Implement Asp.NET membership provider's decryption in .NET Core
May 28, 2020 02:12 AM | Abbas Naderi
So here's my problem: In an old ASP.NET 4.5 system, we have used MembershipProvider's EncryptPassword and DecryptPassword extensively. Not for actual passwords, they are hashed. It obviously uses DecryptionKey in the machineKey section of my web.config. It's working fine. Encrypted info is stored in the DB and can be decrypted, no problems.
Now we need to read them from the DB and decrypt them in a .NET Core app. Obviously I do not have access to ASP.NET MembershipProvider for decryption. So I thought it should be very straightforward: I have the decryption key (a hex string stored in our web.config), I know the algorithm is AES (again, from the machineKey section) and I should be able to decrypt them myself.
But no matter what I do, it does not work. I played with padding, IV, cipher mode, key size. Nothing works.
I even decompiled System.Web.dll and read the code for the EncryptOrDecryptData method, which is responsible for this. Seems impossible to figure out what is going on.
How do you think I can replicate their decryption method? Knowing that the only thing that was mentioned in web.config was this:
FYI, I can use only this in any .NET console app to decrypt the data, because I can add a reference to System.Web.dll and use DecryptPassword method. So it means I should be able to achieve this in .NET Core as well by just having the decryption key. But how?
Re: Implement Asp.NET membership provider's decryption in .NET Core
May 28, 2020 07:24 AM | PatriceSc
Hi,
And the exact provider you are using is? Also it seems to have changed between 2.x and 4.x, you were not using https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.membershippasswordcompatibilitymode?view=netframework-4.8 ?
Also you could likely see the code at referencesource.microsoft.com or in a GitHub repo.
Re: Implement Asp.NET membership provider's decryption in .NET Core
May 28, 2020 10:37 AM | Abbas Naderi
What do you mean by exact provider? The encryption method is AES, and the DecryptionKey is coming from the machineKey section in web.config.
That is what ASP.NET Web Forms uses for forms-based authentication, for encrypting sensitive data (tokens, ViewState). There are 2 utility methods in System.Web.Security.MembershipProvider called EncryptPassword and DecryptPassword which we have used to encrypt some important data and store it in our DB. Some was encrypted 10 years ago, with .NET 3.5. I can still decrypt it with DecryptPassword with the same DecryptionKey although we have now upgraded to .NET 4.8.
Password compatibility is not an issue here. The methods are called EncryptPassword and DecryptPassword but they just use AES to encrypt and decrypt just any text.
My problem is that the same algorithm with the same key is not returning the same result in .NET Core.
BTW, thanks for the source code suggestion but as I said, I already have it. Very complicated to understand. So I thought maybe someone with similar experience could help.
Re: Implement Asp.NET membership provider's decryption in .NET Core
May 29, 2020 08:38 AM | Brando ZWZ
Hi Abbas Naderi,
Could you please share the detailed code for the EncryptPassword and DecryptPassword calls you are using now?
Best Regards,
Brando
Re: Implement Asp.NET membership provider's decryption in .NET Core
Dec 07, 2020 04:43 AM | Pi.Thanh
Hi Abbas Naderi,
Have you resolved this issue? I have got the same issue as you :(
Thanks
Re: Implement Asp.NET membership provider's decryption in .NET Core
Dec 07, 2020 08:53 AM | PatriceSc
Hi,
I would likely start by encrypting "Hello world" or whatever to see what I get and would try to reimplement decryption outside of ASP.NET membership using referencesource.microsoft.com as a guide (from a quick look they seem to use a random IV which is stored at the beginning of the encrypted value).
Once done it should be easy to port that to ASP.NET Core.
Re: Implement Asp.NET membership provider's decryption in .NET Core
Dec 08, 2020 02:32 PM | Pi.Thanh
Thanks PatriceSc
After a day of researching at https://referencesource.microsoft.com/, I could encrypt / decrypt the password without having to use membership.