String Encryption Help

I have had to create a simple string encryption program for coursework,
I have completed the task and now have to do a write up on how it could
be improved at a later date. If you could look through the code and
point me in the correct direction one would be very grateful.
>
Example Input : j1mb0jay
Example Output 1 :
rZHKZbYZWn/4UgL9mAjN2DUz7X/UpcpRxXM9SO1QkvkOe5nOPEKnZldpsB7uHUNZ
Example Output 2 :
8SFgIdt0K0GqOggOt5VUzRc+sVtgPPQJt5xen7WksC3SljaXC/H38pWpjZ37tHyY
Example Outout 3 :
an+RFZnhJpyv+UgdViO6SlZtPZ66DzZ1tGFifpq3QkHr9MX9O/JQkojuS2O0IYIG
>
As seen above I have used the time as a factor when creating the
passwords, so two users with the same password will not have the same
hash stored in the database.
>

j1mb0jay wrote:>
Some reflections:
>>a hashing algorithm and doesn't do any encryption at all.
>it. As you are using a hash, the string can not be decrypted into the
original string.

Random random = new Random();
int randomInt = (int) ( random.NextDouble() * 100 );

milli = milli + randomInt;
i = i + milli;
ePassword = ePassword + "-" + i.ToString();

milli += randomInt;
i += milli;
ePassword += ( "-" + i.ToString() );

>I have had to create a simple string encryption program for coursework, I
>have completed the task and now have to do a write up on how it could be
>improved at a later date. If you could look through the code and point me
>in the correct direction one would be very grateful.
>
Example Input : j1mb0jay
Example Output 1 :
rZHKZbYZWn/4UgL9mAjN2DUz7X/UpcpRxXM9SO1QkvkOe5nOPEKnZldpsB7uHUNZ
Example Output 2 :
8SFgIdt0K0GqOggOt5VUzRc+sVtgPPQJt5xen7WksC3SljaXC/H38pWpjZ37tHyY
Example Outout 3 :
an+RFZnhJpyv+UgdViO6SlZtPZ66DzZ1tGFifpq3QkHr9MX9O/JQkojuS2O0IYIG
>
As seen above I have used the time as a factor when creating the
passwords, so two users with the same password will not have the same hash
stored in the database.
>
public string JJEncryption(string password)
{
//Creates a random number generator.
Random random = new Random();
//Creates a random int.
double randomNo = random.NextDouble();
//Turns the double into a number that i can use.
double roundedRandomNo = randomNo * 100;
>
//Case the double into and int (loosing all decimal places)
int randomInt = (int)roundedRandomNo;
>
//Gets the current milli second.
int milli = DateTime.Now.Millisecond;
>
//Convert the milli second and the random int into a string and
add it to an empty string;
string ePassword = ConvertToBase64(milli.ToString()) + "-" +
ConvertToBase64(randomInt.ToString());
>
//Update the value of milli by adding the random number to it.
milli = milli + randomInt;
>
//Foreach character in the paratmeter string "password"
foreach (char c in password)
{
//Convert the letter into a number.
int i = Convert.ToInt32(c);
//Add the value of milli to the number representation of
the current letter.
i = i + milli;
//Add this as a string to the return string
ePassword = ePassword + "-" + i.ToString();
}
//Return the enrypted password.
ePassword = MD5Encrypt(ePassword, true);
return ePassword;
}
>
private string ConvertToBase64(string text)
{
try
{
byte[] enc = new byte[text.Length];
for (int i = 0; i < text.Length; i++)
{
enc[i] = System.Convert.ToByte(text[i]);
}
>
return System.Convert.ToBase64String(enc);
}
catch
{
}
>
return string.Empty;
}
>
//Helped from CodeProject.com
private string MD5Encrypt(string toEncrypt, bool useHashing)
{
byte[] keyArray;
byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);
>
// Get the key from config file
string key = ApplicationSettings.MeetySettings.Key;
//System.Windows.Forms.MessageBox.Show(key);
//If hashing use get hashcode regards to your key
if (useHashing)
{
MD5CryptoServiceProvider hashmd5 = new
MD5CryptoServiceProvider();
keyArray =
hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(key ));
//Always release the resources and flush data of the
Cryptographic service provide. Best Practice
>
hashmd5.Clear();
}
else
keyArray = UTF8Encoding.UTF8.GetBytes(key);
>
TripleDESCryptoServiceProvider tdes = new
TripleDESCryptoServiceProvider();
//set the secret key for the tripleDES algorithm
tdes.Key = keyArray;
//mode of operation. there are other 4 modes. We choose
ECB(Electronic code Book)
tdes.Mode = CipherMode.ECB;
//padding mode(if any extra byte added)
>
tdes.Padding = PaddingMode.PKCS7;
>
ICryptoTransform cTransform = tdes.CreateEncryptor();
//transform the specified region of bytes array to resultArray
byte[] resultArray =
cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
//Release resources held by TripleDes Encryptor
tdes.Clear();
//Return the encrypted data into unreadable string format
return Convert.ToBase64String(resultArray, 0,
resultArray.Length);
}
>
--
Regards JJ (UWA)
>
--
Regards JJ (UWA)

Hi... It looks a bit overly complex to me but I'll assume it is doing
what you intend. I'd make the suggestion that you simplify the
process where possible however. From the look of it many of the
interim values aren't really used anywhere (though I may have missed
it) so you can probably get your random integer var set this way.
>>
And the various additions and concatenations can use the += operator
so these:>
become:>
As Göran points out you may want to use a StringBuilder as well.
>
I guess if I had a question it would be is there slightly less
complicated way to get the non-matching hash if that is your goal? Do you
consider it more secure by virtue of the particular algorithm
used to adjust it?
>

>I have had to create a simple string encryption program for coursework, I
>have completed the task and now have to do a write up on how it could be
>improved at a later date. If you could look through the code and point me in
>the correct direction one would be very grateful.
>
>Example Input : j1mb0jay
>Example Output 1 :
>rZHKZbYZWn/4UgL9mAjN2DUz7X/UpcpRxXM9SO1QkvkOe5nOPEKnZldpsB7uHUNZ
>Example Output 2 :
>8SFgIdt0K0GqOggOt5VUzRc+sVtgPPQJt5xen7WksC3Slja XC/H38pWpjZ37tHyY
>Example Outout 3 :
>an+RFZnhJpyv+UgdViO6SlZtPZ66DzZ1tGFifpq3QkHr9MX 9O/JQkojuS2O0IYIG
>
>As seen above I have used the time as a factor when creating the passwords,
>so two users with the same password will not have the same hash stored in
>the database.
>
>public string JJEncryption(string password)
{
//Creates a random number generator.
Random random = new Random();

//Creates a random int.
double randomNo = random.NextDouble();
//Turns the double into a number that i can use.
double roundedRandomNo = randomNo * 100;
>
//Case the double into and int (loosing all decimal places)
int randomInt = (int)roundedRandomNo;
>
//Gets the current milli second.
int milli = DateTime.Now.Millisecond;
>
//Convert the milli second and the random int into a string and
>add it to an empty string;
string ePassword = ConvertToBase64(milli.ToString()) + "-" +
>ConvertToBase64(randomInt.ToString());
>
//Update the value of milli by adding the random number to it.
milli = milli + randomInt;
>
//Foreach character in the paratmeter string "password"
foreach (char c in password)
{
//Convert the letter into a number.
int i = Convert.ToInt32(c);
//Add the value of milli to the number representation of the
>current letter.
i = i + milli;
//Add this as a string to the return string
ePassword = ePassword + "-" + i.ToString();
}
//Return the enrypted password.
ePassword = MD5Encrypt(ePassword, true);
return ePassword;

}
>
>private string ConvertToBase64(string text)
{
try
{
byte[] enc = new byte[text.Length];
for (int i = 0; i < text.Length; i++)
{
enc[i] = System.Convert.ToByte(text[i]);
}
>
return System.Convert.ToBase64String(enc);
}
catch
{
}
>
return string.Empty;
}

>
>//Helped from CodeProject.com
>private string MD5Encrypt(string toEncrypt, bool useHashing)
{
byte[] keyArray;
byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);
>
// Get the key from config file
string key = ApplicationSettings.MeetySettings.Key;
//System.Windows.Forms.MessageBox.Show(key);
//If hashing use get hashcode regards to your key
if (useHashing)
{
MD5CryptoServiceProvider hashmd5 = new

>MD5CryptoServiceProvider();
keyArray =
>hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(ke y));
//Always release the resources and flush data of the
>Cryptographic service provide. Best Practice
>
hashmd5.Clear();
}
else
keyArray = UTF8Encoding.UTF8.GetBytes(key);
>
TripleDESCryptoServiceProvider tdes = new
>TripleDESCryptoServiceProvider();

//set the secret key for the tripleDES algorithm
tdes.Key = keyArray;
//mode of operation. there are other 4 modes. We choose
>ECB(Electronic code Book)
tdes.Mode = CipherMode.ECB;

//padding mode(if any extra byte added)
>
tdes.Padding = PaddingMode.PKCS7;
>
ICryptoTransform cTransform = tdes.CreateEncryptor();
//transform the specified region of bytes array to resultArray
byte[] resultArray =
>cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
//Release resources held by TripleDes Encryptor
tdes.Clear();
//Return the encrypted data into unreadable string format
return Convert.ToBase64String(resultArray, 0,
>resultArray.Length);
}
>
>--
>Regards JJ (UWA)

On Sun, 22 Apr 2007 13:54:55 +0100, "j1mb0jay" <jap6@aber.ac.uk>
wrote:
>Random is not cryptographically secure. For a cryptographically
secure PRNG use System.Security.Cryptography.RandomNumberGenerator
Alternatively, write your own - google 'Yarrow' or 'Fortuna' for
examples.
>
>Have a look at using System.Security.SecureString instead of a plain
string for holding a password.
>You can use Encoding.UTF8.GetBytes to convert a string to bytes.
>
>MD5 should not be used in new applicatins as it has some weaknesses.
Better to use SHA-256 or SHA-512.3DES should not be used except for backwards compatibility - its 64
bit blocksize is too small for safety. Use AES (=Rijndael) instead as
it uses 128 bit blocks.
>A bad choice. ECB mode leaks information. For a good illustration
(literally) see
http://en.wikipedia.org/wiki/Block_c...s_of_operation
>
You should use either CBC or CTR mode.
>
>
>

>Göran Andersson wrote:>
>I have the methods to turn it back into the orignal and i use them on my
>applications.
>Does this mean i am encrypting ?

>Thank you for the reply.

Göran Andersson wrote:>
I have the methods to turn it back into the orignal and i use them on my
applications.

Does this mean i am encrypting ?
>
Thank you for the reply.

:: Hashing is not encryption. MD5Encrypt is a misleading name, as MD5 is
a hashing algorithm and doesn't do any encryption at all.

Göran Andersson wrote:>
Some people call hashing "one way encryption".
>
Arne

Göran Andersson wrote:>
Some people call hashing "one way encryption".
>
Arne

>Arne Vajhøj wrote:>
>Yes. To be strictly correct one would say that hashing can be used as a
>one way encryption. The hashing algorithm still does hashing, not
>encryption. The difference is subtle, but one should be aware that
>hashing serves a different purpose than encryption, so not all hashing
>algorthms are well suited for one way encryption.

Random is not cryptographically secure. For a cryptographically
secure PRNG use System.Security.Cryptography.RandomNumberGenerator
Alternatively, write your own - google 'Yarrow' or 'Fortuna' for
examples.
>
>

>Have looked into the secure random Int32 and have come up with this.
>
public int CreateSecureRandomInt()
{
RNGCryptoServiceProvider random = new
>RNGCryptoServiceProvider();
byte[] randBytes = new byte[4];
random.GetNonZeroBytes(randBytes);

int i = (BitConverter.ToInt32(randBytes,0));

if (i < 0)
i += (i - (i * 2)) - i;

string s = i.ToString();
s = s.Substring(1, 1);
return (Int32.Parse(s));

}
>Is this what you ment ?
>Or have i gone of on a tanjant ?
>
>Still reading about the rest before i try and implerment as i have to have
>an understanding
>of the code to produce the required write up.

Ok just for you...... since im not planning on using it any where other
than coursework, heres the code to decrypt, try them !!
>
I assure you they work.
>
>
public string JJDycryption(string ePassword)
{
>
string nonB64password = MD5Decrypt(ePassword,true);
>
char[] splitter = { '-' };
>
string[] s = nonB64password.Split(splitter);
>
int milli = Convert.ToInt32(ConvertFromBase64(s[0]));
>
int ramdom = Convert.ToInt32(ConvertFromBase64(s[1]));
>
milli = milli + ramdom;
>
string password = string.Empty;
>
for (int index = 2; index < s.Length; index++)
>
{
>
int i = Convert.ToInt32(s[index]);
>
i = i - milli;
>
char c = Convert.ToChar(i);
>
password = password + c.ToString();
>
}
>
return password;
>
}
>
private string MD5Decrypt(string cipherString, bool useHashing)
{
byte[] keyArray;
//get the byte code of the string
>
byte[] toEncryptArray = Convert.FromBase64String(cipherString);
>
System.Configuration.AppSettingsReader settingsReader = new
AppSettingsReader();
//Get your key from config file to open the lock!
string key = ApplicationSettings.MeetySettings.Key;
>
if (useHashing)
{
//if hashing was used get the hash code with regards to
your key
MD5CryptoServiceProvider hashmd5 = new
MD5CryptoServiceProvider();
keyArray =
hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(key ));
//release any resource held by the MD5CryptoServiceProvider
>
hashmd5.Clear();
}
else
{
//if hashing was not implemented get the byte code of the
key
keyArray = UTF8Encoding.UTF8.GetBytes(key);
}
>
TripleDESCryptoServiceProvider tdes = new
TripleDESCryptoServiceProvider();
//set the secret key for the tripleDES algorithm
tdes.Key = keyArray;
//mode of operation. there are other 4 modes. We choose
ECB(Electronic code Book)
>
tdes.Mode = CipherMode.ECB;
//padding mode(if any extra byte added)
tdes.Padding = PaddingMode.PKCS7;
>
ICryptoTransform cTransform = tdes.CreateDecryptor();
byte[] resultArray =
cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
//Release resources held by TripleDes Encryptor
tdes.Clear();
//return the Clear decrypted TEXT
return UTF8Encoding.UTF8.GetString(resultArray);
}
>
private string ConvertFromBase64(string text)
{
string ret = string.Empty;
byte[] enc = System.Convert.FromBase64String(text);
for (int i = 0; i < enc.Length; i++)
{
ret += System.Convert.ToChar(enc[i]).ToString();
}
return ret;
}
>
Regards JJ (UWA)
>

Thank you very much for your help dont want to annoy you to much.
>
I have changed the requested... and hopefully this is what you ment.
>
private int CreateSecureRandomInt()
{
RNGCryptoServiceProvider random = new
RNGCryptoServiceProvider();
byte[] randBytes = new byte[4];
random.GetBytes(randBytes);
int i = (BitConverter.ToInt32(randBytes,0));
randBytes = null;
>
if (i < 0)
CreateSecureRandomInt();
>
while (i 10)
{
i = i / 10;
}
>
return i;
}
>
I will work on the rest of the "fixes" over the next few days and will
post back.
>
I tried replacing this ...
tdes.Mode = CipherMode.ECB;
>
with...
tdes.Mode = CipherMode.CBC;
>
But it seems to output characters which can not be converted to base64,
which would mean a big change.
I need to do some more reading.
>
Once again thanks
>
Regards JJ (UWA)

Arne Vajhøj wrote:>
As i just posted above this is not one way !!! So does this mean i am
encrypting.

>Thank you very much for your help dont want to annoy you to much.
>
>I have changed the requested... and hopefully this is what you ment.
>
private int CreateSecureRandomInt()
{
RNGCryptoServiceProvider random = new
>RNGCryptoServiceProvider();
byte[] randBytes = new byte[4];
random.GetBytes(randBytes);
int i = (BitConverter.ToInt32(randBytes,0));
randBytes = null;
>
if (i < 0)
CreateSecureRandomInt();

>
while (i 10)
{
i = i / 10;
}
>
return i;
}

>I will work on the rest of the "fixes" over the next few days and will post
>back.
>
>I tried replacing this ...
>tdes.Mode = CipherMode.ECB;
>
>with...
>tdes.Mode = CipherMode.CBC;
>
>But it seems to output characters which can not be converted to base64,

>which would mean a big change.
>I need to do some more reading.
>
>Once again thanks
>
>Regards JJ (UWA)

>
I ran some tests on your code as written. The results were not good:
>

>rossum wrote:>
>If you called the method from a loop, you will be creating a lot of
>random generators in a short time. As the system time is used to create
>the initial seed in the random generator, this will of course give bad
>randomness.
>
>If you are going to create more than one random number, you should
>create one random generator, and use that to create all the random numbers.