vb.net, how do I validate a SHA1 hashed password?


I inherited a program that I need to support and I was told that the passwords were stored in a MSSQL database using a SHA1 hash. When I try to read the data from the database all I get is "System.Byte[]".

The program asks the user for a password and I am able to create a SHA1 hash using the following:

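Imports System.Security.Cryptography

Public Function GetSHA1HashData(data As String) As String

        Dim cBase64 As String
        Dim objSHA1 As New SHA1CryptoServiceProvider()
        Dim abBytesToHash() As Byte
        Dim cHash As String

        ' Base64-encode the UTF-8 bytes of the input, then take the ASCII bytes of that text.
        cBase64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(data))
        abBytesToHash = System.Text.Encoding.ASCII.GetBytes(cBase64)
        ' Hash the bytes and format the digest as hex pairs separated by "-".
        cHash = BitConverter.ToString(objSHA1.ComputeHash(abBytesToHash))
        ' Strip the separators to leave a plain hex string.
        cHash = Replace(cHash, "-", "")

        Return cHash

End Function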

So my question is, how do I compare the newly created hash with the value I am pulling out of the database to see if they are the same? What do I need to do with "System.Byte[]" to turn it into something I can read?

Thanks.


Solution

  • You are able to create a SHA-1 hash using your function, but it is questionable if the person that filled the database with the values did use the same function. Currently you are base 64 encoding the data, which is already a string, only to retrieve the character encoding. It is more likely that the person simply directly got the character encoding - I'm guessing UTF-8 here - and calculated the SHA-1 value.

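    Public Function GetSHA1HashData(data As String) As Byte()
        ' Requires: Imports System.Security.Cryptography
        Dim objSHA1 As New SHA1CryptoServiceProvider()
        ' Hash the UTF-8 bytes of the password directly, with no Base64 step.
        Return objSHA1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(data))
    End Function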
    

    Ok, so now you would have a byte array from the database and one calculated from the user's password. You can directly compare these byte arrays. Fortunately you can rely on StackOverflow and Jon Skeet to already have an answer on how to do this.
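
The comparison described in the answer, as an added example that is not part of the original question or answer: it hashes a password both ways discussed on this page (direct UTF-8, and the question's Base64-then-ASCII variant), compares against the stored `Byte()` without exiting early, and prints the stored bytes as hex. The module and function names, the `PasswordHash` column name, and the sample password are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module LegacySha1Check

    ' Scheme suggested in the answer: SHA-1 over the UTF-8 bytes of the password.
    Function HashUtf8(password As String) As Byte()
        Using sha As SHA1 = SHA1.Create()
            Return sha.ComputeHash(Encoding.UTF8.GetBytes(password))
        End Using
    End Function

    ' Scheme used by the question's function: Base64-encode first, then hash the ASCII bytes.
    Function HashBase64First(password As String) As Byte()
        Dim b64 As String = Convert.ToBase64String(Encoding.UTF8.GetBytes(password))
        Using sha As SHA1 = SHA1.Create()
            Return sha.ComputeHash(Encoding.ASCII.GetBytes(b64))
        End Using
    End Function

    ' Compare two digests without returning at the first differing byte.
    Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Returns which scheme produced storedHash for a known password, or Nothing if neither did.
    Function IdentifyScheme(knownPassword As String, storedHash As Byte()) As String
        If FixedTimeEquals(HashUtf8(knownPassword), storedHash) Then Return "utf8"
        If FixedTimeEquals(HashBase64First(knownPassword), storedHash) Then Return "base64-then-ascii"
        Return Nothing
    End Function

    Sub Main()
        ' Constructed stand-in for the varbinary value read from the database, e.g.
        ' DirectCast(reader("PasswordHash"), Byte()); the column name is hypothetical.
        Dim storedHash As Byte() = HashUtf8("correct horse")

        ' Readable hex form of the bytes that otherwise print as "System.Byte[]".
        Console.WriteLine(BitConverter.ToString(storedHash).Replace("-", ""))
        Console.WriteLine(IdentifyScheme("correct horse", storedHash))
        Console.WriteLine(FixedTimeEquals(HashUtf8("wrong guess"), storedHash))
    End Sub
End Module
```

Unsalted SHA-1 offers little resistance to offline guessing, so a system that still verifies against these values should re-hash each password with a salted, deliberately slow function such as PBKDF2 (`Rfc2898DeriveBytes`) after a successful login.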