I want to retrieve the password from the password digest from the hosted API in ASP.NET with C# via a web service while consuming the same during Password Digest Authentication.

Password Digest Creation Logic
Password_Digest =  Base64(SHA-1(nonce + created + password ))

The Request API is created with the Password Digest, Nonce and Created Time Stamp in the SOAP Envelope Header node and exposed to a middleware via a web service.
I want to retrieve the Password from the Password Digest value in the SOAP Envelope Header tag in the response API, which would contain the Password Digest value, Nonce and Created Time Stamp value.
I need to authenticate from the Request API creation logic as above and then only allow access and provide the response back.

What I have tried:

My Sample Request XML with Password Digest is as below:

<string xmlns="http://tempuri.org/">
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t24="https://soa.nbf.ae/T24Service/">
    <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-8" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>alex.jr</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fp2VQAFpZKHBp08DjXf/lX4cm58=</wsse:Password>
          <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tqTc87Gz7mCUVSslHuuisQ==</wsse:Nonce>
          <wsu:Created>2020-01-13T10:46:54.412Z</wsu:Created>
        </wsse:UsernameToken>
      </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
      <sendtot24request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <request>
          <company>Test</company>
          <user_name>alex.jr</user_name>
          <message_id>312313</message_id>
          <transaction_id>102</transaction_id>
          <external_ref_id>0000120</external_ref_id>
        </request>
      </sendtot24request>
    </soapenv:Body>
  </soapenv:Envelope>
</string>
Updated 12-Jan-20 22:13pm

1 solution


Solution 1

If by "I want to retrieve the password from the password digest" you mean "I want to get the original password text back", then you can't: SHA is not an encryption algorithm, it is a hashing algorithm. The difference is simple: hashing functions cannot be reversed to obtain the original input at all - that's the whole point of using them for password storage (preferably with a salt value to prevent identical passwords having identical hashes).

What you do is generate the hash from the entered password and salt, and compare that with the stored value. If the hashes match, it's correct. If they don't, it's not.
You can't recover passwords with this system - that's the whole idea - so your password store is of no use to anybody even if it is compromised as it can't be used to log in.
   
Comments
ranio 13-Jan-20 4:57am
   
There is no password tag in the request API. From the password digest value I need to get the password text back on consuming the Request API sample as mentioned above and authenticate.
OriginalGriff 13-Jan-20 4:58am
   
I repeat: "you can't".

Password_Digest = Base64(SHA-1(nonce + created + password ))

SHA is a Hash, not encryption. It cannot be reversed.
Dave Kreskowiak 13-Jan-20 7:25am
   
Think of the security risk that would be if you could retrieve the password of any account that easily. There are very good reasons why you can't do that.

Richard Deeming 15-Jan-20 10:05am
   
For clarity, SHA-1 is a badly broken hashing algorithm. It hasn't been considered secure since at least 2005, and all major browsers dropped support in 2017. :)
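
The check that Solution 1 describes, as an added example that is not part of the original thread or any participant's code: the service takes the password it already holds for the user, recomputes Base64(SHA-1(nonce + created + password)) and compares the result with the received digest. The class name, the five-minute freshness window, the in-memory nonce cache and the demo password are assumptions; the nonce and Created values are the ones in the sample request.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class UsernameTokenVerifier   // hypothetical name, not from the thread
{
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);           // assumed freshness window
    static readonly HashSet<string> SeenNonces = new HashSet<string>();  // demo-only, not thread-safe

    // Base64(SHA-1(nonce + created + password)); the nonce is hashed as its Base64-decoded bytes.
    public static string ComputeDigest(string nonceB64, string created, string password)
    {
        byte[] nonce = Convert.FromBase64String(nonceB64);
        byte[] input = nonce.Concat(Encoding.UTF8.GetBytes(created + password)).ToArray();
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // Recompute the digest from the password the server already holds; nothing is reversed.
    public static bool Verify(string digestB64, string nonceB64, string created,
                              string knownPassword, DateTime utcNow)
    {
        if (!DateTime.TryParse(created, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out DateTime createdUtc))
            return false;
        if ((utcNow - createdUtc).Duration() > MaxAge) return false;     // stale or future-dated token
        byte[] expected, received;
        try {
            expected = Convert.FromBase64String(ComputeDigest(nonceB64, created, knownPassword));
            received = Convert.FromBase64String(digestB64);
        } catch (FormatException) { return false; }                      // malformed Base64 in the header
        if (expected.Length != received.Length) return false;
        int diff = 0;                                                    // constant-time comparison
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ received[i];
        return diff == 0 && SeenNonces.Add(nonceB64);                    // Add returns false on a replayed nonce
    }

    static void Main()
    {
        string nonce = "tqTc87Gz7mCUVSslHuuisQ==", created = "2020-01-13T10:46:54.412Z"; // from the sample request
        DateTime now = new DateTime(2020, 1, 13, 10, 47, 0, DateTimeKind.Utc);           // constructed clock value
        string digest = ComputeDigest(nonce, created, "constructed-demo-password");      // what a client would send
        Console.WriteLine(Verify(digest, nonce, created, "constructed-demo-password", now)); // first use of the token
        Console.WriteLine(Verify(digest, nonce, created, "constructed-demo-password", now)); // same nonce replayed
        Console.WriteLine(Verify(digest, nonce, created, "wrong-password", now));            // password mismatch
    }
}
```

Because the server has to recompute the digest from the password itself, this scheme requires the service to hold the password (or an agreed password equivalent) for each user.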

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



