InCorrect output using Rfc2898DeriveBytes for password hashing

Question

InCorrect output using Rfc2898DeriveBytes for password hashing

1.7k Views Asked by Deeptechtons At 04 April 2025 at 14:05

I am certainly sure i am doing something wrong here. Using .net implementation of the algorithm i hash the password to store in database along with the salt used to hash. On validating the same password with the existing hash does not match.Here is my code

New Entry

byte[] SALT = GetRandomKey();
string password = Convert.ToBase64String((new Rfc2898DeriveBytes(txtPassword.Text, SALT)).GetBytes(20));
Session["test"] = password;
Session["salt"] = Convert.ToBase64String(SALT);

Validating

string HASHEDPASSWORD = Session["test"];
string SALT = Session["salt"];
string ouput = Convert.ToBase64String((new Rfc2898DeriveBytes(password, Encoding.Unicode.GetBytes(SALT))).GetBytes(20));
ltrResult.Text = HASHEDPASSWORD.Equals(ouput) ? "EQUAL" : "NOT EQUAL";

Get RandomKey method

byte[] GetRandomKey()
    {
        byte[] secretkey = new Byte[64];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(secretkey);
        return secretkey;
    }

Original Q&A

There are 3 best solutions below

Rich O'Kelly On 15 November 2011 at 10:23

You use Convert.ToBase64String when adding items, and Encoding.Unicode.GetBytes when retrieving it...

Use Encoding.Unicode.GetString when adding a new entry and your code should work, eg:

private static string GetString(byte[] bytes)
{
    return Encoding.Unicode.GetString(bytes);
}

private static byte[] GetBytes(string value)
{
    return Encoding.Unicode.GetBytes(value);
}

Adding

byte[] salt = GetRandomKey();
byte[] hash = new Rfc2898DeriveBytes(txtPassword.Text, salt)).GetBytes(20);
Session["test"] = GetString(hash);
Session["salt"] = GetString(salt);

Checking

byte[] hash = GetBytes(Session["test"]);
byte[] salt = GetBytes(Session["salt"]);
byte[] output = new Rfc2898DeriveBytes(password, salt).GetBytes(20);
ltrResult.Text = GetString(hash).Equals(GetString(output)) ? "EQUAL" : "NOT EQUAL";

Darin Dimitrov On 15 November 2011 at 10:29

You could store the salt as array of bytes in the session so that you don't get any differences of encoding when converting between strings and bytes:

byte[] SALT = GetRandomKey();
string password = Convert.ToBase64String((new Rfc2898DeriveBytes(txtPassword.Text, SALT)).GetBytes(20));
Session["test"] = password;
Session["salt"] = SALT;

and then to verify that a given password matches the hash you repeat the same procedure:

string HASHEDPASSWORD = Session["test"];
byte[] SALT = Session["salt"] as byte[];
string ouput = Convert.ToBase64String((new Rfc2898DeriveBytes(password, SALT)).GetBytes(20));
ltrResult.Text = HASHEDPASSWORD.Equals(ouput) ? "EQUAL" : "NOT EQUAL";

**Peter O.** · Accepted Answer

Peter O. On 15 November 2011 at 10:25 BEST ANSWER

Or Convert.FromBase64String instead of Encoding.Unicode.GetBytes.

InCorrect output using Rfc2898DeriveBytes for password hashing

New Entry

Validating

Get RandomKey method

There are 3 best solutions below

Related Questions in C#

Related Questions in .NET

Related Questions in HASH

Related Questions in CRYPTOGRAPHY

Related Questions in SYMMETRIC-KEY

Trending Questions

Popular # Hahtags

Popular Questions