RSA encryption problem .net

Question

5.00/5 (2 votes)

See more:

Hi all,

I am using .Net RSACryptoProvider to encrypt a password and store it
in a database. So I keep the public key unchanged by importing the public key xml file each time for encryption. But I found that each time the encrpyted output are different even I keep the public key the same. Why ?

Thanks

Posted 17-Mar-11 19:27pm

Kim0618

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2011-03-17T21:23:00

Without seeing your relevant code fragment, it is difficult to say.

However, it is neither necessary nor desirable to store a RSA encrypted password. If you do, then every password has to be encrypted with a known key, which must be provided to the code in order to decrypt it each time you need to check it.

Instead, use a MD5 or SHA hash of the password (preferably SHA, since MD5 is officially classed as "broken"). Since hashes are not reversible you cannot get back to the password from the stored value and it requires no key at all to generate.

To check the password, generate the hash from what the user input, and compare the two hash values. If they are the same, the passwords match.

It is a good practice to include the Username or ID in with the password before you generate the hash, this prevents two users with the same password from generating identical hash values.
"Why I use RSA encrypted password is that I store the private key and the public key is included in the code. If users forget the password then he can send the encrypted value to me and I can use the private key to decrypt it and send it back to the user.

The problem now I have is that the RSA encryption method generate different encrypted values each time even using the same public key."

Not a good idea: nobody should have access to passwords, not even you.

If the user forgets the password, then you could

1) Send him a hint, as several sites do, based on text he entered when he registered.
2) Reset the password to a random value, and email it to him on his registered address.

If you do it your way, then you are sending a password, in clear, to someone who you do not necessarily know is the original user. Major security breach! Picture the scene:

You sign up for your site.
You go off for a meeting.
I use your PC to request my password from your site, claiming I forgot it.
Your site sends it to me.
I delete the email and walk away.

Now, I have your password, and you don't know anything has happened.
And since many, many people use the same password for everything because they can't remember multiple ones, I now have access to your bank as well... And you still don't know it's gone - lucky me!

No-one, even trusted people like you, should have access to passwords at all. Hash them: it's simple, quick, and efficient. It uses a fixed space in the database, and it's a lot more secure.

C#

public byte[] SHA2Hash(string s)
    {
    SHA512 shaM = new SHA512Managed();
    byte[] bs = Encoding.UTF8.GetBytes(s);
    return shaM.ComputeHash(bs);
    }

Sergey Alexandrovich Kryukov · Answer 2 · 2011-03-18T17:20:00

You might miss the general theoretical bases of the assymmetric (public-key) encryption.
If you did understand the idea, you would not probably ask your Question.

Please forgive me if this is not true and you do understand it well.

I just know a good way to introduce into it.
First of all, everything is based on the idea of mathematical on-way function: http://en.wikipedia.org/wiki/One-way_function[^]. The use of one-way function in ciphering is based on the fact that the backdoor method could not be found: http://en.wikipedia.org/wiki/Backdoor_(computing)[^].

Just a generation of pair of keys is already an example if one-way function: you can quickly generate a key, but not find one key by the other. Please pay attention that for RSA an asymmetric backdoor exists.

See the article on asymmetric key algorithm and public-key cryptography to understand how all this is related to encryption: http://en.wikipedia.org/wiki/Asymmetric_key_algorithm[^]. RSA (http://en.wikipedia.org/wiki/RSA[^]) is just one of the encryption algorithms of that sort.

—SA

RSA encryption problem .net

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0