Introduction
This article describes how to use an MD5 class library I have written for .NET.
MD5 is recommended to be used in the following manner:
Encrypting
1. Generate a Random "Salt" Value
2. Merge the string to encrypt with the "Salt"
3. MD5 the merged string
4. Save the MD5 Hash in one location and the Salt in another, usually a separate "Table" in your DBMS (Database Management System)
Testing
1. Locate the saved "Salt"
2. Merge the string and the saved "Salt"
3. MD5 the merged string
4. Test the new MD5 hash against the saved one; if they match, allow access to whatever you were protecting.
Background
I chose to write this class library because all the articles and recommendations I found, and everything I was told at MSDN events, recommended storing this Salt in a DBMS. I was writing an ASP.NET application where I wanted to use XML files to store usernames and passwords. Storing Salts in the same XML file isn't recommended, but I also didn't think it was secure to store them "plainly" in any XML file. I decided to write a class that would generate the salt, merge it with the string, hash the merged string with MD5, place the salt at a RANDOM location in the hash, and save the hash. This allows me to store the HASH in one XML file and makes the Salt far more secure, since it first has to be found in the HASH string, which is very difficult to do. Also, since the HASH string looks so similar to regular MD5 HASH strings, it is hard to tell when this method is actually being used.
Using the code
Since the code is distributed as a Class Library, it is very easy to use.
Steps to using this class library:
1. Download the package
2. Extract it to your HD
3. Right-click References in the VS.NET IDE (Solution Explorer) and choose "Add Reference"
4. Add code similar to the following:
Imports IST.DataHash

' Hash the text box contents; the label receives the 38-character stored form
' (MD5 hex with the salt and its address embedded).
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim hasher As New MD5
    lblEncString.Text = hasher.Encrypt(txtEncrypt.Text)
End Sub

' Verify returns a Boolean, so convert it explicitly before assigning it to a String property.
Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
    Dim hasher As New MD5
    lblDecString.Text = hasher.Verify(txtEncrypt.Text, lblEncString.Text).ToString()
End Sub
The assembly is also strong-name signed so that it can be added to the GAC.
Source Code
Imports System.Security.Cryptography
Imports System.Text

Namespace DataHash
    Public Class MD5
        Private Encoder As New UTF8Encoding
        Private MD5Hasher As New MD5CryptoServiceProvider

        ' MD5 of (Text & Salt) as the 32 upper-case hex characters that are stored and compared.
        Private Function HashHex(ByVal Text As String, ByVal Salt As String) As String
            Dim Bytes() As Byte = MD5Hasher.ComputeHash(Encoder.GetBytes(Text & Salt))
            Return BitConverter.ToString(Bytes).Replace("-", "")
        End Function

        ' Returns the hex hash with a four-digit salt inserted at a random position (4..31)
        ' and that position, zero-padded to two digits, inserted at offset 3.
        ' The result is always 38 characters long.
        Public Function Encrypt(ByVal EncString As String) As String
            Dim RanGen As New Random   ' System.Random is not a cryptographic RNG; it seeds from the clock
            Dim RanString As String = ""
            Dim MD5String As String
            Dim RanSaltLoc As Integer

            ' Build a four-digit salt. Next's upper bound is exclusive, so (0, 10) yields the digits 0..9.
            While RanString.Length <= 3
                RanString = RanString & RanGen.Next(0, 10).ToString()
            End While

            MD5String = HashHex(EncString, RanString)
            ' The salt must land past offset 3 so the two-digit address fits in front of it.
            RanSaltLoc = RanGen.Next(4, MD5String.Length)
            MD5String = MD5String.Insert(RanSaltLoc, RanString)
            MD5String = MD5String.Insert(3, RanSaltLoc.ToString("00"))
            Return MD5String
        End Function

        ' Recovers the salt address and salt from Hash, rehashes S with that salt
        ' and compares the result with the remaining 32 hex characters.
        Public Function Verify(ByVal S As String, ByVal Hash As String) As Boolean
            Dim SaltAddress As Integer
            Dim SaltID As String
            Dim NewHash As String

            ' Reject anything that is not a 38-character string produced by Encrypt.
            If Hash Is Nothing OrElse Hash.Length <> 38 Then
                Return False
            End If
            If Not Integer.TryParse(Hash.Substring(3, 2), SaltAddress) Then
                Return False
            End If
            Hash = Hash.Remove(3, 2)
            If SaltAddress < 4 OrElse SaltAddress + 4 > Hash.Length Then
                Return False
            End If
            SaltID = Hash.Substring(SaltAddress, 4)
            Hash = Hash.Remove(SaltAddress, 4)
            NewHash = HashHex(S, SaltID)
            Return NewHash = Hash
        End Function
    End Class
End Namespace
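The storage layout that Encrypt produces and Verify consumes, reimplemented in Python as an added example (this is not part of the IST.DataHash library) so it can be run outside .NET. split_stored is an added helper that reads the salt and its position back out of the stored string, which is exactly what Verify relies on; the OS RNG is used here instead of System.Random, an assumption of this example.

```python
import hashlib
import hmac
import random

HEX_LEN = 32                          # MD5 digest as upper-case hex, like BitConverter.ToString
SALT_LEN = 4                          # the library uses a four-digit decimal salt
STORED_LEN = HEX_LEN + SALT_LEN + 2   # plus the two-digit salt address


def md5_hex(text: str, salt: str) -> str:
    """MD5 of text & salt as the 32 upper-case hex characters the library compares."""
    return hashlib.md5((text + salt).encode("utf-8")).hexdigest().upper()


def encrypt(text: str, salt: str = None, loc: int = None, rng=None) -> str:
    """Build the stored string: hex hash, salt spliced in at loc (4..31), then the
    two-digit loc spliced in at offset 3. salt/loc default to random values;
    passing them makes the output reproducible for tests."""
    rng = rng or random.SystemRandom()   # assumption: OS RNG rather than System.Random
    if salt is None:
        salt = "".join(str(rng.randrange(10)) for _ in range(SALT_LEN))
    if loc is None:
        loc = rng.randrange(4, HEX_LEN)
    if len(salt) != SALT_LEN or not 4 <= loc < HEX_LEN:
        raise ValueError("salt must be 4 characters and loc in 4..31")
    h = md5_hex(text, salt)
    h = h[:loc] + salt + h[loc:]          # salt goes into the hex at loc
    return h[:3] + f"{loc:02d}" + h[3:]   # address goes in at offset 3


def split_stored(stored: str):
    """Undo encrypt(): return (bare_hex_hash, salt, loc) from a stored string."""
    if len(stored) != STORED_LEN or not stored[3:5].isdigit():
        raise ValueError("not a stored hash from this scheme")
    loc = int(stored[3:5])
    if not 4 <= loc < HEX_LEN:
        raise ValueError("salt address out of range")
    body = stored[:3] + stored[5:]        # drop the address
    salt = body[loc:loc + SALT_LEN]
    bare = body[:loc] + body[loc + SALT_LEN:]
    return bare, salt, loc


def verify(text: str, stored: str) -> bool:
    """Mirror of MD5.Verify: rehash text with the recovered salt and compare."""
    try:
        bare, salt, _ = split_stored(stored)
    except ValueError:
        return False
    return hmac.compare_digest(md5_hex(text, salt), bare)
```

Because split_stored needs nothing but the stored string, a copy of the XML file yields the bare MD5 and the salt directly; the layout only hides them from someone who does not know it.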
Points of Interest
Various MD5 references
Using MD5 to Encrypt Passwords in a Database
History
March 7, 2006 - Released Source Code due to much demand and authorization by Infinity Squared Technologies, Inc.
April 13, 2004 - Released Version 1.0 publicly
Hi.
I've been testing your class for almost half an hour.
MD5.Verify() simply doesn't work as you can't put the result in a String. Moreover, you don't return the "salt" so how do you want to compare a string and its hash if you don't return the salt?
I dunno why everybody was looking forward to see the source code.
The source code has been published as of a long time ago, due to user requests and my company's agreement to release it.
What problem are you having? The code works perfectly and has been in use in many of my company's projects since its inception, in some form. If you can provide more information I can help with the problem, I'm sure.
As the article explains, the solution was devised as a way for me to store a salt and hash in an XML database that could be stolen. If that database was stolen the "hidden" hash was designed to make it impossible for a malicious user to immediately run a dictionary attack on the passwords and to make it very hard to decipher the string to find the salt value. As a result the salt is IN the rest of the MD5 string itself in a random location.
-- modified at 13:26 Wednesday 26th July, 2006
No, a patent is not what is wanted for the code.
I agree with everyone here that posting this article, which I still believe can be very helpful to developers, without the source code was not a good idea. The source code for this article will be posted to the article within the next few days (hopefully today).
I apologize for the incomplete and probably unusable article, but I hope the posting of the code helps to rectify this situation.
------ What makes one intelligent? All things are equal; nothing. One who thinks one knows or has anything more than another is the greatest fool. Wisdom is the understanding and ability to accept you and all you know is nothing, equal to that of anyone or anything. Knowledge alone creates a blind fool. Are you wise?
Sorry for the delay...
The source code has been added and I hope it is useful.
Despite no source code being posted, there's a right way and wrong way to request it.
Beginning your post with "WTF" is a pretty rude way to make a request from someone who is providing something useful for you for free.
The main interest of code project is to provide source code. I lost my time while reading then downloading the project. How can I be sure your code does not contain some virus or anything else that can blow up in a year in one of my projects? Please post the code or keep all for your own. GRRrrrr....
Yes, I agree that security through obscurity isn't much security at all, but that's the only known way to prevent dictionary attacks on a compromised database. It's common practice to use a SALT with hash-encrypted password data and also highly recommended you don't store them in the same place. In the end you're trying to hide that valuable SALT.
This isn't a bullet-proof method, but I believe in the usage of XML DBs it offers some level of extra protection.
I think this method would work well.
Because most people think like that guy: "Store data and Salt in separate places." If they want to hack, they must find which table you store the "Salt" in in the database. So they will never find that table, because that table doesn't exist in the first place.
P.S. My English grammar is terrible. If there are any errors in my sentences, don't hesitate to tell me the correction.
???
The library is just a method of doing MD5 easier in .NET (by randomizing the SALT in the HASH and not another location).
I haven't had it "expertly" looked at, but I believe it's a more secure method of doing MD5. Since in security you are supposed to look at it as the intruder WILL get in. This method makes sure he gets very confused in what he has stolen and also makes it equally as hard to use that stolen information. All without confusing other people who may be (or in the future may be) developing your application as well.
Sounds pretty neat, but what about the source? I'd like to see how this was done, since I was thinking about doing something along those lines myself.
I was thinking of releasing the source, but it depends on if I get approval from the company to do it.
So hopefully I will be able to.
Looks a great article, but I've got to agree that without the source it's useless, as you can't change anything to suit your needs etc.
I have to agree that without the source for this code, it's of very little use to me. I understand your desire to post something on CodeProject, but please, don't just post a blurb about how to use your custom API without telling me how you created the API in the first place.