I need to encrypt credentials in order to connect to a remote server. From the documentation I found, that the password needs to be hashed like shown below.
MD5(session + MD5(username+ password))
However I wasn't able to get the same hashed password from C#, as sent from the WebClient to the server.
I tried several combination, none of those gave me the same result. Here is my last approach.
string EncryptPassword(string UserName, string Password, string SessionId)
{
// Password is MD5(sessionId + MD5(login + password))
// Source: https://www.godo.dev/tutorials/csharp-md5/
using (MD5 md5 = MD5.Create())
{
string credentials = $"{UserName}{Password}";
// Hash credentials first
md5.ComputeHash(Encoding.UTF8.GetBytes(credentials));
var inputBuffer = Encoding.UTF8.GetBytes(SessionId).ToList();
inputBuffer.AddRange(md5.Hash);
//var inputBuffer = Encoding.UTF8.GetBytes(SessionId + credentialBuilder.ToString());
md5.ComputeHash(inputBuffer.ToArray());
//md5.TransformBlock(inputBuffer, 0, inputBuffer.Length, inputBuffer, 0);
//md5.TransformFinalBlock(new byte[0], 0, 0);
// Get hash result after compute it
byte[] hashedCredentials = md5
.Hash;
StringBuilder strBuilder = new StringBuilder();
for (int i = 0; i < hashedCredentials.Length; i++)
{
//change it into 2 hexadecimal digits
//for each byte
strBuilder.Append(hashedCredentials[i].ToString("x2"));
}
return strBuilder.ToString();
}
}
I tried with following test credentials: username:
login: TestUser
password: TestPassword
session: uu2cO7b7drhxHKItfRpcJ4#qk@230#$R
Valid result: 4dfb147da0d2338cb57e05d1b4b21d07
<= this is how it should like with the infos above.
My result: eb55ef7e70c160ad2dd8fe831a1cf708
Your result requires you to use the textual (hexadecimal) hash result of UserNamePassword, whereas you're using the byte result.
If you replace:
inputBuffer.AddRange(md5.Hash);
with:
string hexHash = BitConverter.ToString(md5.Hash).Replace("-", string.Empty).ToLowerInvariant();
inputBuffer.AddRange(Encoding.UTF8.GetBytes(hexHash));
PS On the off chance that you're using .NET Core or .NET 5, Microsoft recommend against using SecureString
for new development. Source
PPS If you're in control of both ends of this transaction (creating and verifying the hash), I'd suggest changing how you handle the username and password part, as the following will result in the same hash in the first step:
Username: bob Password: bythechickenshed
Username: bobby Password: thechickenshed
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.