Bug 1530 - Different behavior in MembershipProvider.EncryptPassword(byte[]) btw. Microsoft implementation and Mono
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: System.Web
Version: 2.10.x
Hardware: All All
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
Depends on:
Reported: 2011-10-17 07:32 UTC by jakob.mayring
Modified: 2011-10-17 07:32 UTC

See Also:
Is this bug a regression?: ---
Last known good build:

Test Program (1.51 KB, application/x-gzip)
2011-10-17 07:32 UTC, jakob.mayring

Description jakob.mayring 2011-10-17 07:32:03 UTC
Created attachment 708
Test Program

In the Microsoft implementation, MembershipProvider.EncryptPassword(byte[]) always generates the same cipher for one password. Mono instead produces a different cipher for each call.

The problem is the IV property of the SymmetricAlgorithm. We think Microsoft is setting this property to a byte[] of 0's and truncates this first block from the resulting cipher (the MS result is BlockSize bytes smaller than the Mono result).

A possible solution could be setting the IV explicitly to 0's in MembershipHelper.GetAlgorithm(), truncating the IV of the cipher in MembershipHelper.EncryptPassword(byte[]) and prepending the IV to the byte[] passed to MachineKeySectionUtils.Decrypt(...) in MembershipHelper.DecryptPassword(byte[]).

We tried this with AES and compared the result to the MS implementation.

OS: Linux, Debian wheezy/sid, Mono version: 2.10.5-1 from experimental
Linux jm-mobile 3.0.0-2-amd64 #1 SMP Fri Oct 7 20:48:45 UTC 2011 x86_64 GNU/Linux
Compile: mcs /r:System,System.Web,System.Configuration Program.cs
Membership Provider results:
Test password: asdf1234)
Encrypt password: wLUY3yg9N0T8IrQ1LhvBLE2jdyq/JBqoFpsJmo/V70Bc/GTVTYOvKYxOUSuBujDo (48)
Encrypt password: OHAxP6zXEUgRyupnRuc+0doncQdbDFU23pvxsyIPp+IZkMOqbavJ3RznZ4TJ0EcG (48)

OS: Windows 7 x64, latest .NET runtime
Membership Provider results:
Test password: asdf1234)
Encrypt password: JUPZh98a/eYK5w75R3ftwIgM/219NrcHr4CpOKb5KvU= (32)
Encrypt password: JUPZh98a/eYK5w75R3ftwIgM/219NrcHr4CpOKb5KvU= (32)

This could be the reason why the MysqlMembershipProvider is not working with encrypted passwords.
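
Added example, not part of the original report and not Mono's or Microsoft's code: the two ciphertext layouts the report compares (random IV stored in front of the ciphertext versus an all-zero IV that is not stored), plus the decrypt step of the proposed fix. The key, the sample password bytes and the names IvDemo, EncryptPrependIv, EncryptZeroIv and DecryptPrependedIv are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class IvDemo
{
    const int BlockBytes = 16; // AES block size in bytes
    // Constructed demo key; a real provider derives it from <machineKey>.
    static readonly byte[] Key = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();

    static Aes NewAes(byte[] iv)
    {
        var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = Key;
        if (iv != null) aes.IV = iv; // null: keep the random IV the runtime generates
        return aes;
    }

    // Layout the report observes on Mono: output = random IV || ciphertext.
    static byte[] EncryptPrependIv(byte[] plain)
    {
        using (var aes = NewAes(null))
        {
            byte[] iv = aes.IV;
            using (var enc = aes.CreateEncryptor(aes.Key, iv))
                return iv.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        }
    }

    // Layout the report hypothesises for Microsoft: all-zero IV, IV block not stored.
    static byte[] EncryptZeroIv(byte[] plain)
    {
        using (var aes = NewAes(new byte[BlockBytes]))
        using (var enc = aes.CreateEncryptor())
            return enc.TransformFinalBlock(plain, 0, plain.Length);
    }

    // Generic decrypt that expects IV || ciphertext.
    static byte[] DecryptPrependedIv(byte[] blob)
    {
        using (var aes = NewAes(blob.Take(BlockBytes).ToArray()))
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(blob, BlockBytes, blob.Length - BlockBytes);
    }

    static void Main()
    {
        byte[] pw = Encoding.Unicode.GetBytes("constructed-sample"); // constructed input
        byte[] r1 = EncryptPrependIv(pw), r2 = EncryptPrependIv(pw);
        byte[] z1 = EncryptZeroIv(pw), z2 = EncryptZeroIv(pw);
        Console.WriteLine("random IV, outputs equal: " + r1.SequenceEqual(r2));
        Console.WriteLine("zero IV, outputs equal:   " + z1.SequenceEqual(z2));
        Console.WriteLine("length difference:        " + (r1.Length - z1.Length));
        // Decrypt side of the proposed fix: put the zero IV block back in front.
        byte[] back = DecryptPrependedIv(new byte[BlockBytes].Concat(z1).ToArray());
        Console.WriteLine("round trip ok:            " + back.SequenceEqual(pw));
    }
}
```

With a fixed IV, equal passwords always produce equal stored values, so anyone who can read the password column can tell which accounts share a password; the random-IV layout does not have that property.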
