Is Asp.net identity hashing Secured?

Question

I have referred the following sites for the Rijndael and Asp.net hashing implementations in the following url.

1. Rijndael - How to generate Rijndael KEY and IV using a passphrase?
2. Asp.net hashing - ASP.NET Identity default Password Hasher, how does it work and is it secure?

In both the implementation, The following is used to get the random bytes for the password. RijnDael

Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);

Asp.net Identity hashing

Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(providedPassword, salt, HasingIterationsCount)

After the above code, RijnDael applies the encryption for the returned bytes. But asp.net identity copy the result as it is with the salt byte array and return the hashed keys.

Here I had a confusion. RijnDael and Asp.net identity hashing uses the same Rfc2898DeriveBytes .

When RijnDael can decrypt the encrypted keys (which is done with the help of Rfc2898DeriveBytes), why can we do to decrypt the Asp.net Identity hashed keys?

Is there any possibility to do that? Is Asp.net identity secured?

Answer 1

Yes, ASP.NET's password hashing method is secure.

In the example you provided, the user is using an encryption technique known as Advanced Encryption Standard (AES, also known as Rijndael). This is why the secret can be decrypted.

The user only uses the Rfc2898DeriveBytes class in order to get a key and an initialisation vector .

The class is not used to hash the secret message. The encryption is what hides the message.

ASP.NET uses the Rfc2898DeriveBytes class to hash a password. This procedure cannot be reversed.