This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What algorithm should I use to hash passwords into my database?
I am new to this hashing on password. I read the hashing + salt make passwords really safe. But still confused which hashing algorithm should I use as there are many like.
MD5CryptoServiceProvider
SHA1Managed
SHA256Managedetc.
How can I decide which one is good for me or all are equal. Can I pick up anyone blindly?
MD5:
In 1996, a flaw was found with the design of MD5, and while it was
not a clearly fatal weakness, cryptographers began recommending the
use of other algorithms, such as SHA-1—which has since been found to
be vulnerable as well.
SHA1:
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the
algorithm might not be secure enough for ongoing use
SHA2 which SHA256 is a type of does not have a known vulnerability as of the moment of writing.
Fast hash algorithms like MD5, SHA-1 or even SHA-256 are not good choices to hash passwords, because they are much too fast and can be brute-forced too easily. One can calculate about 3 Giga SHA-1 values per second with common hardware in 2013.
Instead you can use a slow key-derivation function like BCrypt or PBKDF2. CSharp has native support for PBKDF2, it can be implemented with the Rfc2898DeriveBytes class, an example you can find here.
Also easy to use is this BCrypt library. Often people are not sure if it is safe to use such libraries, but i don't think there are arguments against using it. As long as the library returns the correct value and generates the salt correctly, it should be fine, because the security comes from the algorithm and not from the implementation.
MD5 is considered crackable. SHA1 is good but maybe crackable. SHA256 is good.
https://security.stackexchange.com/questions/5586/why-do-people-think-that-this-is-bad-way-to-hash-passwords
SHA1 vs md5 vs SHA256: which to use for a PHP login?
Is SHA-1 secure for password storage?
Related
This question already has answers here:
Decrypt from SHA256
(3 answers)
Closed 8 months ago.
How can I decode SHA256 in c#?
I tested an online SHA256 Decrypt website and it worked.
Is it possible in c#?
https://10015.io/tools/sha256-encrypt-decrypt
On the website we can read
SHA256 is a hashing algorithm. There is no direct method for SHA256 decryption. SHA256 is decrypted by using Trial & Error methodology. It may take some time if either the text that will be decrypted or the character set that will be used for decryption is long.
Basically a hash function (such as sha256) is irreversible. You cannot retrieve the inputs given a hash (that's why it's widely used for security purposes).
In order to perform a "decryption", you only have one way to go : guess and check. That what the website does [...] SHA256 is decrypted by using Trial & Error methodology [..].
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I need to create an encryption class that does not accept special characters,that uses letters and numbers only.
Does anyone have one or can you help me develop it?
You don't need to create a separate encryption algorithm to do this. Just use the following regex to validate your input:
[A-Za-z0-9]+
This will validate that the input only contains alphanumeric charactrs. After that, you can perform whatever encryption you want.
So, basically, you could have a class like the following (and I'm mixing C# and pseudocode here):
public class Encryption {
private readonly Regex regex = new Regex("[A-Za-z0-9]+");
public string Encrypt(string toEncrypt) {
if (toEncrypt == null)
throw new ArgumentNullException("toEncrypt");
// This check is very important
// If toEncrypt contains non-alphanumeric characters, is an empty string, or consists only of whitespace don't accept it
if (!regex.IsMatch(toEncrypt))
throw new ArgumentException("String is not alphanumeric");
// Obviously pseudocode
// Replace this line with a call to AES, 3DES, Twofish, Caesar Cipher, or whatever encryption algorithm you want
return EncryptionAlgorithm.Encrypt(toEncrypt, whateverKey);
}
}
The term "encryption" is actually pretty vague in this case. If you're looking for "serious" encryption, you probably want to use either Twofish or the Advanced Encryption Standard (AES); both are highly secure at this point and have good library support, but AES is somewhat better studied. The other AES contest finalists (such as Serpent) are also highly secure, but they tend not to be studied as thoroughly or have as good of library support as Twofish and AES. Unless you have a good reason to use Twofish or one of the other AES contest finalists instead of AES, it's probably better to just use AES.
I say "highly secure at this point" because security's intrinsically relative to current technology; for example, public-key cryptography would be broken by quantum computers. DES was considered secure until hardware became fast enough to brute-force it. (In fact, it's still considered relatively secure against other kinds of attacks, such as differential crypanalysis).
Note that if you're serious about security it's rarely a good idea to try to design your own algorithm.
There are also classical ciphers like the Caesar Cipher available. You should only use these if you don't care about security at all as they're all badly broken at this point. They aren't built into the .NET framework but most of them are pretty easy to implement yourself.
Encryption produces binary output, not characters, if you need a character representation use Base64 or hexadecimal encoding.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I'm looking for the Lua or C equivalent to the .NET method System.Web.Helpers.Crypto.VerifyHashedPassword. The issue I'm solving for is the password hash being created by a .NET application but need to have a Lua application handle the authentication.
The source for the .NET class is available here but it seems this will get fairly deep and difficult quickly to rebuild in either Lua or C.
Existing crypto libraries in Lua didn't appear to solve this issue.
Any help is appreciated!
I don't think there's an exact equivalent implementation available for Lua. From looking at the C# implementation it's well documented so it shouldn't be too hard to port the implementation over to Lua or C.
The good news is that the crypto primitives used in the .NET implementation is available so you don't need to rewrite those parts. In particular, you'll need:
PBKDF2 key derivation function from rfc2898.
SHA1 used by PBKDF2 as the underlying hashing function. Depending on your requirements you may want SHA256 in there too but PBKDF2 itself is designed to be hash function agnostic. SHA1 is the default used if going by rfc2898 specs.
Base32/64 encoding decoding functions. From looking at the source the hashedPassword is expected to be in base64.
Also pay attention to this important comment:
/* =======================
* HASHED PASSWORD FORMATS
* =======================
*
* Version 0:
* PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
* Format: { 0x00, salt, subkey }
*/
Now there are a couple of PBKDF2 lua implementations out there:
https://github.com/moteus/lua-bgcrypto-sha/blob/master/src/lua/pbkdf2.lua
https://github.com/bungle/lua-resty-nettle/blob/master/lib/resty/nettle/pbkdf2.lua
For base encoding utilities check out https://github.com/aiq/basexx for a pure lua implementation.
The framework you linked does provide some rudimentary test vectors in the crypto unittest here. You can use that to test your own implementation to make sure it has the same behavior.
I did write my own PBKDF2 implementation in pure lua as an exercise in wifi WPA cracking. If you're interested in it, I can share it.
Take any library/code/whatever, say, https://www.gnu.org/software/libc/manual/html_node/crypt.html (the first result on google for 'c md5 library') Then simply hash the input password (important: same hash alg as the password is encrypted with. Probably an md5, as I guessed above - if it's not md_5 - well, you have the source code to it, figure out what alg it is) and compare the byte arrays - if they exactly match, then the password is either correct or a collision at least - if they don't exactly match, the password is wrong.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to store password in database
does anyone know a way to secure a password that the user is creating on the site which is then saved in a database table?
The passwords are currently stored as Plain text, I know..I Know!
Thanks
The standard answer goes like this:
Do not store passwords in clear text. Store hashed versions of passwords. When you hash passwords - choose appropriate hashing algorithm and use unique salt values as well.
http://www.troyhunt.com/2011/06/owasp-top-10-for-net-developers-part-7.html
Also PLEASE read this.
http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
Some hashing algorythms are too fast (or too easy to break using modern computing power). Use password hashing algoritms (like scrypt).
Salt the password using a per-record salt (i.e. all users use a different salt based on some piece of user information). Than take this salted password and hash it using some hashing algorithm such as an SHA hash.
See for example Hash and salt passwords in C#
You can secure a password by hashing it
You can hash it using md5 encrypt.
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
How to encrypt a string in .NET?
Which one is the most excellent and toughest encryption for String type data in C#..
That really depends on your exact requirements.
Most modern encryption algorithms are probably more than strong enough for your needs if you use them properly.
The weak point in your system will not be the encryption algorithm itself. Almost every other aspect of your setup will be more vulnerable to attack than the algorithm.
My primary answer is "it depends upon what you're doing with that string". This question (and answers) will guide you...
.NET Secure Memory Structures
... but it depends if you're encyrpting/security that string in memory, how you're persisting it, how you intend using that string and how you intend disposing of it.
These SO questions touch on these topics too..
How to encrypt a string in .NET?
What's the best way to encrypt short strings in .NET?
... and contain useful links.
That would be a one-time pad. If correctly implemented it's been proved to be impossible to crack but an OTP is most probably not a viable option for you.
RSA encryption is very secure and .NET supports it. But since asymmetric encryption is only designed for encrypting data smaller than it's key size it's often not a great choice for encryption of arbitrary strings. That leads us to block ciphers and among those I would recommend AES.