Hey guys, I wanted to know how to create a decrypt function for this crypt function:
public static string CreateHash(string unHashed)
{
    System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] data = System.Text.Encoding.ASCII.GetBytes(unHashed);
    data = x.ComputeHash(data);
    return System.Text.Encoding.ASCII.GetString(data);
}
Is there any way to decrypt function?
Hashes I got are like: ??????7hYkr?4??w
MD5 is a hash function.
So it's only one way: there is no practical way to decrypt it.
Read the introduction of the Wikipedia article about cryptographic hash functions to understand how those behave.
However, if you have passwords encrypted with this function, and you want to check that a user-provided password matches, you can encrypt the user-provided string, and compare the result with the encrypted blob that is in your database (which is the most common use for those functions).
Related
I am working on an API which requires a header for API authentication. The header contains a hash string which is created using md5 algorithm and a secret key. I want to write a function like this:
public string CreateMD5Hash(string input, string secretKey)
{
    return output;
}
I tried to use the Bouncy Castle API. But I couldn't find proper documentation. That is why I couldn't make use of it.
Okay, BASICALLY let's break this into two simple concepts: Cryptography and Hashing.
Cryptography
There are three fields (a secret key, a value and an encrypted value) and two methods.
Encrypt(value, secret-key): this method gets the value and secret key and returns the encrypted value.
Decrypt(encrypted-value, secret-key): this method gets the encrypted value and secret key and returns the value.
Like AES, DES, etc.
Hashing
There are just two fields (a value and a hashed value) and one method.
Hash(value): this method gets the value and returns the hashed value.
Like MD5, the SHA family, etc.
Simple, right!
So your question is not correct because MD5 is a hashing algorithm that usually is used for hashing passwords and comparing the hash of them.
Now I recommend taking a look at the API you are talking about for authentication.
You can share the link to the documentation or an already encrypted header (if it is not sensitive data) so we can help you.
Update
According to the link, it is using HMAC with MD5.
This is the sample in the document, written in PHP.
$hash = hash_hmac('md5', $string, $key);
You can use this code for C#:
using System;
using System.Security.Cryptography;
using System.Text;
...
public string HashHmacMD5(string message, string secret)
{
    Encoding encoding = Encoding.UTF8;
    // Key the HMAC with the shared secret; the using block disposes it afterwards.
    using (HMACMD5 hmac = new HMACMD5(encoding.GetBytes(secret)))
    {
        var msg = encoding.GetBytes(message);
        var hash = hmac.ComputeHash(msg);
        // Lowercase hex without dashes, the same shape PHP's hash_hmac returns.
        return BitConverter.ToString(hash).ToLower().Replace("-", string.Empty);
    }
}
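The receiving side of the header check described above, as an added example that is not part of the original answer: it recomputes the HMAC-MD5 and compares it with the received hex string in constant time. The class and method names are hypothetical, .NET 5 or later is assumed, and the key, message and MAC are the published RFC 2202 test case 2, not values from the API in question.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HmacHeaderCheck   // hypothetical name, not from the original answer
{
    private static byte[] Mac(string message, string secret)
    {
        using (var hmac = new HMACMD5(Encoding.UTF8.GetBytes(secret)))
        {
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
        }
    }

    // Lowercase hex, the same shape as PHP's hash_hmac('md5', $message, $secret).
    public static string Compute(string message, string secret)
    {
        return Convert.ToHexString(Mac(message, secret)).ToLowerInvariant();
    }

    // True only if headerValue is the hex MAC of message under secret.
    public static bool Verify(string message, string secret, string headerValue)
    {
        byte[] received;
        try
        {
            received = Convert.FromHexString(headerValue ?? string.Empty);
        }
        catch (FormatException)
        {
            return false;   // not valid hex: reject instead of throwing
        }
        // Constant-time comparison, so response timing does not show how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(Mac(message, secret), received);
    }

    public static void Main()
    {
        // RFC 2202, HMAC-MD5 test case 2 (published test vector).
        const string key = "Jefe";
        const string msg = "what do ya want for nothing?";
        const string rfcMac = "750c783e6ab0b503eaa86e310a5db738";
        Console.WriteLine(Compute(msg, key) == rfcMac);    // C# output agrees with the vector
        Console.WriteLine(Verify(msg, key, rfcMac));       // genuine header
        Console.WriteLine(Verify(msg + "!", key, rfcMac)); // altered message is rejected
    }
}
```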
Your question is somewhat confusing.
For simple API authentication, you want to generate a secret that you want to share with the caller. This secret should be validated on your side.
Normally you would generate a random secure string with a length of about 50 - this is the secret. You share this secret with the caller - normally you warn the caller to securely store the value, since there is no way to recover it. Do not store this secret in the database.
You would generate a salt and hash the secret. You store both the salt and the hashed secret in the database. When the request comes in, you extract the value in the header, hash it with the salt and compare the result with the hashed secret in the database. The user would be authenticated if they match.
Is this more in line with your thinking? Is your question how to hash it properly?
I am using the function below to encrypt the password and store it in my database. Now I need to decrypt it back and compare it with the login user. Please help me.
public static string encrypt_string_using_MD5(string s)
{
    byte[] byte_array = System.Text.Encoding.Default.GetBytes(s);
    System.Security.Cryptography.HashAlgorithm alg =
        System.Security.Cryptography.HashAlgorithm.Create("MD5");
    byte[] byte_array2 = alg.ComputeHash(byte_array);
    System.Text.StringBuilder sb
        = new System.Text.StringBuilder(byte_array2.Length);
    foreach(byte b in byte_array2)
    {
        sb.AppendFormat("{0:X2}", b);
    }
    return sb.ToString();
}
You cannot decrypt a hash. A hash is like a signature of your original content.
What you can do is store this hash in the database. Whenever the user enters a password, you compute the hash of the value the user entered and compare it with the stored hash, and if it matches then authentication is successful.
You can not decrypt it, because it is not encrypted.
You create a hash of the text, and not an encrypted version.
A hash is like a fingerprint of data. This can be used for example to safely store passwords in a database. When someone wants to log in again, you again calculate the hash and check the new hash against the one in the database to see if they match. If they do, then the password is the same and the user can log in.
A good explanation can be found at http://www.securityinnovationeurope.com/blog/whats-the-difference-between-hashing-and-encrypting
Since you use MD5, it's irreversible. Why are you sending passwords as plain text anyway...?
Either way, when comparing values (one plain, one hashed) hash the plain one and compare that.
This is the encryption I have when people register on my site:
$salt = generateSalt();
$hashedPassword = crypt($userPass, $salt);
and here is my generateSalt function:
function generateSalt() {
    $salt = uniqid(mt_rand(), true);
    $salt = '$1$' . $salt;
    return $salt;
}
When I encrypt a password with this I get for example:
$1$92999442$AK4yZPjnj6BKc9yj4CXKu1
But when I crypt the same password on C# with this function:
hashedPassword = GenerateMD5(uName, salt);
GenerateMD5 function:
public String GenerateMD5(String input, String salt)
{
    Byte[] bytes = System.Text.Encoding.UTF8.GetBytes(input + salt);
    System.Security.Cryptography.MD5Cng md5hashstring = new System.Security.Cryptography.MD5Cng();
    byte[] hash = md5hashstring.ComputeHash(bytes);
    string hex = BitConverter.ToString(hash).Replace("-", string.Empty);
    return hex;
}
I get a completely different output. With the same password and the same salt I get this output:
9DE11D48C3F7DF1BF89FC76D755A2596
What function should I use in PHP and C# to get the same output?
Because you're using two completely different algorithms. In PHP you're using crypt() which uses DES, and in C# you're using MD5. They're never going to produce the same output. If you want the same output, you should use md5() in PHP instead of crypt()
Also, don't use MD5, it's deprecated. You should be using at least SHA-2 now
http://php.net/md5
http://blogs.msdn.com/b/csharpfaq/archive/2006/10/09/how-do-i-calculate-a-md5-hash-from-a-string_3f00_.aspx
And adding a random salt to your input is part of the problem. You'll end up with a different input every time, hence a different hash output.
If I were you I'd consider using password_hash instead. Does all that crypt work for you in a nice, neat package, complete with random salt.
As to why your function doesn't match, you're using MD5 in your C# code. I'm no expert in C# but you should use some sort of bcrypt hashing system. There is an open source bcrypt for C# that might do the trick for you. In theory, since they use the same system, one should be able to validate the other since they all store the salt in the string. Just pluck the salt from the string and plug the password and salt into the other one and they should match.
This is the so-called md5crypt by Poul-Henning Kamp, not to be confused with MD5. Md5crypt was first used to protect FreeBSD passwords from brute force, but then became more widespread. It was incorporated into GNU libc crypt() and many programs had interfaces to this system call, including PHP, and some PHP developers made use of it. Md5crypt invokes MD5 no less than 1000 times to make brute force harder (but nowadays md5crypt is considered outdated by its author!). I have seen implementations of md5crypt for many programming languages; this one is for C#.
I encrypt the password with the following code
HashAlgorithm hashAlgorithm = null;
hashAlgorithm = new SHA512CryptoServiceProvider();
try
{
    byte[] byteValue = Encoding.UTF8.GetBytes(source);
    byte[] hashValue = hashAlgorithm.ComputeHash(byteValue);
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i <= hashValue.Length - 1; i++)
    {
        sb.AppendFormat("{0:x2}", hashValue[i]);
    }
    return Convert.ToString(sb);
}
catch
{
    throw;
}
After that I saved it in the database.
Now I want to retrieve the actual password by decrypting it. Please help me.
You hash a password and you don't encrypt it. That being said you cannot decrypt it.
Taken from here
Encryption transforms data into another format in such a way that only
specific individual(s) can reverse the transformation. It uses a key,
which is kept secret, in conjunction with the plaintext and the
algorithm, in order to perform the encryption operation. As such, the
ciphertext, algorithm, and key are all required to return to the
plaintext.
while
Hashing serves the purpose of ensuring integrity, i.e. making it so
that if something is changed you can know that it’s changed.
Technically, hashing takes arbitrary input and produce a fixed-length
string that has the following attributes:
The same input will always produce the same output.
Multiple disparate inputs should not produce the same output.
It should not be possible to go from the output to the input.
Any modification of a given input should result in drastic change to the hash.
Hashing is used in
conjunction with authentication to produce strong evidence that a
given message has not been modified. This is accomplished by taking a
given input, encrypting it with a given key, hashing it, and then
encrypting the key with the recipient’s public key and signing
the hash with the sender’s private key.
Then what can I use with which I can convert output to input?
You should decrypt your data and not hash them. Encrypting and decrypting data is a big subject. A good starting point is to read this. Generally, you have two types of encryption, symmetric and asymmetric. So initially, read about them and then choose the one you think suits your needs. Then try to implement it. You will make use of algorithms that are already implemented in .NET and can be used by instantiating objects of the corresponding classes and calling specific methods.
However, I have to make a note here. Usually, we hash the passwords and we don't encrypt them. This is more secure. Taken from here:
Though hashing and encryption both provide valuable capabilities, for
the vast majority of situations, there is only one right option for
storing user passwords for an online application: hashing. This is a
one-way function in which a hashed value cannot be reversed to obtain
the original input value (i.e., the password). Symmetric encryption is
based on the use of an encryption key and is a reversible operation.
Anyone possessing the key can decrypt an encrypted value to obtain the
original value.
I have some simple code but I need to get back my plain text from my hash code.
private string Hash(string ToHash)
{
    // First we need to convert the string into bytes,
    // which means using a text encoder.
    Encoder enc = System.Text.Encoding.ASCII.GetEncoder();
    // Create a buffer large enough to hold the string
    byte[] data = new byte[ToHash.Length];
    enc.GetBytes(ToHash.ToCharArray(), 0, ToHash.Length, data, 0, true);
    // This is one implementation of the abstract class MD5.
    MD5 md5 = new MD5CryptoServiceProvider();
    byte[] result = md5.ComputeHash(data);
    return BitConverter.ToString(result);
}
As far as I am aware, you can't un-hash something. It simply goes against the idea of hashing. Are you sure you are not thinking about 'encrypting'? As with a symmetric or asymmetric key?
Are you trying to compare a password someone entered to the stored hash of their password? If so, then instead of trying to unhash the stored password, you just need to hash the password they enter and then compare the two hashes to see if they match.
You should not be able to reverse a hash - it is by definition a one-way function. You might be able to guess what the plaintext of an md5 hash is by using a rainbow table or brute force guessing but it is expensive and not really what you're looking for.