Is Asp.net identity hashing secured?

Question

Is Asp.net identity hashing secured?

I referenced the following sites for hashing implementations of Rijndael and Asp.net at the following URL.

Rijndael - How to create Rijndael KEY and IV using a passphrase?
Asp.net hashing - ASP.NET Identity by default Password Hasher, how does it work and is safe?

As in the implementation, the following is used to obtain random bytes for the password. Rijndael

Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);

Hashing Asp.net Identifiers

 Rfc2898DeriveBytes bytes = new Rfc2898DeriveBytes(providedPassword, salt, HasingIterationsCount)

After the above code, RijnDael applies encryption to the returned bytes. But asp.net identifier copies the result in the same way as with an array of cellular bytes, and returns hashed keys.

Here I had a confusion. RijnDael and Asp.net identifier hashes use the same Rfc2898DeriveBytes .

When RijnDael can decrypt encrypted keys (which is done using Rfc2898DeriveBytes), why can we make it possible to decrypt hashed keys of Asp.net Identity?

Is there any way to do this? Is Asp.net ID Safe?

0

c # asp.net encryption hash rijndael

Jeeva jsb Oct 13 '16 at 5:19

source share

1 answer

Rowan freeman · Accepted Answer · 2016-10-13T13:36:40+0000

Yes, the ASP.NET password hash method is safe.

In your example, the user uses an encryption method known as Advanced Encryption Standard (AES, also known as Rijndael). That is why the secret can be decrypted.

The user uses only the Rfc2898DeriveBytes class to get the key and initialization vector .

The class is not used to hash a secret message. Encryption is what hides the message.

ASP.NET uses the Rfc2898DeriveBytes class to hashed a password. This procedure cannot be undone.

Is Asp.net identity hashing secured?

More articles: