Thread: Using the Cryptography APIs in .NET
View Single Post
  #2 (permalink)  
Old 02-08-2008, 04:49 AM
Sathish Kumar Sathish Kumar is offline
D-Web Analyst
  
Join Date: Feb 2007
Posts: 304
Sathish Kumar is on a distinguished road
Post Re: Using the Cryptography APIs in .NET
The .NET framework contains a number of cryptography services that allow you to incorporate security services into your .NET applications. These libraries are located under the System.Security.Cryptography namespace and provide various functions such as encryption and decryption of data, as well as other operations such as hashing and random-number generation. In this article, I will show you how to use some of the common security APIs to make your .NET applications more secure.

Hashing

The first, most common security function that you will perform is hashing. Consider the situation where you need to build a function to authenticate users before they can use your application. You would require the user to supply a login credential, most commonly containing a user name and a password. This login information would need to be persisted to a database. And it is not uncommon for developers to store the passwords of users directly on a database. This is a big security risk, because hackers who had a chance to glance at the users' database would be able to obtain the passwords of your users. A better approach is to store the hash values of the users' passwords, instead of the users' passwords themselves. A hashing algorithm has the following properties:
  • It maps a string of an arbitrary length to small binary values of a fixed length, known as a hash value.
  • The hash value of a string is unique, and small changes in the original string will produce a different hash value.
  • It is improbable to find two different strings that produce the same hash value.
  • It is impossible to use the hash value to find the original string.

Instead of storing the passwords of your users verbatim in the database, you should store their hash values. When the user logs in to your application, the password provided is compared with the hash values stored in the database. In this way, even if hackers actually stole the user's database, it does not expose the actual password. One downside to storing the hash values of users' passwords is that in the event that a user loses his password, there is no way of retrieving it. In this case, you'd need to generate a new password for the user and request that he change it immediately. But this inconvenience is a small price to pay for the security of your application.

There are many hashing algorithms available in .NET, but the most commonly used are the SHA1 and MD5 implementations. Let's take a look at how they work in .NET.
__________________
Sathish Kumar.R
Knowledge is meant to SHARE
Reply With Quote