
Password validation fails in login script for ASP.NET Identity custom database

password
custom-database
validate
password-hash


Hi,

Hopefully somebody can help me because I’m stuck validating passwords from an ASP.NET Identity custom database from which I need to migrate the accounts. For the login script I used the “ASP.NET Membership Provider (MVC4 – Simple Membership)” template (https://auth0.com/docs/connections/database/custom-db/templates/login#asp-net-membership-provider-mvc4-simple-membership-) because it uses the crypto.pbkdf2 function which is the correct hashing algorithm for ASP.NET Identity.

The validatePassword function in the template looks like this:

var crypto = require('crypto');
// fixedTimeComparison: the template's constant-time string comparison helper (not shown in the post)

function validatePassword(password, originalHash, callback) {
  // ASP.NET Identity v2 layout: 0x00 | 16-byte salt | 32-byte subkey, PBKDF2-HMAC-SHA1, 1000 iterations
  var iterations = 1000;
  var hashBytes = Buffer.from(originalHash, 'base64');
  // Keep the salt as a Buffer: current Node versions re-encode a string salt as UTF-8,
  // which corrupts every salt byte >= 0x80 and produces a different derived key
  var salt = hashBytes.slice(1, 17);
  var hash = hashBytes.slice(17, 49);
  // 'sha1' is the PRF used by Rfc2898DeriveBytes in ASP.NET Identity; newer Node versions
  // require the digest argument instead of silently defaulting to it
  crypto.pbkdf2(password, salt, iterations, hash.length, 'sha1', function(err, hashed) {
    if (err) {
      return callback(err);
    }
    // hashed is already a Buffer, so it can be base64-encoded directly
    var hashedBase64 = hashed.toString('base64');

    var isValid = fixedTimeComparison(hash.toString('base64'), hashedBase64);
    return callback(null, isValid);
  });
}

The crypto.pbkdf2 function succeeds but the fixedTimeComparison function returns false. So the created hash (variable hashed) is different from the variable hash or the fixedTimeComparison function is wrong.

I’ve tried supplying different digest values to the crypto.pbkdf2 function but that didn’t help, or I just tried the wrong ones. I also tried the crypto.timingSafeEqual proposed in post How to use pbkdf2:sha256 for password hashing in a custom database? but I get error “crypto.timingSafeEqual is not a function”.

Kind regards,

Leandros