Hi All,

Recently, I have been developing an extended application (.NET 2.0) to generate the password, encrypt the password using MD5 and insert it into the database for client login on the website (.NET 1.1 platform).

After developing the extended program, some of my users reported that some of the passwords cannot be used on the website.

When I checked the coding for encryption, there is a problem that I found.

Here's my part of the encryption method.

C#
using System.Security.Cryptography;
using System.Text;

// Method as posted. The problem discussed in this thread: the raw hash bytes are
// decoded as UTF-16 text, but a hash is arbitrary binary, not text, so byte pairs
// that are not valid UTF-16 code units can be replaced and the original hash bytes
// can no longer be recovered from the returned string.
public string encryptStr(string strPassword)
{
    MD5 md5 = new MD5CryptoServiceProvider();
    byte[] pwd = Encoding.Unicode.GetBytes(strPassword);            // UTF-16LE bytes of the password
    string ePwd = Encoding.Unicode.GetString(md5.ComputeHash(pwd)); // lossy: hash bytes treated as text
    return ePwd;
}


If you just run it in Debug Mode with a password as input, you may not find any difference in the string value "ePwd" between the .NET 1.1 and 2.0 platforms.

Converting "ePwd" to a byte[] again, you find that "pwd" is not the same as the converted byte value.

Here is a thread from someone having similar problems. Read through it to see if it provides any help.
Comments
Sandeep Mewara 22-Jan-11 12:50pm    
Comment from OP:
Hi Henry,

Checked for this post.
Their solution is suitable for ASCII, but not Unicode.
Yes, but did you not notice that they did not store the result of the ComputeHash() method in a string, as you do? They actually store the result in a byte[], which is correct. They return a string by using Convert.ToBase64String(hashResult).

In doing this they claim that there will be no difference between 1.1 and 2.0. The fact that they use ASCII and you use Unicode encodings should make no difference to an array of byte.
 
Share this answer
 
Comments
Manfred Rudolf Bihy 22-Jan-11 13:13pm    
Proposed as answer.
chrismok 22-Jan-11 21:45pm    
However, I tried to use Convert.ToBase64String(hashResult) and pass it to the DB directly.
In the table, I found that the string value changed to "O0ty46HaTSwSYsMy6+Fqjg==", not something like "????????".
Henry Minute 23-Jan-11 7:03am    
"O0ty46HaTSwSYsMy6+Fqjg==" is the hashed password. Does it bear any resemblance to the password entered? No, it does not. So no one can work out what the original password was. It is therefore quite safe to store this in the database. Except, as Dave has said, MD5 is one of the least secure of the encryption algorithms now because some clever computer scientists have found a way to decipher it, in some circumstances. If you think that they might get hold of your database then use a different encryption provider. The examples at http://msdn.microsoft.com/en-us/library/f9ax34y5%28v=VS.90%29.aspx use the SHA1 version. Try that instead.
Dave Kreskowiak 23-Jan-11 9:43am    
It sounds like you have no idea what a Base64 string is or why you're using it. http://en.wikipedia.org/wiki/Base64
chrismok 23-Jan-11 9:50am    
The website has been running for a few years and there are over 100 thousand users who have registered and logged in on it, so it is not possible to change the encryption and password comparison methodology.
Did you know that MD5 is considered "broken" and should not be used, especially for passwords?

And it is called a "hash", not an "encoding". There is a vast difference between the two terms.
Comments
chrismok 23-Jan-11 0:30am    
What does "Broken" mean?
Dave Kreskowiak 23-Jan-11 9:40am    
MD5 is now a very weak and flawed encryption. Use SHA512 instead.

Look it up on Wikipedia if you don't believe me. http://en.wikipedia.org/wiki/MD5
Henry Minute 23-Jan-11 7:18am    
I wasn't going to mention that until later, if at all. :)
Dave Kreskowiak 23-Jan-11 9:45am    
Yeah, it sounds as if the OP is doing copy-n-paste coding. It doesn't look like he has any idea what Base64 is and why he's using it.
Henry Minute 23-Jan-11 9:47am    
Too true.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)