Well, let's get some terminolgy straight first, and that might help clear
things up :)
Encryption describes the act of applying a cipher to plain text, which
results in encrypted text (cipher text). You can then reverse the process to
get your original plain text.
A hash, on the other hand, has little to do with encryption directly
(meaning it's not an encryption cipher). A hash simply provides a calculated
value based on the input. Hashes have a number of properties:
1) The hash value is a given fixed size regardless of how much input you use
2) Using the same input will always result in the same hash value
3) It *should* be computationally infeasible to get the same hash value if
different input is used (this is not always guaranteed)
4) Hashes are one-way. You can't take a hash value and apply an algorithm to
retrieve the original input
Hashes are usually used as a message digest or message authentication code
to ensure content hasn't be tampered with (a hash before and after
transmission of data should provide the same results). However, for security
purposes as far as password storage goes, we run into a few snags.
First of all, since the same input always returns the same hash value, I can
take several hundred thousand words (and even some common funny spellings)
and create the hash value for all of them. I now have a dictionary. If i'm
able to get your hashed password list, I can compare them to my dictionary
and "lookup" the original text. This is one reason why strong passwords
(sequences of characters that are unlikely to be guessed in a dictionary
attack) are so important. But there are better ways to protect yourself.
There are indeed keyed hash algorithms, and the framework provides two of
them: HMACSHA1 and MACTripleDES. Because they require a key, a potential
attacker using a dictionary would have to create a dictionary for every
possible key value in a brute force dictionary attack. This ups the level of
security. The other thing you can do is salt is the input, as you've seen.
Finally, a big asset is to make sure you can prevent collisions (two input
values resulting in the same hash value). To do that, use the biggest hash
with the best algorithm. So far, I suspect that of all the non-keyed hashes
provided in the framework, SHA256 will be that algorithm. You don't have
"learn" how to use it, because all hash classes in the framework work the
same way. If you can use MD5, you can use SHA256. The only real difference
is that SHA256 will produce a longer hash value. Also note that, as you said
earlier, SHA and MD5 don't use keys.
-Rob
"PJones" <pj****@hotmail .com> wrote in message
news:uH******** ******@TK2MSFTN GP14.phx.gbl...
thanks Jim
seems like using the built in md5 stuff in .net along with some salt will
be good enough
maybe sha256 if I can find a good function for it
"Jim Hughes" <NO*********@Ho tmail.com> wrote in message
news:uk******** ******@tk2msftn gp13.phx.gbl... User supplies initial password
You create and store hash based on that password, you don't store the
original password and have no need to know what it actually was.
User tries to login and supplies password again.
You recreate hash using same function as before and compare hash to the
one you stored previously.
No key is required because you use the same hash function each time.
Keys are only necessary when you need to encrypt and then decrypt.
http://aspnet.4guysfromrolla.com/articles/112002-1.aspx has a good
article on password management with salt values.
"PJones" <pj****@hotmail .com> wrote in message
news:uP******** ******@TK2MSFTN GP09.phx.gbl...I am looking for the best way to one way encrypt a password for storage
ina database using (asp.net / vb.net)
basically I need some functions or examples that I can freely use in a
commercial project
anyone got any good functions or links I can look at ?
I was looking at MD5 hash .. the examples I saw confused me as I
didn't see a key ?
Does MD5 not used a key ?
I was also looking into SHA-1
I figure if I am going to do this I might as well make it a good as
possible within reason
any help or pointers is appretiated