Last post Dec 08, 2020 02:32 PM by Pi.Thanh
May 28, 2020 02:12 AM | Abbas Naderi
So here's my problem: In an old ASP.NET 4.5 system, we have used MembershipProvider's EncryptPassword and DecryptPassword extensively. Not for actual passwords, they are hashed. It obviously uses DecryptionKey in the machineKey section of my web.config. It's working fine. Encrypted info is stored in the DB and can be decrypted, no problems.
Now we need to read them from the DB and decrypt them in a .NET Core app. Obviously I do not have access to the ASP.NET MembershipProvider for decryption. So I thought it should be very straightforward: I have the decryptionKey (a hex string stored in our web.config), I know the algorithm is AES (again, from the machineKey section) and I should be able to decrypt them myself.
But no matter what I do, it does not work. I played with padding, IV, cipher mode, key size. Nothing works.
I even decompiled System.Web.dll and read the code for the EncryptOrDecryptData method which is responsible for this. Seems impossible to figure out what is going on.
How do you think I can replicate their decryption method? Knowing that the only thing that was mentioned in web.config was this:
machineKey decryption="AES" decryptionKey="D8E7396EEA4.........." (48 hex characters).
FYI, I can use only this in any .NET console app to decrypt the data, because I can add a reference to System.Web.dll and use the DecryptPassword method. So it means I should be able to achieve this in .NET Core as well by just having the decryption key. But how?
May 28, 2020 07:24 AM | PatriceSc
And the exact provider you are using is? Also it seems to have changed between 2.x and 4.x; you were not using https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.membershippasswordcompatibilitymode?view=netframework-4.8 ?
Also you could likely see the code at referencesource.microsoft.com or in a GitHub repo.
May 28, 2020 10:37 AM | Abbas Naderi
What do you mean by exact provider? The encryption method is AES, and the DecryptionKey is coming from the machineKey section in web.config.
That is what ASP.NET Web Forms uses for forms-based authentication, for encrypting sensitive data (tokens, ViewState). There are 2 utility methods in System.Web.Security.MembershipProvider called EncryptPassword and DecryptPassword which we have used to encrypt some important data and store it in our DB. Some was encrypted 10 years ago, with .NET 3.5. I can still decrypt it with DecryptPassword with the same DecryptionKey although we have now upgraded to .NET 4.8.
Password compatibility is not an issue here. The methods are called EncryptPassword and DecryptPassword but they just use AES to encrypt and decrypt just any text.
My problem is that the same algorithm with the same key is not returning the same result in .NET Core.
BTW, thanks for the source code suggestion but as I said, I already have it. Very complicated to understand. So I thought maybe someone with similar experience could help.
May 29, 2020 08:38 AM | Brando ZWZ
Hi Abbas Naderi,
Could you please share the detailed code for the EncryptPassword and DecryptPassword you are using now?
Dec 07, 2020 04:43 AM | Pi.Thanh
Hi Abbas Naderi,
Have you resolved this issue? I have the same issue as you :(
Dec 07, 2020 08:53 AM | PatriceSc
I would likely start by encrypting "Hello world" or whatever to see what I get and would try to reimplement decryption outside of ASP.NET membership using referencesource.microsoft.com as a guide (from a quick look they seem to use a random IV which is stored at the beginning of the encrypted value).
Once done it should be easy to port that to ASP.NET Core.
Dec 08, 2020 02:32 PM | Pi.Thanh
After a day of researching at https://referencesource.microsoft.com/ , I could encrypt / decrypt the password without having to use membership.
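An added example, not code from the thread or from System.Web, of the approach PatriceSc describes and Pi.Thanh reports getting to work, written for a .NET Core console app: AES decryption with the machineKey decryptionKey, treating the random block at the front of the value as what makes the IV. That the CBC IV passed to AES is all zeros, that the random prefix is as long as the key (24 bytes for a 48-hex-character key), and that the stored values are base64 are my assumptions; FindPrefixLength is the known-sample check for confirming the prefix length before relying on it.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

public static class LegacyMembershipDecrypt
{
    // decryptionKey from <machineKey> is hex; 48 characters = 24 bytes = AES-192.
    public static byte[] HexToBytes(string hex) =>
        Enumerable.Range(0, hex.Length / 2)
                  .Select(i => Convert.ToByte(hex.Substring(i * 2, 2), 16))
                  .ToArray();

    // AES-CBC/PKCS7 with an all-zero IV. Assumption: the legacy System.Web path
    // keeps the IV at zero and writes a random block in front of the plaintext
    // instead; a random first block encrypted under a fixed IV is equivalent to
    // a random IV, which matches the layout PatriceSc saw in the source.
    // The prefix is left in place so the caller can inspect or measure it.
    public static byte[] DecryptRaw(byte[] key, byte[] blob)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.IV = new byte[aes.BlockSize / 8];
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        using var decryptor = aes.CreateDecryptor();
        return decryptor.TransformFinalBlock(blob, 0, blob.Length);
    }

    // Assumptions: the random prefix is as long as the key (24 bytes here),
    // and the EncryptPassword output was stored as base64.
    public static byte[] Decrypt(string keyHex, string base64Blob, int prefixLength)
    {
        byte[] plain = DecryptRaw(HexToBytes(keyHex), Convert.FromBase64String(base64Blob));
        if (plain.Length < prefixLength)
            throw new CryptographicException("Value is shorter than the expected random prefix.");
        return plain.Skip(prefixLength).ToArray();
    }

    // The check PatriceSc proposes: encrypt a known string with the old app,
    // decrypt it raw here and locate the known bytes. The offset found is the
    // prefixLength to pass to Decrypt; -1 means key, mode or padding is wrong.
    public static int FindPrefixLength(byte[] rawPlain, byte[] known)
    {
        for (int offset = 0; offset + known.Length <= rawPlain.Length; offset++)
            if (rawPlain.Skip(offset).Take(known.Length).SequenceEqual(known))
                return offset;
        return -1;
    }
}
```

The returned bytes still carry whatever text encoding the original application used before calling EncryptPassword, so decode them with that same encoding.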