asp.net-core.net-coreasp.net-identitypassword-hashdpapi

Does `Microsoft.AspNetCore.Identity.PasswordHasher<TUser>` use ASP.NET Core Data Protection under the covers?


Background: I have a ASP.NET Core 3.1 application that is running in an AWS FARGATE container (on Linux).

What I need to do: I need to hash passwords using a built-in .NET Core solution. I'd prefer to use a solution where I don't have to manage key rotation; but will do so if there's no other option.

I'd like to use the Microsoft.AspNetCore.Identity.PasswordHasher<TUser> to hash the passwords. However, I have no idea if this uses some sort of key rotation mechanism (e.g. DPAPI) to generate the hashes. According to ASP.NET Core Data Protection, the default implementation handles key generation and rotation - i.e. keys are stored in the LOCAL CryptoRing and rotated by default every 90 days. Therefore:

  1. keys are not transferable
  2. keys to decrypt are only good for 90 days

If I need to handle key rotation, I think (not sure) that the cloud-based solution is to generate a crypto key and add to Azure. But, I need to know if I even need to do this if I'm only using Microsoft.AspNetCore.Identity.PasswordHasher<TUser> to hash the passwords and not using any ASP.NET Core Data Protection. TIA


Solution

  • EDIT: According to Barry Dorans (@blowdart), it does not use ASP.NET Data Protection:

    https://github.com/dotnet/aspnetcore/issues/21331#issuecomment-621345491