PBKDF2 changes from 2017r3 to 2018r1

I have a client-server password log in mechanism. Both are built with Xojo. Client sends password over TLS.
On the server, a PBKDF2 hash was created for the password and saved in the sqlite db along with a salt. This was done in 2017 r3 and works well.
However, building the server with 2018r1 I cannot log in as I get a different hash. No change in code or password.
What am I doing wrong?
The code is below

dim salt as Text= rs.Field(“Salt”).StringValue.ToText
dim has as text = rs.Field(“Hash”).StringValue.ToText

Dim saltData As Xojo.Core.MemoryBlock
saltData = Xojo.Core.TextEncoding.UTF8.ConvertTextToData(salt)

Dim passwordData As Xojo.Core.MemoryBlock
passwordData = Xojo.Core.TextEncoding.UTF8.ConvertTextToData(password.ToText)

Dim hashData As Xojo.Core.MemoryBlock
hashData = Xojo.Crypto.PBKDF2(saltData, passwordData, 500, 32, Xojo.Crypto.HashAlgorithms.SHA256)

Dim hex As Text

For b As Int8 = 0 To hashData.Size - 1
hex = hex + hashData.Int8Value(b).ToHex(2)

if hex.Compare(has,Text.CompareCaseSensitive) <> 0 then
ioerrors.Append "Incorrect password for "+username
Return nil
end if

Well first of all, hex is not case sensitive, so don’t compare it that way. FFFF is the same as ffff.

But that’s probably not the issue. If you’re pulling your data from the database that way, the salt and hash are probably already hex encoded. I don’t see you decoding the salt before passing it into the PBKDF2 method.

Confirm that the input bits are identical between each version. PBKDF2 is a standard, the issue is likely something to do with how you prepare the input memory blocks. I suspect encoding issues, but I can’t tell from this code.

I have the same issue that hash values have arbitrarily changed from 2017 > 2018 meaning users can’t log into the app even though no code has changed on my end.

I’ve mad a sample app proving that the same data w/ salt hashed in 2017r2 does not match the exact same input in 2018r11 using the build in Xojo.Crypto.PBKDF2 functions. The problem is now how do I get around it so I can build an update without breaking my entire app’s login process?

I’ve not used the Xojo Crypto classes but I would say this line is potentially the cause:

hex = hex + hashData.Int8Value(b).ToHex(2)

Int8Value will return a signed value between -128 and 127. I think you should have been using UInt8Value to return a value between 0 and 255.

My guess is that Xojo have changed how ToHex handles negative numbers which has broken your code. If i’m correct you could solve this by writing your own version of ToHex that works the same way as previous versions of Xojo.

Depending on what Xojo did with negative numbers you might find that the hashes you have been generating are less secure. Ideally you should be using UInt8Value so that ToHex returns the correct value. This would then introduce a data versioning problem that you would have to address.

@Tom Iwaniec I’d be interested in seeing that example project.

Edit: Nevermind, I see the other thread.

Kevin, that’s right. More information here.

Reading Gino’s comment from the other thread, it looks like all negative numbers are converted to hex as 00 to 0F and because positive int8 only goes up to 7F all above hex numbers like 80, AA, DF are converted to 00, 0A, 0F

From what I see there is no issue with PBKDF2.