How can I decrypt HMAC SHA256 encrypted string?
private string CreateToken(string message, string secret)
{
secret = secret ?? "";
var encoding = new System.Text.ASCIIEncoding();
byte[] keyByte = encoding.GetBytes(secret);
byte[] messageBytes = encoding.GetBytes(message);
using (var hmacsha256 = new HMACSHA256(keyByte))
{
byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
return Convert.ToBase64String(hashmessage);
}
}
How can I do reverse engineering if I have resultant string?
Thanks in advance.
A hash is a one-way function, by definition it is not reversible. What is it that you are trying to achieve?
If it's for something like password comparison then just hash the password you have and then compare the resulting hashes. Without any further context it's hard what to suggest.
HMACSHA256: It is a hash based Message authentication code.It is used to verify the message integrity on the insecure channel.It is a forward only hash algorithm, it can not be decrypted. It hashes the message based on the shared secret key which is known by both parties(sender and receiver).Sender uses the shared secret and compute the hash value from original data and send both the original data and hash value and then receiver re-computes the hash value from the original data. If both hash value matches it means no tempered in original data, if not matched it means tempered in original data for this scenario validation is failed.
Related
I need to validate (not decrypt) a password created in Symfony 2 in C#.
An existing application built in Symfony 2 is being rewritten in C#. The security token is stored in a local database.
The current Symfony password settings are
security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext
API\CoreEntityBundle\Entity\User:
algorithm: sha512
iterations: 512
encode_as_base64: true
How can I reliably hash the given password and compare against the stored token to determine if the password supplied is correct?
If your password is salted: Concatenate the password with the "{salt}" (such that "EncodedPassword{SaltUsed}" is the final string), store in salted. If it's not just store the password in salted.
Hash salted using sha512, store in digest
Repeat iterations - 1 times (511 in your case):
Concatenate digest and salted
Hash concatenation using sha512, store result in digest for next iteration
Base64 Encode the final digest.
You can also take a look at Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder for the implementation.
This is a working version.
string CalculateHash(string plain, string salt)
{
var salted = $"{plain}{{{salt}}}";
var saltedBytes = Encoding.UTF8.GetBytes(salted);
using (var sha512 = SHA512.Create())
{
var digest = sha512.ComputeHash(saltedBytes);
var outputBytes = new byte[digest.Length + saltedBytes.Length];
for (var iteration = 1; iteration < 512; iteration++)
{
Buffer.BlockCopy(digest, 0, outputBytes, 0, digest.Length);
Buffer.BlockCopy(saltedBytes, 0, outputBytes, digest.Length, saltedBytes.Length);
digest = sha512.ComputeHash(outputBytes);
}
var result = Convert.ToBase64String(digest);
return result;
}
i implement AES 256 bit algorithm in C# but i am encrypting 128bit block of plain text which require padding so i dont want to pad and want use to stream cipher
use stream cipher instead of using 128 bit block
encrypt stream byte by byte
CryptLib _crypt = new CryptLib();
//string plainText = "This is the text to be encrypted";
String iv = CryptLib.GenerateRandomIV(16); //16 bytes = 128 bits
string key = CryptLib.getHashSha256("my secret key", 31); //32 bytes = 256 bits
MessageBox.Show(arm);//////////////////////
String cypherText = _crypt.encrypt(string1, key, iv);
Console.WriteLine("iv=" + iv);
Console.WriteLine("key=" + key);
Console.WriteLine("Cypher text=" + cypherText);
MessageBox.Show(cypherText);
textBox1.Text = cypherText;
Console.WriteLine("Plain text =" + _crypt.decrypt(cypherText, key, iv));
MessageBox.Show(_crypt.decrypt(cypherText, key, iv));
String dypher = _crypt.decrypt(cypherText, key, iv);
string outp = string.Empty;
char[] value = dypher.ToCharArray();
If the input data is always an exact multiple of the block size you can just specify no padding.
if you have data of unknown non-uniform block lengths padding is the general way to handle that.
Why do you not want to use padding.
Additionally:
It is common to prefix the encrypted data with the IV for use during decryption. The IV does not need to be secret and with this method the IV does not need to be shared in some other way and can easily be a different random value for each encryption.
Deriving a key from a password (string) with a hash function is not considered secure, instead use a key derivarion function such as PBKDF2.
I am new in C# wpf programming but I am trying to connect to MySQL database and to hash my password. Unfortunately while I was implementing the algorith I get error in this code:
byte[] plainTextWithSaltBytes = new byte[plainTextBytes.Length + saltBytes.Length];
salt.CopyTo(plainTextWithSaltBytes, 0);
plainText.CopyTo(plainTextWithSaltBytes, salt.Length);
The error is:
Error: no overload for method 'Copy To' takes 2 arguments Exceptions: System.ArgumentNullException System.ArgumentOutOfRangeException
enter code here
By any chance do you know what is causing this errors and how to fix it?
You need to copy plainTextBytes, not plainText:
byte[] plainTextWithSaltBytes = new byte[plainTextBytes.Length + saltBytes.Length];
salt.CopyTo(plainTextWithSaltBytes, 0);
plainTextBytes.CopyTo(plainTextWithSaltBytes, salt.Length);
If you need to do simple hash, this bit of code may encrypt your password:
String GetEncryptedPassword (String prmUser, String prmPassword)
{
// Concatenating the password and user name.
String encryptedPassword = prmUserName + prmPassword;
// Converting into the stream of bytes.
Byte[] passInBytes = Encoding.UTF8.GetBytes(encryptedPassword);
// Encrypting using SHA1 encryption algorithm.
passInBytes = SHA1.Create().ComputeHash(passInBytes);
// Formatting every byte into %03d to make a fixed length 60 string.
return passInBytes.Aggregate(String.Empty, (pass, iter) => pass += String.Format("{0:000}", iter));
}
This code will give you a nice encrypted hash of 60 characters. But remember that you can't regenerate your original username and password from the hash, because this is a one way algorithm. There are few more encryption algorithms in System.Security.Cryptography that you can use.
I have created a web form in c# that accepts username and password and stores password in MSSQL 2005 db in 'image' format. The password is merged with salt, encoded in UTF8 and lastly it is applied with a SHA512 encryption. I want to be able to see the passwords in string format when I pull them up back from the database. How should my decrypt function be, if the following is how I encrypted the password? Is that possible? :
string loginID = "";//This will be stored in varchar format in MSSQL..(Unrelated to the question)
string password =""; //This is where I store password inputted by user.
Random r = new Random();
int salt = r.Next((int)Math.Pow(2, 16));
int verifyCode = r.Next((int)Math.Pow(2, 16));
string tmpPwd = password.ToLower() + salt.ToString();
UTF8Encoding textConverter = new UTF8Encoding();
byte[] passBytes = textConverter.GetBytes(tmpPwd);
byte[] hashedPWD = new SHA512Managed().ComputeHash(passBytes);
The value in hashedPWD is stored in MSSQL as image datatype and salt is stored as int.
You can't - that's what a hash function is, by definition - a one-way function. Up until the last line, you can get the password back, but after the hash function, all you can do is generate a second hash and compare the two to see if they've produced the same result, in which case you can presume that the source strings were the same.
I am doing md-5 hashing in both android and c# at the same time. But both the results should be the same for the same inputs. Is there any difference in the way its done in both the languages?
I get different outputs in both the cases. Here is the c# code for md-5 calculation:
//this method hashes the values sent to it using MD5
public static String hashwithmd5(String toHashMD5)
{
byte[] keyArray;
MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(toHashMD5));
hashmd5.Clear();
return Convert.ToBase64String(keyArray, 0, keyArray.Length);
}
and here is the code for md5 in android using bouncycastle
public byte[] Hashing(String toHash) throws Exception{
byte[] hashBytes = toHash.getBytes("UTF-8");
EditText et = (EditText) findViewById(R.id.entry);
org.bouncycastle.crypto.digests.MD5Digest digest = new org.bouncycastle.crypto.digests.MD5Digest();
digest.reset();
digest.update(hashBytes, 0, hashBytes.length);
int length = digest.getDigestSize();
byte[] md5 = new byte[length];
digest.doFinal(md5, 0);
et.setText(md5.toString());
return md5;
}
the result of md5 in c# is :XUFAKrxLKna5cZ2REBfFkg==
the result of md5 in android is :[B#4053cf40
The C# code converts the hash to Base64, the java code does not. If you convert both raw hashes to e.g. hex strings, they'll be the same.
When you use this in Java:
byte[] md5 = new byte[length];
// ...
md5.toString()
you are not getting a representation of the byte values. You get the generic "string representation" of an object. Here, [B#4053cf40 basically means "array of bytes (that's for the '[B') which internally happens to be at address 4053cf40".
Use android.util.Base64 to convert your bytes to a Base64 encoded string.
#erik is correct. MD5 is no longer considered a "secure" hash; use SHA-256.
Erik is absolutely right. MD5 usage is near extinction, use any strong SHA