
Hi to all the old familiar faces, have not been here for a while...

I have read up on tons of samples and answers (and even more on how cryptography works) but none answers my scenario. I am creating a new user from a desktop app in VB.Net. The user needs to use Android for a small part, to update a valuation where a PC is not available (a web app is not an option, unfortunately).

I have no problem in the desktop app, all works fine. I am using a PHP page to handle the login and other data-related actions in Android, also no problem. I did however have to change the password to normal strings etc. to read the passwords. I need to let PHP read the saved salted string (a different salt for each password - all randomly generated, no salt the same for more than one user) linked to that particular password.

I have played around with the code for some time now to try and use the same kind of function in PHP but I am totally lost on how to convert the .net part to be used in PHP.

My .net code looks like this -

Imports System.Security.Cryptography
Imports System.Text

Module modSecurity

    Public Function GetSaltedHash(pw As String, salt As String) As String
        Dim tmp As String = pw & salt

        ' or SHA512Managed
        Using hash As HashAlgorithm = New SHA256Managed()
            ' convert pw+salt to bytes:
            Dim saltyPW As Byte() = Encoding.UTF8.GetBytes(tmp)
            ' hash the pw+salt bytes:
            Dim hBytes As Byte() = hash.ComputeHash(saltyPW)
            ' return a B64 string so it can be saved as text
            Return Convert.ToBase64String(hBytes)
        End Using
    End Function

    Public Function CreateNewSalt(size As Integer) As String
        ' use the crypto random number generator to create
        ' a new random salt
        Using rng As New RNGCryptoServiceProvider
            ' dont allow very small salt
            Dim count As Integer = If(size < 7, 7, size)
            ' VB array bounds are inclusive: Dim data(n) holds n+1 bytes,
            ' so subtract 1 to get exactly `count` random bytes
            Dim data(count - 1) As Byte
            ' fill the array
            rng.GetBytes(data)
            ' convert to B64 for saving as text
            Return Convert.ToBase64String(data)
        End Using
    End Function

End Module

Within my form I will create the hashed password and salt as follow -

strPasswordNew = txtPassword.Text

Dim NewPWD As String = strPasswordNew                          ' Actual password
strSaltPWD = CreateNewSalt(SaltSize)                           ' Salt pwd
Dim SaltPWDHash As String = GetSaltedHash(NewPWD, strSaltPWD)  ' New pwd now hashed

The password and the salt are saved to the database under their own fields - salt and pwd.

Any pointers will be highly appreciated please.

Last Post by AndreRet

Hi,

The recommended way to hash passwords in PHP is through password_hash(); see the examples on the documentation page:

Example #3 seems similar to your request. If you use PHP 7, then you can enable strict mode and write something like this:

<?php declare(strict_types=1);

function GetSaltedHash(string $pw, string $salt) : string
{
    $tmpPw   = mb_convert_encoding($pw, 'UTF-8');
    $tmpSalt = mb_convert_encoding($salt, 'UTF-8');

    // bcrypt needs a 22-character salt; note that the 'salt' option is
    // deprecated since PHP 7.0 (password_hash() generates one by default)
    $options = ['cost' => 11, 'salt' => $tmpSalt];

    $hBytes = password_hash($tmpPw, PASSWORD_BCRYPT, $options);

    // the bcrypt string already embeds the salt and the cost
    return base64_encode($hBytes);
}

function CreateNewSalt(int $size) : string
{
    # default size
    if ($size < 22)
        $size = 22;

    return base64_encode(random_bytes($size));
}

$pass = 'hello';
$size = 30;
$salt = CreateNewSalt($size);
$hash = GetSaltedHash($pass, base64_decode($salt));
$decd = base64_decode($hash);

print 'base64 encoded: ' . $hash . PHP_EOL;
print 'base64 decoded: ' . $decd . PHP_EOL;
print PHP_EOL;

if (TRUE === password_verify($pass, $decd))
    print 'The password is valid';
else
    print 'Validation failed';

print PHP_EOL;

See also:

Edited by cereal: Fixing the example.


Hey there!!!!!! Welcome back!! I hope you'll stick around and stay awhile. You were missed.

I have a question for you though cereal. Isn't it optimal to let password_hash() create its own strong salt?

I will most definitely Dani, thank you for the welcome.
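Added example, not code from AndreRet or cereal. It covers the two points raised in this thread: the PHP side has to reproduce the VB.NET GetSaltedHash() byte-for-byte (SHA-256 over the UTF-8 bytes of password followed by the salt, where the salt is the Base64 string stored in the salt column, and the Base64 digest is what sits in pwd) in order to verify rows the desktop app already wrote; and, as Dani asks, password_hash() should be left to generate its own salt, which the login flow below uses to rewrite each legacy row on the first successful login. The column names salt and pwd come from the thread; the function names, the 16-byte salt floor and the constructed sample row are assumptions. Requires PHP 7.1+ for array destructuring.

```php
<?php
declare(strict_types=1);

// Exact counterpart of the .NET GetSaltedHash(pw, salt): a PHP string that
// arrived as UTF-8 is already the byte sequence Encoding.UTF8.GetBytes() yields,
// so hashing $pw . $salt and Base64-encoding the raw digest matches the DB value.
function legacy_salted_hash(string $pw, string $salt): string
{
    return base64_encode(hash('sha256', $pw . $salt, true));
}

// Counterpart of CreateNewSalt(): Base64 of CSPRNG bytes (16-byte floor is an assumption).
function legacy_new_salt(int $size): string
{
    return base64_encode(random_bytes(max($size, 16)));
}

// Verify against a legacy row; hash_equals() compares in constant time.
function legacy_verify(string $pw, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, legacy_salted_hash($pw, $salt));
}

// Login against a row in either format. Returns [ok, newHash]: newHash is set
// when the row should be rewritten as a password_hash() value (the salt is
// embedded in that string, so the separate salt column becomes unnecessary).
function login(string $pw, array $row): array
{
    $info = password_get_info($row['pwd']);
    if ($info['algoName'] !== 'unknown') {
        // already a password_hash() row: verify and rehash only if the defaults moved on
        $ok  = password_verify($pw, $row['pwd']);
        $new = null;
        if ($ok && password_needs_rehash($row['pwd'], PASSWORD_DEFAULT)) {
            $new = password_hash($pw, PASSWORD_DEFAULT);
        }
        return [$ok, $new];
    }
    // legacy SHA-256 row written by the desktop app
    $ok = legacy_verify($pw, $row['salt'], $row['pwd']);
    return [$ok, $ok ? password_hash($pw, PASSWORD_DEFAULT) : null];
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed demo row, built the way the desktop app would have written it.
$salt = legacy_new_salt(16);
$row  = ['salt' => $salt, 'pwd' => legacy_salted_hash('correct horse', $salt)];

[$ok, $upgraded] = login('correct horse', $row);
check($ok === true && $upgraded !== null, 'legacy row verifies and is upgraded');

[$bad, $none] = login('wrong password', $row);
check($bad === false && $none === null, 'wrong password is rejected, no upgrade');

// After the first good login the row holds a password_hash() string.
$row = ['salt' => '', 'pwd' => $upgraded];
[$ok2, $again] = login('correct horse', $row);
check($ok2 === true && $again === null, 'upgraded row verifies via password_verify()');

echo "all checks passed\n";
```

The legacy path only exists so that existing users can log in from Android without a password reset; once every row has been rewritten, legacy_verify() and the salt column can be dropped, and from then on password_hash()/password_verify() with the default salt is the whole scheme.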

@Cereal, Thanks a million, I will test this over the weekend, as I have racked my brain on this for 2 weeks now. The other alternative would be to change my .Net code, which I am not too comfortable with.

@Dani, Thank you for the warm welcome. I will be spending time again.
