How to compute hash like MD5(str1+ MD5(str2+ str3))

Question

I need to encrypt credentials in order to connect to a remote server. From the documentation I found, that the password needs to be hashed like shown below.

MD5(session + MD5(username+ password))

However I wasn't able to get the same hashed password from C#, as sent from the WebClient to the server.

I tried several combination, none of those gave me the same result. Here is my last approach.

string EncryptPassword(string UserName, string Password, string SessionId)
        {
            // Password is MD5(sessionId + MD5(login + password))
            // Source: https://www.godo.dev/tutorials/csharp-md5/
            using (MD5 md5 = MD5.Create())
            {

                string credentials = $"{UserName}{Password}";
                // Hash credentials first
                md5.ComputeHash(Encoding.UTF8.GetBytes(credentials));
                var inputBuffer = Encoding.UTF8.GetBytes(SessionId).ToList();
                inputBuffer.AddRange(md5.Hash);
                //var inputBuffer = Encoding.UTF8.GetBytes(SessionId + credentialBuilder.ToString());

                md5.ComputeHash(inputBuffer.ToArray());

                //md5.TransformBlock(inputBuffer, 0, inputBuffer.Length, inputBuffer, 0);
                //md5.TransformFinalBlock(new byte[0], 0, 0);

                // Get hash result after compute it  
                byte[] hashedCredentials = md5
                    .Hash;

                StringBuilder strBuilder = new StringBuilder();
                for (int i = 0; i < hashedCredentials.Length; i++)
                {
                    //change it into 2 hexadecimal digits  
                    //for each byte  
                    strBuilder.Append(hashedCredentials[i].ToString("x2"));
                }
                return strBuilder.ToString();
            }
        }

I tried with following test credentials: username:

login: TestUser
password: TestPassword
session: uu2cO7b7drhxHKItfRpcJ4#qk@230#$R

Valid result: 4dfb147da0d2338cb57e05d1b4b21d07 <= this is how it should like with the infos above.

My result: eb55ef7e70c160ad2dd8fe831a1cf708

Answer 1

Your result requires you to use the textual (hexadecimal) hash result of UserNamePassword, whereas you're using the byte result.

If you replace:

inputBuffer.AddRange(md5.Hash);

with:

string hexHash = BitConverter.ToString(md5.Hash).Replace("-", string.Empty).ToLowerInvariant();
inputBuffer.AddRange(Encoding.UTF8.GetBytes(hexHash));

Try it online

PS On the off chance that you're using .NET Core or .NET 5, Microsoft recommend against using SecureString for new development. Source

PPS If you're in control of both ends of this transaction (creating and verifying the hash), I'd suggest changing how you handle the username and password part, as the following will result in the same hash in the first step:

Username: bob     Password: bythechickenshed
Username: bobby   Password: thechickenshed