Comments on: PHP MD5 not the same as .NET MD5 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/ OKCOOL make cool digital applications. We help companies balance brand and technology. From mashups to mobile shennanigans to social networks. Tue, 16 Mar 2010 08:21:15 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Amrox http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-1187 Amrox Sun, 14 Dec 2008 18:51:26 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-1187 I think UTF7 is not the answer!!! I am using Arabic (I think the problem will be there for other languages) I am trying to build a login based on VBulletin its working for English but Arabic its not working I tried all types of encoding: (its with Arabic Windows encoding "windows-1256"") The following code comparing the DB password and the hashed password they should match: //"y)@" is the salt string password = "كودلاب"; foreach (EncodingInfo enc1 in Encoding.GetEncodings()) foreach (EncodingInfo enc2 in Encoding.GetEncodings()) //foreach (EncodingInfo enc3 in list3) if (Md5Hash(Md5Hash(password, enc1.GetEncoding()) + "y)@", enc2.GetEncoding()) == "acfae8024d61fe3697203fbf0fc6e6ed") MessageBox.Show(enc1.Name + " - " + enc2.Name); Can anybody help I think UTF7 is not the answer!!!
I am using Arabic (I think the problem will be there for other languages)
I am trying to build a login based on VBulletin its working for English but Arabic its not working I tried all types of encoding:
(its with Arabic Windows encoding “windows-1256″”)
The following code comparing the DB password and the hashed password they should match:
//”y)@” is the salt

string password = “كودلاب”;
foreach (EncodingInfo enc1 in Encoding.GetEncodings())
foreach (EncodingInfo enc2 in Encoding.GetEncodings())
//foreach (EncodingInfo enc3 in list3)
if (Md5Hash(Md5Hash(password, enc1.GetEncoding()) + “y)@”, enc2.GetEncoding()) == “acfae8024d61fe3697203fbf0fc6e6ed”)
MessageBox.Show(enc1.Name + ” – ” + enc2.Name);

Can anybody help

]]> By: MD5 in PHP works exactly as it should (don’t believe the hype!) | Thomas David Wright http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-577 MD5 in PHP works exactly as it should (don’t believe the hype!) | Thomas David Wright Mon, 04 Aug 2008 13:16:00 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-577 [...] don’t pay any heed whatsoever to the whisperings that abound the wonderful interweb. Hmmm… Maybe ‘abound’ isn’t the right [...] [...] don’t pay any heed whatsoever to the whisperings that abound the wonderful interweb. Hmmm… Maybe ‘abound’ isn’t the right [...]

]]> By: Tom http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-566 Tom Fri, 18 Jul 2008 12:31:54 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-566 Thanks for everyone's comments. I understand the problem much better now. I've experienced problems as suggested with UTF7 but have used the UTF8 encoding and at the moment it seems to be working. Thanks for everyone’s comments. I understand the problem much better now. I’ve experienced problems as suggested with UTF7 but have used the UTF8 encoding and at the moment it seems to be working.

]]> By: RyanTheGreat http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-534 RyanTheGreat Wed, 11 Jun 2008 02:39:08 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-534 I'm not a .NET programmer, but I may be able to address a few of the comments here. Starting with the article itself, I don't believe that UTF-7 is the actual answer to your problems, but rather, a means of consistency for the data encoding before encryption. When computing a hash from a string, the data encoding is only important as to the extent of consistency in characters. What I mean by this is, if a string is being transmitted encoded as UTF-8 encrypted by md5 and compared against a ISO-8859-1 encoded string with the same characters it may or may not be equal due to the encoding, converting the strings in this example to UTF-7 is just a means of ensuring they are represented equivalently. As for the comment by victorantos, the reason your output is not equivalent to php's md5 without even knowing any .NET C# syntax is clear from the function call. HMAC-md5 (or any other HMAC-hash function) provides an additional functionality above the basic md5 hashing algorithm. The HMAC- algorithms are frequently used in API's in which the transmitting parties share a secret key K and hash the data along with XORing K against 2 sets of data to explain simply. The basic explanation is that is the wrong function to use, you must use the appropriate md5 function for your language. Finally, to address the comment of Dennis Bottaro, this is because of the use of UTF-7 encoding in this example to hash the data. UTF-7 is actually poor choice for encoding data before hashing due to the representation of most non-alphanumeric characters as you have suggested above. This, compared to non-UTF-7 encoded data in the php md5() function will obviously yield different results due to the representation of the non-alphanumeric data. To reiterate from before, the way to fix this is to make sure the encoding does not change, and also, make sure you are using the appropriate function within your languages function set. -Ryan I’m not a .NET programmer, but I may be able to address a few of the comments here. Starting with the article itself, I don’t believe that UTF-7 is the actual answer to your problems, but rather, a means of consistency for the data encoding before encryption. When computing a hash from a string, the data encoding is only important as to the extent of consistency in characters. What I mean by this is, if a string is being transmitted encoded as UTF-8 encrypted by md5 and compared against a ISO-8859-1 encoded string with the same characters it may or may not be equal due to the encoding, converting the strings in this example to UTF-7 is just a means of ensuring they are represented equivalently.

As for the comment by victorantos, the reason your output is not equivalent to php’s md5 without even knowing any .NET C# syntax is clear from the function call. HMAC-md5 (or any other HMAC-hash function) provides an additional functionality above the basic md5 hashing algorithm. The HMAC- algorithms are frequently used in API’s in which the transmitting parties share a secret key K and hash the data along with XORing K against 2 sets of data to explain simply. The basic explanation is that is the wrong function to use, you must use the appropriate md5 function for your language.

Finally, to address the comment of Dennis Bottaro, this is because of the use of UTF-7 encoding in this example to hash the data. UTF-7 is actually poor choice for encoding data before hashing due to the representation of most non-alphanumeric characters as you have suggested above. This, compared to non-UTF-7 encoded data in the php md5() function will obviously yield different results due to the representation of the non-alphanumeric data. To reiterate from before, the way to fix this is to make sure the encoding does not change, and also, make sure you are using the appropriate function within your languages function set.

-Ryan

]]> By: Dennis Bottaro http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-524 Dennis Bottaro Tue, 27 May 2008 17:46:09 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-524 This works perfectly when the incoming data is only alphanumeric. I have run into trouble when the incoming has characters other than a-z,A-Z,1-0. For example with this string "t0ph@t" php's MD5 comes up with "aec0cbe6302f25d8cce350e324704a52" while the version here comes up with "0ad1d3db5ba9b96f248816794b579fb1" I have not tested changing the encoding, but wondered if anyone else ran across this same problem. If I come up with a resolution, I will post it back here. This works perfectly when the incoming data is only alphanumeric. I have run into trouble when the incoming has characters other than a-z,A-Z,1-0. For example with this string “t0ph@t” php’s MD5 comes up with “aec0cbe6302f25d8cce350e324704a52″ while the version here comes up with “0ad1d3db5ba9b96f248816794b579fb1″

I have not tested changing the encoding, but wondered if anyone else ran across this same problem. If I come up with a resolution, I will post it back here.

]]> By: Lee Kelleher http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-509 Lee Kelleher Thu, 22 May 2008 20:57:18 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-509 Hidden away under an un-intuitive namespace is... System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile("hashMe", "MD5") The outputted MD5 is in uppercase, so just add a .ToLower(). Hidden away under an un-intuitive namespace is…

System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(“hashMe”, “MD5″)

The outputted MD5 is in uppercase, so just add a .ToLower().

]]> By: Morten K. Poulsen http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-480 Morten K. Poulsen Thu, 24 Apr 2008 16:58:49 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-480 The MD5 algorithm digests blocks of 512 bits (64 bytes). It does not interpret the data in any way. So if you have a string of characters, you must represent them in the same way (US-ASCII, UTF-8, ISO-8859-15, ...) on each system, before hashing them. Otherwise you are hashing different byte sequences, and will - naturally - get different hash results. Best regards, Morten K. Poulsen The MD5 algorithm digests blocks of 512 bits (64 bytes). It does not interpret the data in any way. So if you have a string of characters, you must represent them in the same way (US-ASCII, UTF-8, ISO-8859-15, …) on each system, before hashing them. Otherwise you are hashing different byte sequences, and will – naturally – get different hash results.

Best regards,
Morten K. Poulsen

]]> By: victorantos http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/comment-page-1/#comment-478 victorantos Thu, 24 Apr 2008 14:24:42 +0000 http://ok-cool.com/posts/read/125-php-md5-not-the-same-as-net-md5/#comment-478 That's what I'm looking for, I was using <i>System.Security.Cryptography.HMACMD5 h = new System.Security.Cryptography.HMACMD5(); h.ComputeHash(data2);</i> <b> but it doesn't match with php generated hash</b> That’s what I’m looking for, I was using
System.Security.Cryptography.HMACMD5 h = new System.Security.Cryptography.HMACMD5(); h.ComputeHash(data2);

but it doesn’t match with php generated hash

]]>