I'm trying to write password hashing code and encountered a problem with hashing methods, then created this test code to see what exactly is happening.
The method first generates a password salt and hash as byte arrays using HMACSHA512, then converts both values to strings, then converts them back to byte arrays.
string password = "xxx";
byte[] pswSalt;
byte[] pswHash;
using (HMACSHA512 hmac = new HMACSHA512())
{
pswSalt = hmac.Key;
pswHash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
}
var saltAsString = Encoding.UTF8.GetString(pswSalt);
var hashAsString = Encoding.UTF8.GetString(pswHash);
var pswSaltFromString = Encoding.UTF8.GetBytes(saltAsString);
var pswHashFromString = Encoding.UTF8.GetBytes(hashAsString);
To my surprise, the final byte arrays are different than the original ones. Why is that? And how do I correct this?
Arbitrary byte sequences cannot be converted to Unicode and back. Some byte sequences are not valid as Unicode, and some may be normalised to different sequences.
Base64 can be used if it is really necessary to use strings to represent bytes.
Note that you can store byte arrays in a database, so you don't need a string for that purpose, e.g., in MySQL you might use the
VARBINARYdatabase type.