Hashing with Cryptography and SHA in C#

Disclaimer: Security is a very important aspect, not only for a computer system, but for an entire organization and/or company. Different types of organizations store different types of data which have different types of security requirements. My suggestion is to always consult a security expert with experience in your domain prior to implementing a security solution.

That being said, this article will cover one of many security flaws that should be avoided when you design your system, or fixed when you set out to improve its security. I have seen many systems that store the login id and password in plain text in the database. They rely on the security of the DBMS to protect the integrity of their systems. Big mistake! If administrator access, or any access with read permission on the table where the passwords are stored, is granted, you have immediately lost control and integrity of your system. You no longer really know who is doing what on your system. Therefore, you should never store anything in your database in plain text that you don’t want seen by everyone.

Here is a simple example of how to hash a value using SHA512.

[sourcecode language="csharp" padlinenumbers="true"]
using System.Security.Cryptography;
using System.Text;

public static string hashSHA512(string unhashedValue)
{
    // UTF-8 rather than ASCII, so characters outside ASCII are not all collapsed to '?';
    // for an all-ASCII input both encodings give the same bytes and therefore the same hash.
    byte[] input = Encoding.UTF8.GetBytes(unhashedValue);
    byte[] hash;
    using (SHA512 shaM = SHA512.Create())   // the hash object is disposed after use
    {
        hash = shaM.ComputeHash(input);
    }

    // Render the 64-byte digest as 128 lowercase hex characters.
    StringBuilder stringBuilder = new StringBuilder(hash.Length * 2);
    foreach (byte b in hash)
    {
        stringBuilder.AppendFormat("{0:x2}", b);
    }
    return stringBuilder.ToString();
}
[/sourcecode]

This method uses the .NET cryptography libraries to hash a string. You could call it during the creation of a user on your system: the value, for example a password, would then be stored in the database as its hash rather than in plain text. I would even go so far as to hash and store the login id too. No need to give away 50% of the information when you don’t need to.

Then, at login you can call a method similar to this one.

[sourcecode language="csharp"]
public static bool Validate(string enteredValue, string hashedValue)
{
    // Hash what the user entered and compare it with the hash that was stored.
    return hashSHA512(enteredValue) == hashedValue;
}
[/sourcecode]

The enteredValue is the login id entered by the user; the hashedValue is the data stored in the database. If the hash of the entered value equals the hash stored in the database, you can be relatively certain that the person being authenticated holds the proper credential. NOTE: If you send the login id and password across the network or the internet, be certain to use SSL or to hash on the client side.

The SHA512 hash of this good password, L0!g&cd9wTn7, is:

667a9094d22f011704c26310e188f4be6bdaf6b20dc8767b3e27ff20899b78de9ee52a1cb4e078055de819734cdbe60ca7ef71590d277c48c367430240b27655

which is the value that would be stored in the database. If someone is able to get that value, there is no way for them to translate it back into my original password. That holds only for inverting the hash itself: someone holding the stored value can still hash candidate passwords one by one and compare the results, which is why, in practice, each stored hash should also carry a per-user random salt and be computed with a deliberately slow hash function.
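The same create-and-validate flow, as an added example that is not part of the article's code, hardened against the guessing just described: a random salt per user, a slow key derivation (PBKDF2 over SHA512) and a constant-time comparison. It assumes .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals), and the "iterations.salt.key" record layout is this example's own choice.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the article's code. Assumes .NET Core 2.1 or later.
// The stored record layout "iterations.salt.key" (Base64 fields) is this example's own.
public static class SaltedPasswordStore
{
    const int SaltBytes = 16;
    const int KeyBytes = 64;          // 512-bit output, same size as the article's SHA512 hash
    const int Iterations = 210000;    // deliberately slow; tune to your hardware

    // Returns everything needed to re-check a login later: iterations, salt and derived key.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);  // fresh salt per user
        byte[] key = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool Validate(string enteredValue, string storedRecord)
    {
        string[] parts = storedRecord.Split('.');   // Base64 never contains '.', so this is safe
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(enteredValue, salt, iterations);
        // Constant-time compare: a plain == on strings stops at the first differing byte.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2 over SHA512; the password is UTF-8 encoded internally, so non-ASCII characters survive.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA512))
        {
            return kdf.GetBytes(KeyBytes);
        }
    }

    public static void Main()
    {
        string record = HashPassword("L0!g&cd9wTn7");   // the article's sample password
        Console.WriteLine(record);
        Console.WriteLine("correct password accepted: " + Validate("L0!g&cd9wTn7", record));
        Console.WriteLine("wrong password accepted:   " + Validate("l0!g&cd9wTn7", record));
    }
}
```

Because the salt is random, hashing the same password twice yields two different records, and both still validate.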
