See more: VB ASP.NET

I use a 3rd party application for the bulk of our operation. This application allows me to create customer usernames/passwords for online access via a prebuilt website built by this 3rd party vendor. I want to build a new site for the customers to use because the site that was included with our application is terrible. However, I do not know how to hash the password to match the hash used in this application. I have been doing a lot of digging and I am pretty sure the vendor uses user-defined functions to hash the passwords. However, there are multiple different functions that I believe are used in tandem with each other (not positive, but they are all in the user-defined functions in the database). Is there anyone familiar with the functions copyrighted by Gleb Ufimtsev and called ugAddMod32, ugBitsSet, ugInverse, ugLeftShift, ugRightShift, ugRotateLeft, ugSha1part_ft, ugsha1part_kt, ugSha1part_WordofStr, ugSha1str?

I want to be able to hash the password from these functions and compare the asp hash to the hash stored in the database. 

I tried to shorten this as much as possible. I am using VS2005, .aspx, with a .vb file.

I can include the functions if needed.

I tried using VS2005 built-in functions to hash using SHA1 and MD5, but neither hashes to the same output as what is in my database.

I have also tried many sites to match passwords and hashes with well-known hash functions, over 100 ways, and none match. This leads me to believe that this is a custom hash algorithm like the functions I have mentioned.

Thank You

Posted 25-Nov-09 5:59am
Edited 25-Nov-09 6:04am

Solution 2

The ASP.NET Membership class will create and verify hashed passwords. Using salts is required to increase the security of the site, as the same password (a lot of people will use 'password') will not have the same hash if it has a different salt value.
Hashes are created using a secure key using cryptographic algorithms such as SHA1 and MD5. Each web server (or web farm) will have a (hopefully) unique key, so unless you can get the old site's key and know which algorithm they use, you will not be able to create or verify the passwords stored on the old site.
 
If you must use compatible passwords, I suggest you create a better front-end and then pass the required information to the old site.

Solution 1

If I ever use a hash, I also salt the string, by adding a known string at the end before I hash it. This decreases the odds of someone working out what I am doing. Is the third party DLL .NET? If it is, use reflection to work out what it does. I bet it uses a built-in algorithm and salts the hash.

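The answers above suggest a built-in algorithm combined with a salt. As an added example (not code from the thread or from the vendor), this Python sketch checks a test account whose password you set yourself against the usual SHA-1/MD5 constructions, varying string encoding and salt placement, and reports which one reproduces the stored value. The salt candidates, the `0x` hex format and the sample account are assumptions; an empty result means the scheme is not one of these and the database functions themselves would have to be ported.

```python
import hashlib
from itertools import product

ALGORITHMS = ["sha1", "md5"]
# utf-16-le is the byte layout of SQL Server nvarchar; utf-8 matches varchar for plain ASCII
ENCODINGS = ["utf-8", "utf-16-le"]
LAYOUTS = {
    "password": lambda p, s: p,
    "password+salt": lambda p, s: p + s,
    "salt+password": lambda p, s: s + p,
}

def normalise(stored):
    """Lower-case the stored hex and drop whitespace and an optional 0x prefix."""
    h = stored.strip().lower()
    return h[2:] if h.startswith("0x") else h

def find_scheme(password, stored_hash, salt_candidates):
    """Return every (algorithm, encoding, layout, salt) that reproduces stored_hash."""
    target = normalise(stored_hash)
    salts = [""] + [s for s in salt_candidates if s]
    matches = []
    for alg, enc, (layout, build), salt in product(
            ALGORITHMS, ENCODINGS, LAYOUTS.items(), salts):
        # The unsalted layout pairs only with the empty salt,
        # the salted layouts only with a real candidate.
        if (layout == "password") != (salt == ""):
            continue
        digest = hashlib.new(alg, build(password, salt).encode(enc)).hexdigest()
        if digest == target:
            matches.append((alg, enc, layout, salt))
    return matches

if __name__ == "__main__":
    # Constructed sample: stands in for the value copied from the database row
    # of a test account ("jsmith" and its password are hypothetical).
    password, username = "Test-Pass-1", "jsmith"
    stored = "0x" + hashlib.sha1(
        (password + username).encode("utf-16-le")).hexdigest().upper()
    print(find_scheme(password, stored, [username, username.upper()]))
```

Typical salt candidates to pass in are other columns of the same row, such as the username or customer ID in the casing the application stores.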

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 13 Dec 2009
Copyright © CodeProject, 1999-2014