C# Sha-1 VS. PHP Sha-1...Different Results

C# SHA-1 vs. PHP SHA-1...Different Results?

Use ASCIIEncoding instead of UnicodeEncoding. PHP uses ASCII charset for hash calculations.

SHA1: different results for PHP and C#

Just get rid of mb_convert_encoding(), if the string is already UTF-8 it will mess things up.
When I run the code without that function I get the correct result: https://eval.in/620412

PHP equivalent of C# SHA1 Unicode hashing

You won't like my answer, but here it is.

First of all the problem is not with PHP, PHP is simple and it is working correctly. You have got a serious bug in your C# code. It needs fixing one way or the other as soon as possible.

This cannot be changed as it would imply asking all users their passwords (which is not viable).

Unfortunately this is what must happen. You can do it without causing mass panic though. I assume your DB has some kind of way of knowing whether the password has been reset by administrators; if not then you need to add such a column (preferably of type timestamp). Next time the user logs in, they must provide their password, because you have reset all of them, so take that password and rehash it properly and store the new hash in the database. It would be wise to use a new column for the new hash, or at least have a way of identifying the corrected hashes. The column should be at least VARCHAR(60), but best would be to have it VARCHAR(255), which should accommodate all popular hashes.

Of course, SHA1 is not a suitable hashing method for passwords, even if using salts. Since you need to rehash all passwords anyway a good idea would be to switch to bcrypt or a similar secure hashing function.

Because your original application introduced this bug, you require some workarounds. Supporting the buggy behaviour in the new application does not seem like a good idea, so I would advise not to look for workarounds in PHP. You could of course try to mangle the passwords in the same way as you suggested in the question, but that is just going to drag the same bug into the new application without fixing it at all.

Before you start doing anything, you should analyse how many of your passwords are damaged in the database. The correct SHA1 hash length should be 40 characters. If you can find the number of passwords which are less than 40, you are going to know which and how many passwords need to be fixed.

Fixing the passwords is going to be difficult, but definitely worth it.

A note on character encoding:

PHP uses UTF-8 encoding most of the time. It is the most common encoding used on the web, and I would recommend using that for your strings. When it comes to hashing, it doesn't matter which encoding the string is in, because hashes are calculated on bytes. This is the reason why you are casting your C# string to bytes in UTF-16 with Encoding.Unicode.GetBytes(data).
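To see which byte encoding produced a stored SHA-1 value, and to run the 40-character audit described above, here is an added Python example (not code from the original answers). The candidate labels, function names and sample rows are constructed for illustration.

```python
import hashlib
import re

# Candidate text-to-bytes conversions (labels are this example's own names).
CANDIDATES = {
    # PHP sha1() on a UTF-8 string; C# Encoding.UTF8.GetBytes
    "utf-8": lambda s: s.encode("utf-8"),
    # C# Encoding.Unicode.GetBytes: UTF-16 little-endian, no BOM
    "utf-16-le": lambda s: s.encode("utf-16-le"),
    # C# Encoding.ASCII.GetBytes: characters outside ASCII become '?'
    "ascii-lossy": lambda s: s.encode("ascii", "replace"),
    # Single-byte legacy charset, e.g. an ISO-8859-1 page or database
    "latin-1": lambda s: s.encode("latin-1", "replace"),
}

HEX40 = re.compile(r"[0-9a-f]{40}")


def sha1_hex(text, encoding_name):
    """SHA-1 of text after converting it to bytes with the named candidate."""
    return hashlib.sha1(CANDIDATES[encoding_name](text)).hexdigest()


def matching_encodings(text, stored_hex):
    """List every candidate encoding whose SHA-1 equals the stored hex digest."""
    stored = stored_hex.strip().lower()
    return [name for name in CANDIDATES if sha1_hex(text, name) == stored]


def malformed_hashes(rows):
    """Return the ids of rows whose stored value is not 40 hex digits."""
    return [uid for uid, value in rows if not HEX40.fullmatch(value.strip().lower())]


if __name__ == "__main__":
    # Constructed sample: a test password and the hash a UTF-16LE hasher stores.
    password = "p\u00e4ssword"
    stored = hashlib.sha1(password.encode("utf-16-le")).hexdigest()
    for name in CANDIDATES:
        print(f"{name:12} {sha1_hex(password, name)}")
    print("stored hash matches:", matching_encodings(password, stored))

    # Constructed rows: (user id, stored hash column).
    rows = [
        (1, "a9993e364706816aba3e25717850c26c9cd0d89d"),
        (2, "a9993e364706816aba3e25717850c26c9cd0"),
        (3, "not-a-hash"),
    ]
    print("rows needing a reset:", malformed_hashes(rows))
```

For pure-ASCII input several candidates match because they produce identical bytes, so use a test password containing a non-ASCII character to tell them apart.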

sha1 function giving a different result to equivalent .net code

This will do it. Inspired by this post and a question I ran across 2 days ago and can't find.

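using System;
using System.Security.Cryptography;
using System.Text;

public string HashItThePHPWay(string hashMe)
{
    using (var sha = new SHA1CryptoServiceProvider())
    {
        // Hex-encode the ASCII bytes of the input (despite the "b64" name, this is hex, not Base64).
        string b64 = ByteArrayToString(Encoding.ASCII.GetBytes(hashMe));
        var b64Bytes = Encoding.ASCII.GetBytes(b64);
        // SHA-1 over the hex text, returned as lowercase hex without dashes.
        var result = sha.ComputeHash(b64Bytes);
        return BitConverter.ToString(result).Replace("-", "").ToLower();
    }
}

// Converts a byte array to a lowercase hex string, two digits per byte.
public static string ByteArrayToString(byte[] ba)
{
    StringBuilder hex = new StringBuilder(ba.Length * 2);
    foreach (byte b in ba)
    {
        hex.AppendFormat("{0:x2}", b);
    }
    return hex.ToString().ToLower();
}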

HMAC SHA1 hash - C# producing different hash output than PHP

Modified your code a bit.

// Requires: using System; using System.IO; using System.Security.Cryptography; using System.Text;
string accessid = "member-1681fca809";
string secretekey = "63f22236ab43b69462b3272b110e3c78";
int Expire = 1357039353;

// Message to sign: access id, a newline, then the expiry timestamp.
string stringTosign = accessid + "\n" + Expire;
// The key is the UTF-8 bytes of the secret string.
byte[] secret = UTF8Encoding.UTF8.GetBytes(secretekey);

HMACSHA1 myhmacsha1 = new HMACSHA1(secret);
byte[] byteArray = Encoding.ASCII.GetBytes(stringTosign);
MemoryStream stream = new MemoryStream(byteArray);
byte[] hashValue = myhmacsha1.ComputeHash(stream);
// Base64 of the raw 20-byte HMAC.
string k = Convert.ToBase64String(hashValue);

Console.WriteLine(Expire);
Console.WriteLine(k);

The only difference will be the last character since you are using url_encode which will convert the "=" character.

PHP SHA1 gives different result than expected

Get rid of all the non alpha-numeric special characters - this one is even not ASCII as far as I can tell: ¤. So it might mess things up if you run sha1 under string encoded in different encodings.

(This answer is copy-pasted from the comments and added as an answer at the asker's request, as it seems to fix the problem.)


