Hashing with Cryptography and SHA in C#
Disclaimer: Security is a very important aspect, not only for a computer system, but for an entire organization and/or company. Different types of organizations store different types of data, which have different security requirements. My suggestion is to always consult a security expert with experience in your domain prior to implementing a security solution.

That being said, this article covers one of many security flaws that should be avoided, or fixed, when you design a system or want to improve its security. I have seen many systems that store login id and password in plain text in the database. They rely on the security of the DBMS to protect the integrity of their systems. Big mistake! If administrator access, or any access with read rights on the table where the passwords are stored, is granted or obtained, you have immediately lost control of your system: anyone holding that table can log in as any user, and you no longer really know who is doing what. Therefore, never store anything in your database in plain text that you don't want seen by everyone.

Here is a simple example of how to hash a value with SHA512 using the .NET cryptography classes. The method returns the 64-byte digest as a 128-character lowercase hex string.

using System;
using System.Security.Cryptography;
using System.Text;

public static string hashSHA512(string unhashedValue)
{
    // UTF-8 rather than ASCII, so non-ASCII characters in a password are
    // not all collapsed to '?' before hashing (ASCII and UTF-8 agree on
    // ASCII-only input such as the example password below).
    byte[] input = Encoding.UTF8.GetBytes(unhashedValue);

    // SHA512.Create() replaces the obsolete SHA512Managed; dispose it when done.
    using (SHA512 sha = SHA512.Create())
    {
        byte[] hash = sha.ComputeHash(input);
        StringBuilder stringBuilder = new StringBuilder(hash.Length * 2);
        foreach (byte b in hash)
        {
            stringBuilder.AppendFormat("{0:x2}", b);
        }
        return stringBuilder.ToString();
    }
}

This method uses the .NET cryptography libraries to hash a string. Note that hashing is one-way: there is no key and nothing to decrypt, which is what makes it suitable here. You could call this method during the creation of a user on your system, so that the password is stored on the database as its hash rather than in plain text. I would even go so far as to hash and store the login id too. No need to give away 50% of the information when you don't need to.

Then, at login, you can call a method similar to this one.

public static bool Validate(string enteredValue, string hashedValue)
{
    // Hash what the user typed the same way and compare it with the
    // hash that was stored when the account was created.
    return hashSHA512(enteredValue) == hashedValue;
}

The enteredValue is what the user typed (the password, or the login id if you hash that too), and the hashedValue is the data stored on the database. If the hash of the entered value equals the hash stored on the database, you can be reasonably certain that the person being authenticated holds the proper credential. NOTE: if you send the login id and password across the network or the internet, use SSL/TLS. Hashing on the client side is not a substitute for it: whatever the client sends then becomes the credential, and anyone who can read the traffic can simply replay it.

The SHA512 hash of this (good) password, L0!g&cd9wTn7, is:

667a9094d22f011704c26310e188f4be6bdaf6b20dc8767b3e27ff20899b78de9ee52a1cb4e078055de819734cdbe60ca7ef71590d277c48c367430240b27655

which is the value that would be stored on the database. SHA512 cannot be run backwards, so the hash by itself does not reveal the password. That is not the whole story, though: someone who obtains the hash can compute SHA512 of billions of candidate passwords per second offline and compare each result against it, and because the value above has no salt, the same password always hashes to the same string, so precomputed tables work across every user and every system. Weak or reused passwords fall quickly this way. For passwords specifically, store a random per-user salt next to the hash and use a deliberately slow, iterated function such as PBKDF2 (Rfc2898DeriveBytes in .NET), bcrypt, scrypt or Argon2. A plain SHA512 is fine for checking the integrity of data; it is not, on its own, adequate for password storage.
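
The same create-then-verify flow, rewritten with a per-user salt, a slow iterated hash and a constant-time comparison, as an added example that is not part of the original article. It uses PBKDF2-HMAC-SHA512 through Rfc2898DeriveBytes.Pbkdf2 and assumes .NET 6 or later; the PasswordHasher class, the stored-string format and the iteration count are choices made here for illustration, not anything from the article.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the article's code): salted, iterated password hashing
// with PBKDF2-HMAC-SHA512 in place of a bare SHA512 of the password.
// Assumes .NET 6 or later for Rfc2898DeriveBytes.Pbkdf2 and
// RandomNumberGenerator.GetBytes.
public static class PasswordHasher
{
    // Work factor chosen for this example; raise it as hardware gets faster.
    // It is stored with the hash so old records still verify after a change.
    private const int DefaultIterations = 600_000;
    private const int SaltSize = 16;   // bytes of random salt per user
    private const int HashSize = 32;   // bytes of derived key to store

    // Returns "pbkdf2-sha512$<iterations>$<salt base64>$<hash base64>",
    // the value to store in the database instead of the password.
    public static string Hash(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA512, HashSize);
        return string.Join('$', "pbkdf2-sha512", iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derives the hash from the stored salt and iteration count and
    // compares in constant time, so a mismatch does not leak how many
    // leading bytes matched. Malformed stored values are rejected, never
    // treated as a match.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha512") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false;
        }

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA512, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // User creation: store this string, not the password.
        string stored = Hash("L0!g&cd9wTn7");
        Console.WriteLine(stored);

        // Login: correct password, wrong password, and a tampered record.
        Console.WriteLine(Verify("L0!g&cd9wTn7", stored));
        Console.WriteLine(Verify("L0!g&cd9wTn8", stored));
        Console.WriteLine(Verify("L0!g&cd9wTn7", "not-a-valid-record"));

        // A second user with the same password gets a different stored value,
        // because each call draws a fresh salt.
        Console.WriteLine(Hash("L0!g&cd9wTn7") == stored);
    }
}
```

Running Main prints the stored record, then the three verification results (only the first is a match), and finally False for the comparison of two records made from the same password. That last line is the point of the salt: an attacker can no longer precompute one table and reuse it across users, and the iteration count makes each guess cost a few hundred thousand SHA512 calls instead of one. Tune the count so a single verification takes tens of milliseconds on your login servers, and keep it in the stored record so that raising it later does not break existing accounts.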