How to fetch the password from the password digest from the API exposed in ASP.NET with C# via webservice during password digest authentication?

Question

1.00/5 (1 vote)

See more:

I want to retrieve the password from the password digest from the hosted API in asp.net with c# via webservice while consuming the same during Password Digest Authentication

Password Digest Creation Logic
Password_Digest =  Base64(SHA-1(nonce + created + password ))

Request API is created with Password Digest,nounce and Created Time Stamp in the SOAP Envelope Header Node and exposed to a middle ware via webservice.
I want to retrieve the Password from the Password Digest value in the Soap Envelope Header Tag in the response API which would contain the Password Digest value,Nounce and Created Time Stamp Value.
I need to authenticate from the Request API creation logic as above and then only allow access and provide the response back.

What I have tried:

My Sample Request XML with Password Digest is as below:

<string xmlns="http://tempuri.org/"><soapenv:envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t24="https://soa.nbf.ae/T24Service/"> <soapenv:header> <wsse:security soapenv:mustunderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:usernametoken wsu:id="UsernameToken-8" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:username>alex.jr <wsse:password type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fp2VQAFpZKHBp08DjXf/lX4cm58= <wsse:nonce encodingtype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tqTc87Gz7mCUVSslHuuisQ== <wsu:created>2020-01-13T10:46:54.412Z <soapenv:body> <sendtot24request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <request> <company>Test <user_name>alex.jr <message_id>312313 <transaction_id>102 <external_ref_id>0000120

Posted 12-Jan-20 18:25pm

ranio

Updated 12-Jan-20 21:13pm

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2020-01-12T21:14:00

If by

Quote:
"I want to retrieve the password from the password digest"

you mean

Quote:
"I want to get the original password text back"

Then you can't: SHA is not an encryption algorithm, it is a hashing algorithm. The difference is simple: hashing functions cannot be reversed to obtain the original input at all - that's the whole point of using them for password storage (preferably with a salt value to prevent identical passwords having identical hashes).

What you do is generate the hash from the entered password and salt, and compare that with the stored value. If the hashes match, it's correct. If they don't, it's not.
You can't recover passwords with this system - that's the whole idea - so your password store is of no use to anybody even if it is compromised as it can't be used to log in.