Tutorial :Why is my SHA1 hash not matching?


I don't think I was specific enough last time. Here we go:

I have a hex string:

742713478fb3c36e014d004100440041004 e0041004e00000060f347d15798c9010060 6b899c5a98c9014d007900470072006f007 500700000002f0000001f7691944b9a3306 295fb5f1f57ca52090d35b50060606060606

The last 20 bytes should (theoretically) contain a SHA1 Hash of the first part (complete string - 20 bytes). But it doesn't match for me.

Trying to do this with PHP, but no luck. Can you get a match?


742713478fb3c36e014d004100 440041004e0041004e00000060 f347d15798c90100606b899c5a 98c9014d007900470072006f00 7500700000002f0000001f7691944b9a

sha1 hash of ticket appended to original:


My sha1 hash of ticket:


Here's what is in the ticket and how it's being stored. FWIW, I can pull out username, etc, and spot the various delimiters. http://www.codeproject.com/KB/aspnet/Forms_Auth_Internals/AuthTicket2.JPG

Edited: I have discovered that the string is padded on the end by the decryption function it goes through before this point. I removed the last 6 bytes and adjusted by ticket and hash accordingly. Still doesn't work, but I'm closer.


Your ticket is being calculated on the hex string itself. Maybe the appended hash is calculated on another representation of the same data?


I think you are getting confused about bytes vs characters.

Internally, php stores every character in a string as a byte. The sha1 hash that PHP generates is a 40 character (40 byte) hexademical representation of the 20-byte binary data, since each binary value needs to be represented by 2 hex characters.

I'm not sure if this is the actual source of your discrepancy, but seeing this misunderstanding makes me wonder if it's related.


Try trimming the string first, its suprisingly easy to have a newline or space on the end that changes the hash completely.


According to this Online SHA1 tool the hash of the given text (after removing new lines and spaces) is


Idea: Make sure your inputing characters not a hex number to the PHP version.


The problem was that the original was a keyed hash. I had to use hash_hmac() with a validation key rather than sha1() without.

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »