one way password encryption

User supplies initial password
You create and store hash based on that password, you don't store the
original password and have no need to know what it actually was.

User tries to login and supplies password again.
You recreate hash using same function as before and compare hash to the one
you stored previously.

No key is required because you use the same hash function each time.

Keys are only necessary when you need to encrypt and then decrypt.

http://aspnet.4guysfromrolla.com/articles/112002-1.aspx has a good article
on password management with salt values.

"PJones" <pj****@hotmail .com> wrote in message
news:uP******** ******@TK2MSFTN GP09.phx.gbl...

I am looking for the best way to one way encrypt a password for storage in
a database using (asp.net / vb.net)
basically I need some functions or examples that I can freely use in a
commercial project

anyone got any good functions or links I can look at ?

I was looking at MD5 hash .. the examples I saw confused me as I didn't
see a key ?
Does MD5 not used a key ?

I was also looking into SHA-1

I figure if I am going to do this I might as well make it a good as
possible within reason

any help or pointers is appretiated

thanks Jim

seems like using the built in md5 stuff in .net along with some salt will be
good enough
maybe sha256 if I can find a good function for it


"Jim Hughes" <NO*********@Ho tmail.com> wrote in message
news:uk******** ******@tk2msftn gp13.phx.gbl...

User supplies initial password
You create and store hash based on that password, you don't store the
original password and have no need to know what it actually was.

User tries to login and supplies password again.
You recreate hash using same function as before and compare hash to the
one you stored previously.

No key is required because you use the same hash function each time.

Keys are only necessary when you need to encrypt and then decrypt.

http://aspnet.4guysfromrolla.com/articles/112002-1.aspx has a good article
on password management with salt values.

"PJones" <pj****@hotmail .com> wrote in message
news:uP******** ******@TK2MSFTN GP09.phx.gbl...

I am looking for the best way to one way encrypt a password for storage in
a database using (asp.net / vb.net)
basically I need some functions or examples that I can freely use in a
commercial project

anyone got any good functions or links I can look at ?

I was looking at MD5 hash .. the examples I saw confused me as I didn't
see a key ?
Does MD5 not used a key ?

I was also looking into SHA-1

I figure if I am going to do this I might as well make it a good as
possible within reason

any help or pointers is appretiated

Well, let's get some terminolgy straight first, and that might help clear
things up :)

Encryption describes the act of applying a cipher to plain text, which
results in encrypted text (cipher text). You can then reverse the process to
get your original plain text.

A hash, on the other hand, has little to do with encryption directly
(meaning it's not an encryption cipher). A hash simply provides a calculated
value based on the input. Hashes have a number of properties:
1) The hash value is a given fixed size regardless of how much input you use
2) Using the same input will always result in the same hash value
3) It *should* be computationally infeasible to get the same hash value if
different input is used (this is not always guaranteed)
4) Hashes are one-way. You can't take a hash value and apply an algorithm to
retrieve the original input

Hashes are usually used as a message digest or message authentication code
to ensure content hasn't be tampered with (a hash before and after
transmission of data should provide the same results). However, for security
purposes as far as password storage goes, we run into a few snags.
First of all, since the same input always returns the same hash value, I can
take several hundred thousand words (and even some common funny spellings)
and create the hash value for all of them. I now have a dictionary. If i'm
able to get your hashed password list, I can compare them to my dictionary
and "lookup" the original text. This is one reason why strong passwords
(sequences of characters that are unlikely to be guessed in a dictionary
attack) are so important. But there are better ways to protect yourself.
There are indeed keyed hash algorithms, and the framework provides two of
them: HMACSHA1 and MACTripleDES. Because they require a key, a potential
attacker using a dictionary would have to create a dictionary for every
possible key value in a brute force dictionary attack. This ups the level of
security. The other thing you can do is salt is the input, as you've seen.
Finally, a big asset is to make sure you can prevent collisions (two input
values resulting in the same hash value). To do that, use the biggest hash
with the best algorithm. So far, I suspect that of all the non-keyed hashes
provided in the framework, SHA256 will be that algorithm. You don't have
"learn" how to use it, because all hash classes in the framework work the
same way. If you can use MD5, you can use SHA256. The only real difference
is that SHA256 will produce a longer hash value. Also note that, as you said
earlier, SHA and MD5 don't use keys.

-Rob
"PJones" <pj****@hotmail .com> wrote in message
news:uH******** ******@TK2MSFTN GP14.phx.gbl...

thanks Jim

seems like using the built in md5 stuff in .net along with some salt will be good enough
maybe sha256 if I can find a good function for it


"Jim Hughes" <NO*********@Ho tmail.com> wrote in message
news:uk******** ******@tk2msftn gp13.phx.gbl...

User supplies initial password
You create and store hash based on that password, you don't store the
original password and have no need to know what it actually was.

User tries to login and supplies password again.
You recreate hash using same function as before and compare hash to the
one you stored previously.

No key is required because you use the same hash function each time.

Keys are only necessary when you need to encrypt and then decrypt.

http://aspnet.4guysfromrolla.com/articles/112002-1.aspx has a good article on password management with salt values.

"PJones" <pj****@hotmail .com> wrote in message
news:uP******** ******@TK2MSFTN GP09.phx.gbl...

I am looking for the best way to one way encrypt a password for storage ina database using (asp.net / vb.net)
basically I need some functions or examples that I can freely use in a
commercial project

anyone got any good functions or links I can look at ?

I was looking at MD5 hash .. the examples I saw confused me as I didn't see a key ?
Does MD5 not used a key ?

I was also looking into SHA-1

I figure if I am going to do this I might as well make it a good as
possible within reason

any help or pointers is appretiated

all very good info..

thank you rob for taking the time to explain in such detail

"Rob Teixeira" <RobTeixeira@@m sn.com> wrote in message
news:e6******** ******@TK2MSFTN GP15.phx.gbl...

Well, let's get some terminolgy straight first, and that might help clear
things up :)

Encryption describes the act of applying a cipher to plain text, which
results in encrypted text (cipher text). You can then reverse the process
to
get your original plain text.

A hash, on the other hand, has little to do with encryption directly
(meaning it's not an encryption cipher). A hash simply provides a
calculated
value based on the input. Hashes have a number of properties:
1) The hash value is a given fixed size regardless of how much input you
use
2) Using the same input will always result in the same hash value
3) It *should* be computationally infeasible to get the same hash value if
different input is used (this is not always guaranteed)
4) Hashes are one-way. You can't take a hash value and apply an algorithm
to
retrieve the original input

Hashes are usually used as a message digest or message authentication code
to ensure content hasn't be tampered with (a hash before and after
transmission of data should provide the same results). However, for
security
purposes as far as password storage goes, we run into a few snags.
First of all, since the same input always returns the same hash value, I
can
take several hundred thousand words (and even some common funny spellings)
and create the hash value for all of them. I now have a dictionary. If i'm
able to get your hashed password list, I can compare them to my dictionary
and "lookup" the original text. This is one reason why strong passwords
(sequences of characters that are unlikely to be guessed in a dictionary
attack) are so important. But there are better ways to protect yourself.
There are indeed keyed hash algorithms, and the framework provides two of
them: HMACSHA1 and MACTripleDES. Because they require a key, a potential
attacker using a dictionary would have to create a dictionary for every
possible key value in a brute force dictionary attack. This ups the level
of
security. The other thing you can do is salt is the input, as you've seen.
Finally, a big asset is to make sure you can prevent collisions (two input
values resulting in the same hash value). To do that, use the biggest hash
with the best algorithm. So far, I suspect that of all the non-keyed
hashes
provided in the framework, SHA256 will be that algorithm. You don't have
"learn" how to use it, because all hash classes in the framework work the
same way. If you can use MD5, you can use SHA256. The only real difference
is that SHA256 will produce a longer hash value. Also note that, as you
said
earlier, SHA and MD5 don't use keys.

-Rob
"PJones" <pj****@hotmail .com> wrote in message
news:uH******** ******@TK2MSFTN GP14.phx.gbl...

thanks Jim

seems like using the built in md5 stuff in .net along with some salt will

be

good enough
maybe sha256 if I can find a good function for it


"Jim Hughes" <NO*********@Ho tmail.com> wrote in message
news:uk******** ******@tk2msftn gp13.phx.gbl...

> User supplies initial password
> You create and store hash based on that password, you don't store the
> original password and have no need to know what it actually was.
>
> User tries to login and supplies password again.
> You recreate hash using same function as before and compare hash to the
> one you stored previously.
>
> No key is required because you use the same hash function each time.
>
> Keys are only necessary when you need to encrypt and then decrypt.
>
> http://aspnet.4guysfromrolla.com/articles/112002-1.aspx has a good article > on password management with salt values.
>
> "PJones" <pj****@hotmail .com> wrote in message
> news:uP******** ******@TK2MSFTN GP09.phx.gbl...
>>I am looking for the best way to one way encrypt a password for storage in >>a database using (asp.net / vb.net)
>> basically I need some functions or examples that I can freely use in a
>> commercial project
>>
>> anyone got any good functions or links I can look at ?
>>
>> I was looking at MD5 hash .. the examples I saw confused me as I didn't >> see a key ?
>> Does MD5 not used a key ?
>>
>> I was also looking into SHA-1
>>
>> I figure if I am going to do this I might as well make it a good as
>> possible within reason
>>
>> any help or pointers is appretiated
>>
>
>