I have a .NET application which uses ASP.NET Identity 2 in order to authenticate users. The users log in using username/password, and upon successful login an access token (JWT) and a refresh token are produced.

The default implementation of ASP.NET Identity 2 for hashing the passwords can be found here. It uses a key derivation function with a random salt to produce the hash. The salt is included as part of the output of the KDF. Thus the final produced password hash consists of a first empty byte, then 16 bytes of the salt and then 32 bytes of the hashed password. From the above references we can see that the algorithm used is HMAC-SHA1 with 1000 iterations and the raw password of the user as the key for the HMAC (see here).

I am thinking of migrating to Firebase Authentication and I want to migrate my existing users there. Based on the Firebase documentation, when migrating HMAC_SHA1 hashed passwords we must include the password hash, the salt and the HMAC key. Also, we cannot provide the number of iterations used by the SHA1 hashing algorithm (see here).

So, the question is: How can we know the key of the HMAC, since it is the raw password of the user? This is the default implementation of ASP.NET Identity 2. Since we can never know it, does this mean that we cannot migrate our users to Firebase Authentication?

Also, even if we knew the key, how could we provide the 1000 iterations of the SHA1 algorithm in the payload towards Firebase? This can be done only when the hashing algorithm is SHA1 without HMAC (see here).

  • Did you ever find a solution to this? I'm looking for a way to import thousands of users from a .NET 6 Identity database, but I have no way of providing the hash-key. Commented Aug 23, 2024 at 1:44
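
The hash layout described in the question (one zero byte, 16 bytes of salt, 32 bytes of derived key, 1000 iterations of HMAC-SHA1), as an added example that is not part of the original post or of ASP.NET Identity. It assumes the key derivation function is PBKDF2 as implemented by .NET's Rfc2898DeriveBytes; the function names and the `salt_b64`/`hash_b64` keys are hypothetical, and the sample hash is constructed.

```python
import base64
import hashlib
import hmac

# Sizes and iteration count as stated in the question.
SALT_LEN, SUBKEY_LEN, ITERATIONS = 16, 32, 1000


def parse_identity_v2_hash(b64_hash):
    """Split a stored hash into (salt, subkey); ValueError on a bad layout."""
    raw = base64.b64decode(b64_hash, validate=True)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN:
        raise ValueError("unexpected length %d" % len(raw))
    if raw[0] != 0x00:
        raise ValueError("unexpected format marker 0x%02x" % raw[0])
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def derive(password, salt):
    # Assumption: PBKDF2 over the UTF-8 password. Inside PBKDF2 the password
    # is the HMAC key, so no separate per-application key exists to export.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, SUBKEY_LEN)


def verify_password(b64_hash, password):
    """Constant-time check of a candidate password against a stored hash."""
    salt, subkey = parse_identity_v2_hash(b64_hash)
    return hmac.compare_digest(derive(password, salt), subkey)


def split_for_export(b64_hash):
    """Return salt and derived key as separate base64 strings (hypothetical keys)."""
    salt, subkey = parse_identity_v2_hash(b64_hash)
    return {"salt_b64": base64.b64encode(salt).decode("ascii"),
            "hash_b64": base64.b64encode(subkey).decode("ascii")}


def make_sample_hash(password, salt):
    """Constructed test data: build a hash in the layout described above."""
    return base64.b64encode(b"\x00" + salt + derive(password, salt)).decode("ascii")


if __name__ == "__main__":
    sample = make_sample_hash("Correct-Horse-1", bytes(range(16)))  # constructed
    print(verify_password(sample, "Correct-Horse-1"), split_for_export(sample))
```
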

1 Answer

I can help with the Firebase part of the question. The SDK does not seem to provide all the functionality supported by the Firebase CLI.

If you take a look here:

https://firebase.google.com/docs/cli/auth

firebase auth:import ACCOUNT_FILE    \
  --hash-algo=HASH_ALGORITHM         \
  --hash-key=KEY                     \
  --salt-separator=SALT_SEPARATOR    \
  --rounds=ROUNDS                    \
  --hash-input-order=HASH_INPUT_ORDER

I think you can define everything you need.

  • For hash-algo you need to use HMAC_SHA1
  • For hash-key you need to use the key used to hash the passwords in base64 format
  • For rounds use 1000 for the iterations you specified
  • For hash-input-order you need to use SALT_FIRST

Now for where you can get the key, maybe someone else can chip in.
