Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I need to create an encryption class that does not accept special characters,that uses letters and numbers only.
Does anyone have one or can you help me develop it?
You don't need to create a separate encryption algorithm to do this. Just use the following regex to validate your input:
[A-Za-z0-9]+
This will validate that the input only contains alphanumeric charactrs. After that, you can perform whatever encryption you want.
So, basically, you could have a class like the following (and I'm mixing C# and pseudocode here):
public class Encryption {
private readonly Regex regex = new Regex("[A-Za-z0-9]+");
public string Encrypt(string toEncrypt) {
if (toEncrypt == null)
throw new ArgumentNullException("toEncrypt");
// This check is very important
// If toEncrypt contains non-alphanumeric characters, is an empty string, or consists only of whitespace don't accept it
if (!regex.IsMatch(toEncrypt))
throw new ArgumentException("String is not alphanumeric");
// Obviously pseudocode
// Replace this line with a call to AES, 3DES, Twofish, Caesar Cipher, or whatever encryption algorithm you want
return EncryptionAlgorithm.Encrypt(toEncrypt, whateverKey);
}
}
The term "encryption" is actually pretty vague in this case. If you're looking for "serious" encryption, you probably want to use either Twofish or the Advanced Encryption Standard (AES); both are highly secure at this point and have good library support, but AES is somewhat better studied. The other AES contest finalists (such as Serpent) are also highly secure, but they tend not to be studied as thoroughly or have as good of library support as Twofish and AES. Unless you have a good reason to use Twofish or one of the other AES contest finalists instead of AES, it's probably better to just use AES.
I say "highly secure at this point" because security's intrinsically relative to current technology; for example, public-key cryptography would be broken by quantum computers. DES was considered secure until hardware became fast enough to brute-force it. (In fact, it's still considered relatively secure against other kinds of attacks, such as differential crypanalysis).
Note that if you're serious about security it's rarely a good idea to try to design your own algorithm.
There are also classical ciphers like the Caesar Cipher available. You should only use these if you don't care about security at all as they're all badly broken at this point. They aren't built into the .NET framework but most of them are pretty easy to implement yourself.
Encryption produces binary output, not characters, if you need a character representation use Base64 or hexadecimal encoding.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I need an algorithm that creates vouchers that is based on an internet kiosk timer. Basically, voucher should have the amount of time allowed encrypted into it. I was thinking of having the amount of time in hex at the start with a few random chars after it then a checksum at the end. However any other ideas are welcome
Use c# builtin libraries for encryption. Since you are the only entity that needs to encrypt/decrypt you can use either a asymetric key(public/private) schema, where you keep both keys private or a symmetric key solution.
Make sure the keys are sufficiently large so that they are not easy to break (at least 256 bits, preferably more).
You don't need to add random chars at the start. You don't need to add checksum at the end. The encryption library should fail to decrypt if the content has been tampered with (accidental character change, but will not stop a very determined attacker). If you want to be extra sure there's been no tampering generate an additional public/private keys and use them to sign the encrypted string.
If you don't care that users can see your voucher string, you can just put it in plain text and just use the libraries to sign it.
So all you need is to have a class that is serializable and contains all the fields of your voucher. Get the serialized string and pass it through the encryption/signing routines. When you get it backs use the same routines to make sure the string is authentic then deserialize it and you have your data.
The most important thing is to use the libraries correctly (follow the tutorials, instructions) and you keep your keys safe.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I'm looking for the Lua or C equivalent to the .NET method System.Web.Helpers.Crypto.VerifyHashedPassword. The issue I'm solving for is the password hash being created by a .NET application but need to have a Lua application handle the authentication.
The source for the .NET class is available here but it seems this will get fairly deep and difficult quickly to rebuild in either Lua or C.
Existing crypto libraries in Lua didn't appear to solve this issue.
Any help is appreciated!
I don't think there's an exact equivalent implementation available for Lua. From looking at the C# implementation it's well documented so it shouldn't be too hard to port the implementation over to Lua or C.
The good news is that the crypto primitives used in the .NET implementation is available so you don't need to rewrite those parts. In particular, you'll need:
PBKDF2 key derivation function from rfc2898.
SHA1 used by PBKDF2 as the underlying hashing function. Depending on your requirements you may want SHA256 in there too but PBKDF2 itself is designed to be hash function agnostic. SHA1 is the default used if going by rfc2898 specs.
Base32/64 encoding decoding functions. From looking at the source the hashedPassword is expected to be in base64.
Also pay attention to this important comment:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 0:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*/
Now there are a couple of PBKDF2 lua implementations out there:
https://github.com/moteus/lua-bgcrypto-sha/blob/master/src/lua/pbkdf2.lua
https://github.com/bungle/lua-resty-nettle/blob/master/lib/resty/nettle/pbkdf2.lua
For base encoding utilities check out https://github.com/aiq/basexx for a pure lua implementation.
The framework you linked does provide some rudimentary test vectors in the crypto unittest here. You can use that to test your own implementation to make sure it has the same behavior.
I did write my own PBKDF2 implementation in pure lua as an exercise in wifi WPA cracking. If you're interested in it, I can share it.
Take any library/code/whatever, say, https://www.gnu.org/software/libc/manual/html_node/crypt.html (the first result on google for 'c md5 library') Then simply hash the input password (important: same hash alg as the password is encrypted with. Probably an md5, as I guessed above - if it's not md_5 - well, you have the source code to it, figure out what alg it is) and compare the byte arrays - if they exactly match, then the password is either correct or a collision at least - if they don't exactly match, the password is wrong.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
How to encrypt Decrypt text without using Base64String?
I don't want to use Base64String because encrypted text should not contains any special character like #, $, #, /, \, |,=,% ,^
Well the obvious approach if you don't want to use base64 is to use base16 - i.e. hex.
There are plenty of examples of converting between a byte array and a hex string representation on Stack Overflow. (BitConverter.ToString(data).Replace("-", "") is an inefficient way of performing the conversion to a string; there's nothing quite as simple for the reverse, but it's not much code.)
EDIT: As noted in comments, SoapHexBinary has a simple way of doing this. You may wish to wrap the use of that class in a less SOAP-specific type, of course :)
Of course that will use rather more space than base64. One alternative is to use base64, but using a different set of characters: find 65 characters you can use (the 65th is for padding) and encode it that way. (You may find there's a base64 library available which allows you to specify the characters to use, but if not it's pretty easy to write.)
Do not try to just use a normal Encoding - it's not appropriate for data which isn't fundamentally text.
EDIT: As noted in comments, you can use base32 as well. That can be case-insensitive (potentially handy) and you can avoid I/1 and O/0 for added clarity. It's harder to code and debug though.
There's a great example in the MySQL Connector source code for the ASP.NET membership provider implementation. It may be a little hassle to download and research, but it has a well-established encryption and decryption module in there.
http://dev.mysql.com/downloads/connector/net/#downloads
Choose the 'source code' option before downloading.
If you want encoding/decoding for data transmission or condensed character storage, you should edit your question. Answers given to an encoding question will be much different than answers given to an encryption/decryption question.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What algorithm should I use to hash passwords into my database?
I am new to this hashing on password. I read the hashing + salt make passwords really safe. But still confused which hashing algorithm should I use as there are many like.
MD5CryptoServiceProvider
SHA1Managed
SHA256Managedetc.
How can I decide which one is good for me or all are equal. Can I pick up anyone blindly?
MD5:
In 1996, a flaw was found with the design of MD5, and while it was
not a clearly fatal weakness, cryptographers began recommending the
use of other algorithms, such as SHA-1—which has since been found to
be vulnerable as well.
SHA1:
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the
algorithm might not be secure enough for ongoing use
SHA2 which SHA256 is a type of does not have a known vulnerability as of the moment of writing.
Fast hash algorithms like MD5, SHA-1 or even SHA-256 are not good choices to hash passwords, because they are much too fast and can be brute-forced too easily. One can calculate about 3 Giga SHA-1 values per second with common hardware in 2013.
Instead you can use a slow key-derivation function like BCrypt or PBKDF2. CSharp has native support for PBKDF2, it can be implemented with the Rfc2898DeriveBytes class, an example you can find here.
Also easy to use is this BCrypt library. Often people are not sure if it is safe to use such libraries, but i don't think there are arguments against using it. As long as the library returns the correct value and generates the salt correctly, it should be fine, because the security comes from the algorithm and not from the implementation.
MD5 is considered crackable. SHA1 is good but maybe crackable. SHA256 is good.
https://security.stackexchange.com/questions/5586/why-do-people-think-that-this-is-bad-way-to-hash-passwords
SHA1 vs md5 vs SHA256: which to use for a PHP login?
Is SHA-1 secure for password storage?
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
How to encrypt a string in .NET?
Which one is the most excellent and toughest encryption for String type data in C#..
That really depends on your exact requirements.
Most modern encryption algorithms are probably more than strong enough for your needs if you use them properly.
The weak point in your system will not be the encryption algorithm itself. Almost every other aspect of your setup will be more vulnerable to attack than the algorithm.
My primary answer is "it depends upon what you're doing with that string". This question (and answers) will guide you...
.NET Secure Memory Structures
... but it depends if you're encyrpting/security that string in memory, how you're persisting it, how you intend using that string and how you intend disposing of it.
These SO questions touch on these topics too..
How to encrypt a string in .NET?
What's the best way to encrypt short strings in .NET?
... and contain useful links.
That would be a one-time pad. If correctly implemented it's been proved to be impossible to crack but an OTP is most probably not a viable option for you.
RSA encryption is very secure and .NET supports it. But since asymmetric encryption is only designed for encrypting data smaller than it's key size it's often not a great choice for encryption of arbitrary strings. That leads us to block ciphers and among those I would recommend AES.