ASP.NET Identity - Verify Password Without Framework

0
votes

Background

I am using the

Microsoft.AspNet.Identity;

framework in an MVC website. I implement all the standard features like password retrieval, email confirmations etc. in the site.

My Problem

I want to create a very basic App in Xamarin c#, but I want it to use the database that I have set up with my website, and that - of course - includes verifying passwords.

By my thoughts it should go something like this:

  1. User enters login details on phone.
  2. Phone hashes password and consumes WCF service which takes hash string as input
  3. Returns bool. Depending on hash verification.

I can not use

Microsoft.AspNet.Identity;

on my Xamarin App.

Question

How do I recreate the hash that Asp.Identity uses so I can verify the passwords?

If the case is that I have to consume the WCF with the raw password (Is this safe?) and do the hashing on the service itself - will I be able to use Identity framework? If not then I still have the problem of creating / verifying the hash.

Also if I am way off base with my understanding of these hash functions please feel free to educate me :)

Extra Info

The hash functions I have tried give completely different hashes to that of the Identity framework - and in my testing I have found that creating users with exactly the same passwords gives different hashes. (Due to the salt used?)

1
c#asp.net-mvchashasp.net-identitymd5

1 Answers

1
votes

Okay I have found a solution

Posting for the sake of people with similar problems

Referring to this answer by zespri. Upvoted by the way.

I have decided to consume the WCF with the raw password and username and simply use the function to verify that the answer stated above provides.

EDIT

Just to clarify it is this bit of code (Taken from the above link), that I use to verify the password:

public static bool VerifyHashedPassword(string hashedPassword, string password)
{
byte[] buffer4;
if (hashedPassword == null)
{
    return false;
}
if (password == null)
{
    throw new ArgumentNullException("password");
}
byte[] src = Convert.FromBase64String(hashedPassword);
if ((src.Length != 0x31) || (src[0] != 0))
{
    return false;
}
byte[] dst = new byte[0x10];
Buffer.BlockCopy(src, 1, dst, 0, 0x10);
byte[] buffer3 = new byte[0x20];
Buffer.BlockCopy(src, 0x11, buffer3, 0, 0x20);
using (Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(password, dst, 0x3e8))
{
    buffer4 = bytes.GetBytes(0x20);
}
return ByteArraysEqual(buffer3, buffer4);
}