Page 1 of 1

Encrypting a password the same in C# and PHP?

Posted: Fri Jul 06, 2018 7:50 pm
by OldRod
I am trying to find a way to encrypt a password in both C# and PHP that produces the same results in each.

That way players could log in to the game (created in Unity) and play or they could log in to a web page (created with PHP) and see their gear, achievements, etc. when they weren't playing.

I was hoping to use PHP_Verify and PHP_Hash in PHP, as they look solid, but I haven't found a way to do the same in C# that produces the same encryption. I found a NuGet package called Cryptsharp, and tried it, but it's not exactly identical for some reason.

Anyone know of a way to do this?

Re: Encrypting a password the same in C# and PHP?

Posted: Fri Jul 06, 2018 8:09 pm
by KyleMassacre
Quick question:
Is the Unity version for lack of a better term going to be somehow different than the web version? If so, seems a little odd. I figured you would just develop an API resource to communicate between the game and your database.

Player enters credentials, credentials get sent to your server and validated there. If you go that route you could look at https://oauth2.thephpleague.com/

**EDIT**
If you haven’t gotten too far on your web side of things and are not opposed to using frameworks you could look at Laravel. Laravel has a package called Passport which basically uses the package I linked to and allows for OAuth and you can even look into Socialite for Laravel which allows authentication through Google, FB, Twitter and etc.

Re: Encrypting a password the same in C# and PHP?

Posted: Fri Jul 06, 2018 10:25 pm
by Sharlenwar
I'm no expert, but if you are going to encrypt a password in C#, I imagine you would use the same method that PHP uses, this way the "hashstring" should be identical.

Re: Encrypting a password the same in C# and PHP?

Posted: Fri Jul 06, 2018 10:49 pm
by KyleMassacre
Sharlenwar wrote:I'm no expert, but if you are going to encrypt a password in C#, I imagine you would use the same method that PHP uses, this way the "hashstring" should be identical.
I think that is what he is stating he is having trouble with. I myself can’t really think of a scenario where you need to use a hash system twice which is why I suggested an OAuth approach. A JWT would work as well which is similar in fashion.

User logs in on app -> App sends HTTP request to website -> Website validates credentials-> Website returns a token -> token is used for everything else

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 3:12 am
by Jackolantern
I believe this is what Kyle was mentioning, but is there some reason why you can't use the exact same login table to login in both? You could then go on and have separate tables for the PHP and C# code.

But if you need to have them separate, I think the issue is that you are looking at what are essentially convenience functions in PHP that don't exist in exactly the same form in C#. You will need to create your own hashing function and use a lower-level function. Just ensure you are using the same hashing algorithm, such as SHA-256 and the same SALT if you use one. Both .NET and PHP include support for directly hashing a string value, and provided you use the same algorithm and SALT, they will produce the same hashed output value. Then you can write the logic in both systems to use that hash function you write on the incoming passwords and compare them to the hashed value in the database and it should work out fine :)

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 3:59 am
by hallsofvallhalla
my suggestion is to hire a 80 year old security guard.

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 9:25 pm
by OldRod
Sharlenwar wrote:I'm no expert, but if you are going to encrypt a password in C#, I imagine you would use the same method that PHP uses, this way the "hashstring" should be identical.
That's what I'm trying to do - find a method that words in both, that produces the same hash

I have it set up where the player logs in through Unity to play, but they also can access a web site using the same username/password and look at their stats, look at various items their character has, etc. At least that's the plan. So the password has to be encrypted the same way by both PHP and C# in order to work.

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 9:26 pm
by OldRod
hallsofvallhalla wrote:my suggestion is to hire a 80 year old security guard.
:)

"It's only 2 days to retirement, don't shoot me!!"

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 9:27 pm
by OldRod
Jackolantern wrote:I believe this is what Kyle was mentioning, but is there some reason why you can't use the exact same login table to login in both? You could then go on and have separate tables for the PHP and C# code.

But if you need to have them separate, I think the issue is that you are looking at what are essentially convenience functions in PHP that don't exist in exactly the same form in C#. You will need to create your own hashing function and use a lower-level function. Just ensure you are using the same hashing algorithm, such as SHA-256 and the same SALT if you use one. Both .NET and PHP include support for directly hashing a string value, and provided you use the same algorithm and SALT, they will produce the same hashed output value. Then you can write the logic in both systems to use that hash function you write on the incoming passwords and compare them to the hashed value in the database and it should work out fine :)
OK, thanks. I'll do some digging. I was just hoping there was a method out there, but I am not turning it up on Google.

Re: Encrypting a password the same in C# and PHP?

Posted: Sat Jul 07, 2018 10:28 pm
by Jackolantern
OldRod wrote: That's what I'm trying to do - find a method that words in both, that produces the same hash
Then you want the low-level hashing algorithm methods. So in PHP you want to just use the hash() method:

Code: Select all

$hashedValue = hash('sha256', 'The quick brown fox jumped over the lazy dog.');
And in C#:

Code: Select all

using System.Security.Cryptography;

//...
SHA256 mySHA256 = SHA256Managed.Create();
var hashedValue = mySHA256.ComputeHash("The quick brown fox jumped over the lazy dog.");
In both cases, hashedValue should be the same.

EDIT: That should be right. In all honesty, I think I have forgotten PHP. But I used the C# one just a week or two ago.