I have a .net application which uses asp.net identity 2 in order to authenticate users. The users log in using username/password and upon successful login an access token (JWT) and a refresh token are produced.

The default implementation of asp.net 2 for hashing the passwords can be found here. It uses a key derivation function with random salt to produce the hash. The salt is included as part of the output of the kdf. Thus the final produced password hash consists of a first empty byte, then 16 bytes of the salt and then 32 bytes of the hashed password. From the above references we can see that the algorithm used is HMAC-SHA1 with 1000 iterations and the raw password of the user as key for the HMAC (see here).

I am thinking of migrating to Firebase Authentication and I want to migrate my existing users there. Based on the Firebase documentation, when migrating HMAC_SHA1 hashed passwords we must include the password hash, the salt and the HMAC key. Also, we cannot provide the number of iterations used by the SHA1 hashing algorithm (see here).

So, the question is: How can we know the key of the HMAC since it is the raw password of the user? This is the default implementation of asp.net identity 2. Since we can never know it, does this mean that we cannot migrate our users to Firebase Authentication?

Also, even if we knew the key, how could we provide the 1000 iterations of the SHA1 algorithm in the payload towards Firebase? This can be done only when the hashing algorithm is SHA1 without HMAC (see here).
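The hash layout described in the question (marker byte, 16-byte salt, 32-byte subkey, 1000 iterations of HMAC-SHA1 keyed on the password, which is PBKDF2-HMAC-SHA1) can be parsed and re-verified with the standard library. This is an added example written for this page, not code from ASP.NET Identity or Firebase; the function names are my own, the sample password and fixed salt are constructed, and the base64 values returned by migration_fields are simply the two byte ranges an import tool would need, with no claim about any particular import format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout of an ASP.NET Identity 2 password hash, as described in the question
# (this module is an illustration, not Microsoft's implementation):
#   byte 0        : format marker 0x00
#   bytes 1..16   : 16-byte random salt
#   bytes 17..48  : 32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations
FORMAT_MARKER = 0x00
SALT_LEN = 16
SUBKEY_LEN = 32
ITERATIONS = 1000


def make_identity_v2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a hash in the Identity 2 layout; salt is random unless supplied."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(bytes([FORMAT_MARKER]) + salt + subkey).decode("ascii")


def split_identity_v2_hash(stored: str) -> Tuple[bytes, bytes]:
    """Return (salt, subkey); reject anything that does not have the expected shape."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != FORMAT_MARKER:
        raise ValueError("not an ASP.NET Identity 2 password hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_identity_v2_hash(password: str, stored: str) -> bool:
    """Re-run the KDF with the embedded salt and compare in constant time."""
    salt, subkey = split_identity_v2_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return hmac.compare_digest(candidate, subkey)


def migration_fields(stored: str) -> Tuple[str, str]:
    """(salt_b64, subkey_b64): the two values a migration record carries separately."""
    salt, subkey = split_identity_v2_hash(stored)
    return base64.b64encode(salt).decode("ascii"), base64.b64encode(subkey).decode("ascii")


if __name__ == "__main__":
    # constructed sample with a fixed salt so the output is reproducible
    sample = make_identity_v2_hash("correct horse battery staple", salt=bytes(range(16)))
    print(sample, verify_identity_v2_hash("correct horse battery staple", sample))
```

Because the salt travels inside the base64 string, splitting it out this way is all that is needed to hand salt and subkey over separately; the password itself is never recoverable from the record.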

1 Answer

I can help on the firebase part of the question. The SDK does not seem to provide all the functionality supported by the Firebase CLI.

If you take a look here:

https://firebase.google.com/docs/cli/auth

firebase auth:import ACCOUNT_FILE    \
  --hash-algo=HASH_ALGORITHM         \
  --hash-key=KEY                     \
  --salt-separator=SALT_SEPARATOR    \
  --rounds=ROUNDS                    \
  --hash-input-order=HASH_INPUT_ORDER

I think you can define everything you need. For hash-algo you need to use HMAC_SHA1. For hash-key you need to use the key used to hash the passwords, in base64 format. For rounds use 1000, for the iterations you specified. For hash-input-order you need to use SALT_FIRST.

Now for where you can get the key, maybe someone else can chip in.