Solved

Using SHA1CryptoServiceProvider in ASP.NET using Visual Basic

Posted on 2008-11-03
Last Modified: 2008-11-05
I have a client that is planning to send me information in a Hashed format.

My question is how do I interpret this information and change it into relevant information at my end.
Attached is the Code that they are using to create the Hash code.

Basically I need to extract the EmployeeID and Email address at my end.

Help!
private string ConstructUrl (int employeeId, string email) 
{
  string url = null;
  string dataToHash = employeeId.ToString() + email;
  byte [] byteData = Encoding.UTF8.GetBytes (dataToHash);
  
  SHA1 s = new SHA1CryptoServiceProvider ();
  
  byte [] hashedResult = s.ComputeHash (byteData);
  
  StringBuilder hashedData = new StringBuilder();
  
  foreach (byte b in hashedResult)
  {
    hashedData.Append(b);
  }
  
  StringBuilder urlBuilder = new StringBuilder ();
 
  urlBuilder.Append ("http://www.xxxxxx.com/rhubarb.aspx?");
  urlBuilder.AppendFormat ("h={0}", hashedData.ToString());
  urlBuilder.AppendFormat ("&id={0}", employeeId.ToString());
  urlBuilder.AppendFormat ("&email={0}", email);
  
  url = urlBuilder.ToString();
  return url;
}

Question by:lawso
5 Comments
 
LVL 7

Expert Comment

by:moseack
ID: 22874073
Hashed data in general, and SHA1 in particular, are irreversible, and are used only for validation.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
It seems like they are sending you the data in plain text, and the hashed value only for validation (pay attention to the first two lines and the last three)


int employeeId = int.Parse(Request["id"]);
string email = Request["email"];

// Copy & Paste from sending code
string url = null;
string dataToHash = employeeId.ToString() + email;
byte [] byteData = Encoding.UTF8.GetBytes (dataToHash);
 
SHA1 s = new SHA1CryptoServiceProvider ();
 
byte [] hashedResult = s.ComputeHash (byteData);
 
StringBuilder hashedData = new StringBuilder();
 
foreach (byte b in hashedResult)
{
	hashedData.Append(b);
}
// End Copy & Paste
 
 
string sentHash = Request["h"];
if (sentHash != hashedData.ToString())
	throw new Exception("Forgery!!!!");

 

Author Comment

by:lawso
ID: 22881501
Thanks moseack.
I suppose my question is then how do I extract the email and id, which is the part that I need.
Sorry, new to this type of security.
 
LVL 7

Accepted Solution

by:
moseack earned 2000 total points
ID: 22883522
In the first two lines of the code I posted, the email is in the "email" variable, and the employee ID in the "employeeId" variable.

The middle part calculates the hash on your side.

The last three lines will throw an exception if the Hashes don't match.

 

Author Comment

by:lawso
ID: 22883582
Ahh I see...
So if I capture the request variables, the Hash is just a check?
Don't suppose you know how to translate your code to VB?
 
LVL 7

Expert Comment

by:moseack
ID: 22884492

Dim employeeId = Int32.Parse(Request("id"))
Dim email = Request("email")
 
' Copy & Paste from sending code
Dim dataToHash = employeeId.ToString() + email
Dim byteData As Byte() = Encoding.UTF8.GetBytes(dataToHash)
 
Dim s = New SHA1CryptoServiceProvider()
Dim hashedResult = s.ComputeHash(byteData)
Dim hashedData = New StringBuilder()
 
For Each b In hashedResult
	hashedData.Append(b)
Next
' End Copy & Paste
 
Dim sentHash = Request("h")
If sentHash <> hashedData.ToString() Then Throw New Exception("Forgery!!!!")

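Added example, not part of the thread or the client's code: the receiving-side check from the answers above in C#, next to a keyed variant. The SHA-1 value has no secret input, so a matching h shows only that h, id and email are consistent with each other; the class and method names, the HMAC key, the "|" separator and all sample values are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class LinkCheck   // hypothetical helper, not from the thread
{
    // Sender's format from the question: SHA-1 over id + email, each hash
    // byte appended as a decimal number with no separator or padding.
    public static string SenderHash(int employeeId, string email)
    {
        using (SHA1 sha = SHA1.Create())
        {
            var sb = new StringBuilder();
            foreach (byte b in sha.ComputeHash(Encoding.UTF8.GetBytes(employeeId.ToString() + email)))
                sb.Append(b);
            return sb.ToString();
        }
    }

    // Keyed variant (assumption: sender and receiver share a secret key).
    // The id never contains "|", so the first "|" marks where the email starts.
    public static string KeyedTag(byte[] key, int employeeId, string email)
    {
        using (var mac = new HMACSHA256(key))
        {
            byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(employeeId + "|" + email));
            return BitConverter.ToString(tag).Replace("-", "");
        }
    }

    // Compares without stopping at the first differing character.
    public static bool SameTag(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");  // sample value
        // Both pairs concatenate to "12a@example.com", so the unkeyed hashes match.
        Console.WriteLine(SameTag(SenderHash(12, "a@example.com"), SenderHash(1, "2a@example.com")));
        // With the separator and the key, the two pairs get different tags.
        Console.WriteLine(SameTag(KeyedTag(key, 12, "a@example.com"), KeyedTag(key, 1, "2a@example.com")));
        // Receiver: recompute from the received id and email, compare with the received h.
        string receivedH = SenderHash(12, "a@example.com");   // stands in for Request["h"]
        Console.WriteLine(SameTag(receivedH, SenderHash(12, "a@example.com")));
    }
}
```

Switching to the keyed variant only works if the sending side changes its code to match, since both ends must build the same input string and use the same key.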
