buffer.BlockCopy(src, 0, dst, 0, src.Length);
Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
byte[] inArray = algorithm.ComputeHash(dst);
return Convert.ToBase64String(inArray);
}


EXAMPLE:

PASSWORD: password111

SALT: 94EBE09530D9F5FAE3D002A4BF262D2F (as saved in the SF user table)

Hash with function above: 8IjcFO4ad8BdkD40NJcgD0iGloU=

Hash in table generated by SF:A24GuU8OasJ2bicvT/E4ZiKfAT8=

I have searched online if SF generates the encoded password differently, but can't find any results. How can I use the login credentials created by SF without SF libraries?

Answer

You right, Sitefinity is using SHA1 algorithm, but you need to use additional ValidationKey from configuration settings.

Here the working example of code for you:

private static bool CheckValidPassword(string password)
{
    //from sf_users column [salt]
    var userSalt = "420540B274162AA093FDAC86894F3172";

    //from sf_users column [passwd]
    var userPassword = "a99j8I0em8DOP1IAJO/O7umQ+H0=";

    //from App_Data\Sitefinity\Configuration\SecurityConfig.config attribute "validationKey"
    var validationKey = "862391D1B281951D5D92837F4DB9714E0A5630F96483FF39E4307AE733424C557354AE85FF1C00D73AEB48DF3421DD159F6BFA165FF8E812341611BDE60E0D4A";

    return userPassword == ComputeHash(password + userSalt, validationKey);
}

internal static string ComputeHash(string data, string key)
{
    byte[] hashKey = HexToBytes(key);
    HMACSHA1 hmacshA1 = new HMACSHA1();
    hmacshA1.Key = hashKey;
    var hash = hmacshA1.ComputeHash(Encoding.Unicode.GetBytes(data));
    return Convert.ToBase64String(hash);
}

public static byte[] HexToBytes(string hexString)
{
    byte[] numArray = new byte[hexString.Length / 2];
    for (int index = 0; index < numArray.Length; ++index)
        numArray[index] = Convert.ToByte(hexString.Substring(index * 2, 2), 16);
    return numArray;
}