Tags: .net, encryption, .net-4.0, sqlmembershipprovider

Bad crypto error in .NET 4.0


Today I moved my web application to .net 4.0 and Forms Auth just stopped working. After several hours of digging into my SqlMembershipProvider (simplified version of built-in SqlMembershipProvider), I found that HMACSHA256 hash is not consistent. This is the encryption method:

internal string EncodePassword(string pass, int passwordFormat, string salt)
{
    if (passwordFormat == 0) // MembershipPasswordFormat.Clear
        return pass;

    byte[] bIn = Encoding.Unicode.GetBytes(pass);      // password as UTF-16LE bytes
    byte[] bSalt = Convert.FromBase64String(salt);     // per-user salt, stored base64-encoded
    byte[] bAll = new byte[bSalt.Length + bIn.Length]; // salt || password
    byte[] bRet = null;

    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
    if (passwordFormat == 1) // MembershipPasswordFormat.Hashed
    {
        // Membership.HashAlgorithmType comes from Web.config. For a keyed algorithm such as
        // HMACSHA256, Create() returns an instance whose key was generated at random, and this
        // code never sets one, so the digest is not repeatable across calls.
        HashAlgorithm s = HashAlgorithm.Create(Membership.HashAlgorithmType);
        bRet = s.ComputeHash(bAll);
    }
    else
    {
        bRet = EncryptPassword(bAll); // MembershipPasswordFormat.Encrypted (provider base method)
    }

    return Convert.ToBase64String(bRet);
}

Passing the same password and salt twice returns different results!!! It was working perfectly in .NET 3.5.

Anyone aware of any breaking changes, or is it a known bug?

UPDATE: When I specify SHA512 as the hashing algorithm, everything works fine, so I do believe it's a bug in the implementation of the HMACSHA256 hashing algorithm in .NET 4.0.

Thanks! Andrey
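The non-repeating digests described in the question, as an added example that is not the asker's code or the framework's own SqlMembershipProvider: on .NET Framework 4.x, HashAlgorithm.Create("HMACSHA256") returns an HMACSHA256 whose key was generated at random, so two calls over the same salt and password give different output, while SHA512 is unkeyed and repeats. Keying the HMAC from the stored salt is an assumed approach chosen for this demonstration, and HashDemo, Encode and IsRepeatable are names invented for it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example for .NET Framework 4.x (the page's environment); not code from the question
// or from the framework's SqlMembershipProvider. Encode() mirrors the question's salt || UTF-16LE
// password layout; the keyWithSalt switch is an assumption made for this demonstration.
static class HashDemo
{
    public static string Encode(string algorithmName, string pass, string salt, bool keyWithSalt)
    {
        byte[] bIn = Encoding.Unicode.GetBytes(pass);
        byte[] bSalt = Convert.FromBase64String(salt);
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

        using (HashAlgorithm h = HashAlgorithm.Create(algorithmName))
        {
            if (h == null)
                throw new ArgumentException("Unknown algorithm name: " + algorithmName);

            // HMACSHA256 is a KeyedHashAlgorithm: its constructor generates a random key,
            // so without an explicit key each Encode() call hashes under a different key.
            KeyedHashAlgorithm keyed = h as KeyedHashAlgorithm;
            if (keyed != null && keyWithSalt)
                keyed.Key = bSalt; // same stored salt => same key => repeatable digest for this user

            return Convert.ToBase64String(h.ComputeHash(bAll));
        }
    }

    // True when two independent calls agree, i.e. the scheme can be used to verify a login.
    public static bool IsRepeatable(string algorithmName, bool keyWithSalt)
    {
        // Constructed sample salt; a real provider stores a random per-user salt.
        string salt = Convert.ToBase64String(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 });
        string a = Encode(algorithmName, "correct horse", salt, keyWithSalt);
        string b = Encode(algorithmName, "correct horse", salt, keyWithSalt);
        return a == b;
    }

    static void Main()
    {
        Console.WriteLine("SHA512 (unkeyed):               " + IsRepeatable("SHA512", false));
        Console.WriteLine("HMACSHA256, random default key: " + IsRepeatable("HMACSHA256", false));
        Console.WriteLine("HMACSHA256, keyed from salt:    " + IsRepeatable("HMACSHA256", true));
    }
}
```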


Solution

  • I believe there have been some security-related changes in .NET 4.0; have a look at this ...

    http://www.asp.net/(S(ywiyuluxr3qb2dfva1z5lgeg))/learn/whitepapers/aspnet4/breaking-changes

    The first obvious thing that sticks out is this ...

    Default Hashing Algorithm Is Now HMACSHA256

    ASP.NET uses both encryption and hashing algorithms to help secure data such as forms authentication cookies and view state. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.

    Your applications might be affected if you run mixed ASP.NET 2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across .NET Framework versions. To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting in the Web.config file:

          <machineKey validation="SHA1" />

    Have you explicitly set your hashing algorithm or just let asp.net decide ... if it's using a different default now it may be just grabbing any old hashing algorithm at random as the defined one is no longer supported.

    Having said that, M$ may have retired the one you are using, so that may be the cause, bugger .... I just realised I need to test my CMS ... this hadn't occurred to me.

    Thanks for the heads up, hopefully my thoughts will help us both !!!