
Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

Last post 09-30-2006 7:06 AM by chat_ranjan. 6 replies.


  • Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    11-23-2005, 9:30 AM
    • joecool
    • Joined on 11-23-2005, 1:49 PM
    • Posts 2
    • Points 10
    Okay, so this might get a little long but any help on this one would be much appreciated!

    Our current web app uses the Framework 1.1 and the following code to hash our passwords for authentication.

    using System.Security.Cryptography;
    using System.Text;

    public static string HashPassword(Guid salt, string password)
    {
        SHA1 hash = SHA1.Create();
        ASCIIEncoding encoder = new ASCIIEncoding();
        // salt + password is Guid.ToString() followed by the password, ASCII-encoded
        byte[] combined = encoder.GetBytes(salt + password);
        hash.ComputeHash(combined);
        // the 20 digest bytes are turned into a string with the same ASCIIEncoding
        return encoder.GetString(hash.Hash);
    }

    I have since converted our app to the Framework 2.0 without touching any of the above code.  However, I cannot log in!  It seems that the computed hash is different in 2.0 than in 1.1.  After doing some research I have found articles talking about setting up the <machineKey></machineKey> config in a web.config, but of course our 1.1 app used the default of "AutoGenerate"... although I am still confused on this one; we used this configuration on our dev boxes and on production... so if the validationKey needed to be the same on all boxes, why did it not break in 1.1 between boxes?

    Here are the two results of hashing the word "dog" in the different frameworks.  Displayed are the first few char values.
    SHA1 hash of "dog" in 1.1: 100 21 18 82 79 71 52 * * * * * * * * * * * * *
    SHA1 hash of "dog" in 2.0: 63 63 18 82 79 71 63 * * * * * * * * * * * * *

    So what I'm thinking is 1 of 3 things:
       1.  The "AutoGenerate" is calculated differently in 1.1 than in 2.0 and I'm going to have to build a 1.1 authentication service to authenticate users on our converted 2.0 app.
       2.  There is some way for me to get the auto-generated validation key out of the 1.1 app, put it into the web.config of the 2.0 app and go on living a happy, fulfilled life.
       3.  The <machineKey> has nothing to do with this issue; it's something else completely.
       4.  (Yeah, I know I said "1 of 3") I'm dumb, have no idea what I'm talking about and should go live in the woods where a person like myself would feel more "comfortable".

    *wishing for #2*

    Anyways,  has anyone else run into this issue, or got a great idea for me?

    Thanks,
    Joe

    P.S. I know I can't spell ;)
  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    11-23-2005, 5:26 PM
    • Xanderno
    • Joined on 06-17-2002, 3:24 PM
    • Plano, TX
    • Posts 1,181
    • Points 5,962

    Well, you can rest easy about the machine key, because the machine key has nothing to do with it.  Any SHA-1 implementation on any system anywhere should compute the same hash for the same input. 

    My first question is, are you sure that the salt is the same in both instances?  That would be my first suspect. 

    If it is, then it has to be in the encoding.  For future reference, the standard encodings for ciphertext are Base64 and hex strings.  You're going to run into a world of trouble sooner or later with ASCII or UTF-8 encodings (for example) because they don't necessarily translate to a literal copy of the bytes that make up the ciphertext.  This is the other suspect that I'd immediately have as the cause of the different hash values.  Though the hash may be the same, it might be encoded differently.

  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    11-26-2005, 8:15 PM
    • amrinders87
    • Joined on 06-08-2005, 9:48 PM
    • CA
    • Posts 151
    • Points 732
    I always use this to hash:

    using System.Web.Security;

    string strHash = FormsAuthentication.HashPasswordForStoringInConfigFile(stringToHash, "sha1");

    Try that. It works for me in both 1.1 and 2.0, and it's a lot less code than what you have.
  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    11-28-2005, 3:13 PM
    • joecool
    • Joined on 11-23-2005, 1:49 PM
    • Posts 2
    • Points 10

    So a couple of hair-pulling days have gone by, but I have a workaround!

    Thanks to Xanderno & Amrinder for your posts and to everyone else I've bugged about this.

    Jon posted some information about ASCIIEncoding that led to my epiphany.  This information is probably posted elsewhere on the net, but I found Jon's article first so I'm giving him the credit.

    It seems that ASCIIEncoding in the 1.1 Framework was implemented in a "special" way.  The American Standard Code for Information Interchange contains 33 non-printing control characters and 95 printable characters, in other words 128 chars ranging in value from 0-127, or for you hex buffs 0x00-0x7F.  No more, no less.  Anything greater than 0x7F is outside the standard.  The Framework 2.0 stance on ASCII-encoding a value above 0x7F is to replace the non-standard value with 0x3F (63 ~ "question mark")... okay, neato.  The Framework 1.1 (probably 1.0 as well) stance on ASCII-encoding a value above 0x7F is to drop the most significant bit, the 8th bit.

    "This means, for instance, that Unicode character 0xb5 ("micro sign") after encoding and decoding would become Unicode 0x35 ("digit five"), rather than some character showing that it was the result of encoding a character not contained within ASCII."

    Awesome!!!!

    So, all I had to do was to get the Framework 2.0 to work/act like the Framework 1.1 when it came to my specific case of ASCIIEncoding.  Just a simple case of some bit masking and I'm "good to go".

    For those of you who haven't done this before... here it is:

    using System.Security.Cryptography;
    using System.Text;

    public static string HashPassword(Guid salt, string password)
    {
        SHA1 hash = SHA1.Create();
        ASCIIEncoding encoder = new ASCIIEncoding();
        // same input bytes as the 1.1 code: Guid.ToString() + password, ASCII-encoded
        byte[] combined = encoder.GetBytes(salt + password);
        hash.ComputeHash(combined);
        // clear the 8th bit of every digest byte up front, so that 2.0's
        // ASCIIEncoding.GetString produces exactly what 1.1's did when it
        // silently dropped that bit
        byte[] fixedByteArray = new byte[hash.Hash.Length];
        for (int i = 0; i < hash.Hash.Length; i++)
        {
            fixedByteArray[i] = (byte)(hash.Hash[i] & 0x7F);
        }
        return encoder.GetString(fixedByteArray);
    }

    Thats it folks!
    Hope this helps anyone who might find themselves in the same/similar position.  I know I won't be doing this again!

    ~Joe
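
Added example (editor's Python, not code from this thread): it reconstructs the two ASCIIEncoding.GetString behaviours Joe describes, 1.1 masking each digest byte to 7 bits and 2.0 replacing every byte above 0x7F with '?', next to the hex and Base64 forms Xanderno recommends. It assumes Joe's "dog" figures were produced with an empty salt string, and takes the salt as the Guid's string form, which is what C#'s salt + password concatenation yields.

```python
import base64
import hashlib

# Added example, not code from the thread. Emulates how .NET 1.1 and 2.0
# ASCIIEncoding.GetString() turned SHA-1 digest bytes into a string, and
# contrasts that with the lossless text encodings (hex, Base64).


def sha1_digest(salt: str, password: str) -> bytes:
    """Raw 20-byte SHA-1 of salt + password, ASCII-encoded as in Joe's code.

    Assumption: `salt` is already the string form of the Guid, which is what
    C#'s `salt + password` produces through Guid.ToString().
    """
    return hashlib.sha1((salt + password).encode("ascii")).digest()


def ascii_decode_net11(data: bytes) -> str:
    """Framework 1.1 behaviour: the 8th bit of every byte is silently dropped."""
    return "".join(chr(b & 0x7F) for b in data)


def ascii_decode_net20(data: bytes) -> str:
    """Framework 2.0 behaviour: any byte above 0x7F becomes '?' (0x3F)."""
    return "".join(chr(b) if b < 0x80 else "?" for b in data)


def legacy_hash_net11(salt: str, password: str) -> str:
    """What the original HashPassword() returned on 1.1, i.e. what the DB holds."""
    return ascii_decode_net11(sha1_digest(salt, password))


def legacy_hash_net20(salt: str, password: str) -> str:
    """What the unchanged HashPassword() returns on 2.0, hence the failed logins."""
    return ascii_decode_net20(sha1_digest(salt, password))


def hash_hex(salt: str, password: str) -> str:
    """Lossless text form: 40 hex characters, no control or quote characters."""
    return sha1_digest(salt, password).hex()


def hash_base64(salt: str, password: str) -> str:
    """Lossless text form: 28 Base64 characters."""
    return base64.b64encode(sha1_digest(salt, password)).decode("ascii")


def char_values(s: str, n: int = 7) -> list:
    """The 'first few char values' in the form Joe printed them."""
    return [ord(c) for c in s[:n]]


def bytes_collapsed_net11(data: bytes) -> int:
    """Digest bytes that lost information under the 1.1 decoding (high bit set)."""
    return sum(1 for b in data if b >= 0x80)


if __name__ == "__main__":
    digest = sha1_digest("", "dog")
    print("1.1 chars:", char_values(legacy_hash_net11("", "dog")))
    print("2.0 chars:", char_values(legacy_hash_net20("", "dog")))
    print("hex:      ", hash_hex("", "dog"))
    print("base64:   ", hash_base64("", "dog"))
    print("bytes with the high bit set:", bytes_collapsed_net11(digest), "of", len(digest))
```

Masking keeps only 140 of the digest's 160 bits and puts control characters, quotes and any other ASCII character into the stored string; hex or Base64 keep every bit, round-trip exactly, and contain nothing that needs escaping. Moving to one of those formats does mean re-hashing each user at their next successful login, since the original digest cannot be recovered from a masked string.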

  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    09-15-2006, 9:09 PM
    • xgene
    • Joined on 09-16-2006, 1:08 AM
    • Posts 20
    • Points 17

    I just ran into the same problem. Thanks for the save!

  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    09-29-2006, 8:55 PM
    • AdamSelene
    • Joined on 09-30-2006, 12:51 AM
    • Posts 1
    • Points 5
    HashPasswordForStoringInConfigFile uses Encoding.UTF8.GetBytes.
    System.Web.Configuration.MachineKeySection.HashAndBase64EncodeString (marked internal) uses Encoding.Unicode.GetBytes.
    Go figure. 
     
    public static string HashPasswordForStoringInConfigFile(string password, string passwordFormat)
    {
        HashAlgorithm algorithm1;
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }
        if (passwordFormat == null)
        {
            throw new ArgumentNullException("passwordFormat");
        }
        if (StringUtil.EqualsIgnoreCase(passwordFormat, "sha1"))
        {
            algorithm1 = SHA1.Create();
        }
        else
        {
            if (!StringUtil.EqualsIgnoreCase(passwordFormat, "md5"))
            {
                throw new ArgumentException(SR.GetString("InvalidArgumentValue", new object[] { "passwordFormat" }));
            }
            algorithm1 = MD5.Create();
        }
        return MachineKeySection.ByteArrayToHexString(algorithm1.ComputeHash(Encoding.UTF8.GetBytes(password)), 0);
    }
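
The input-side half of that difference, as an added example (editor's Python, not the thread's code): a re-implementation of HashPasswordForStoringInConfigFile as the reflected method reads, a SHA-1 or MD5 digest over the UTF-8 bytes with hex output, beside a variant that encodes the input the way Encoding.Unicode (UTF-16LE) does, as the internal HashAndBase64EncodeString is said to. Upper-case hex output is an assumption here, so results are compared case-insensitively.

```python
import hashlib

# Added example, not code from the thread. Mirrors the reflected
# HashPasswordForStoringInConfigFile (digest over UTF-8 bytes, hex output)
# and shows what changes when the same password is encoded as UTF-16LE
# (.NET's Encoding.Unicode) before hashing.


def digest_bytes(data: bytes, password_format: str) -> bytes:
    """Pick the algorithm the same way the .NET method does (case-insensitive)."""
    fmt = password_format.lower()
    if fmt == "sha1":
        return hashlib.sha1(data).digest()
    if fmt == "md5":
        return hashlib.md5(data).digest()
    raise ValueError("passwordFormat must be 'sha1' or 'md5'")


def hash_for_config_file(password: str, password_format: str = "sha1") -> str:
    """UTF-8 input, hex output. Upper-case hex is an assumption of this example."""
    if password is None:
        raise TypeError("password")
    return digest_bytes(password.encode("utf-8"), password_format).hex().upper()


def hash_unicode_input(password: str, password_format: str = "sha1") -> str:
    """Same digest, but over the UTF-16LE bytes that Encoding.Unicode produces."""
    return digest_bytes(password.encode("utf-16-le"), password_format).hex().upper()


def encodings_agree(password: str) -> bool:
    """True when UTF-8 and UTF-16LE input give the same hash (only for the empty string here)."""
    return hash_for_config_file(password) == hash_unicode_input(password)


def utf8_matches_ascii(password: str) -> bool:
    """For ASCII-only passwords UTF-8 and ASCIIEncoding produce identical input bytes,
    so a UTF-8-based hash reproduces an ASCII-based one; any non-ASCII character breaks that."""
    try:
        return password.encode("ascii") == password.encode("utf-8")
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    for pw in ("password", "dog", "\u00b5"):
        print(repr(pw), hash_for_config_file(pw), hash_unicode_input(pw),
              "ascii-compatible" if utf8_matches_ascii(pw) else "non-ascii")
```

The practical reading for a migration: whichever byte encoding produced the stored hashes is the one the new code must keep using; switching between UTF-8, UTF-16 and ASCII input silently invalidates every stored value, and for ASCII-only data the first and third coincide while the second never does.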
  • Re: Using SHA1 to hash passwords in 1.1 not playing nice in 2.0

    09-30-2006, 7:06 AM
    • chat_ranjan
    • Joined on 09-30-2006, 2:16 AM
    • Posts 4
    • Points 20

    I am using 1.1 and used the same syntax that you have used, but I am getting an error while trying to insert the password into the database. Some passwords are inserted, such as "ranjan" or "iaza1234", but when I try to insert others I get the error "Syntax error ' 5r6d4g2d58e6s5d2x6s' ".

    Please help me.
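
An added example (editor's Python with sqlite3, not chat_ranjan's code) of one way a 1.1-style hash string can produce a syntax error on insert. It assumes the failing INSERT is built by string concatenation, which the post does not show: every digest byte is masked to 7 bits, so the stored string can contain any ASCII character, including the quote that terminates a SQL string literal. The user names and candidate passwords are constructed here.

```python
import hashlib
import sqlite3

# Added example, not from the thread. Assumes the INSERT concatenates the hash
# text into the SQL statement; shows the failure and the parameterized fix.


def legacy_stored_hash(password: str) -> str:
    """1.1-style string form of SHA-1(password): every byte masked to 7 bits."""
    digest = hashlib.sha1(password.encode("ascii")).digest()
    return "".join(chr(b & 0x7F) for b in digest)


def find_quote_bearing_password(prefix: str = "user", limit: int = 5000) -> str:
    """First constructed password whose stored hash holds exactly one quote and no NUL."""
    for i in range(limit):
        candidate = f"{prefix}{i}"
        stored = legacy_stored_hash(candidate)
        if stored.count("'") == 1 and "\x00" not in stored:
            return candidate
    raise RuntimeError("no candidate found within limit")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, name: str, stored: str) -> bool:
    """The fragile pattern: the hash text becomes part of the SQL statement."""
    sql = f"INSERT INTO users (name, pwhash) VALUES ('{name}', '{stored}')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:  # a lone quote leaves an unterminated literal: syntax error
        return False


def insert_parameterized(conn: sqlite3.Connection, name: str, stored: str) -> bool:
    """The robust pattern: the hash travels as a bound parameter, never as SQL text."""
    conn.execute("INSERT INTO users (name, pwhash) VALUES (?, ?)", (name, stored))
    return True


def stored_hash_for(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT pwhash FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run all four cases against a fresh in-memory database."""
    conn = new_db()
    password = find_quote_bearing_password()
    stored = legacy_stored_hash(password)
    hex_form = hashlib.sha1(password.encode("ascii")).hexdigest()
    return {
        "password": password,
        "concat_raw_ok": insert_concatenated(conn, "alice", stored),
        "param_raw_ok": insert_parameterized(conn, "alice", stored),
        "roundtrip_ok": stored_hash_for(conn, "alice") == stored,
        "concat_hex_ok": insert_concatenated(conn, "bob", hex_form),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Hex-encoding the digest makes the concatenated statement parse again, but only because the hex alphabet happens to contain nothing SQL treats specially; binding the value as a parameter is what actually removes the dependency between stored data and SQL syntax, and it also handles the password itself wherever that is interpolated.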
