Re: Simple VB.NET Web Application Encryption/Decryption of password
From: Alek Davis (alekDOTdavisATintelDOTcom)
Date: 11/16/03
- Previous message: Michael Giagnocavo [MVP]: "Re: Simple VB.NET Web Application Encryption/Decryption of password"
- In reply to: Fred Nelson: "Re: Simple VB.NET Web Application Encryption/Decryption of password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 15 Nov 2003 16:04:24 -0800
Fred,
It looks like Michael answered your second question (thanks Michael). With
respect to storage, I don't think it really matters much. If you really care
about performance and want to eliminate every unnecessary operation, then
you can skip the steps which append the salt value to the hash as well as
base64-encoding. So instead of returning a base64-encoded string which
contains a hash and salt, you would return a byte array containing the hash
(64 bytes) and a byte array containing the randomly generated salt. If I
remember it correctly, the salt size falls within some range (so the size of
the salt is pseudo-random), but you can change the code to make it a fixed size (as
Michael suggested). This will save you a couple of micro- (or milli-)
seconds. In this case you can store the values as binary fields in the
database. The only problem you must be aware of is that if for some reason the
hash value ends with zero, SQL Server may chop it off. I don't know if this
behavior is the same in MS SQL 7/2000, but I have seen this happen in MS
SQL 6.5 (it depends on some database settings, so it does not happen
always). Just to be safe, I would append a non-zero byte value (e.g. 0xFF)
to both hash and salt, so the size in the database would be 65 bytes for the
hash and whatever you choose for the salt plus one byte. To me it would be
too much hassle, so I would just keep everything as it is done in the sample
and store the base64-encoded string as a varchar. The max size would be: (64
+ salt size) adjusted for base64 encoding (I don't remember off the top of my
head what the formula is, but I think it is just replacing every 2 bytes by
3 bytes).
Alek
"Fred Nelson" <fred@smartybird.com> wrote in message
news:%23ASMl94qDHA.2644@TK2MSFTNGP09.phx.gbl...
> Alek:
>
> Thanks again - I got it to work - "salt" and all!
>
> I do have one more question - how would you recommend storing the hashed
> values in an SQL database - should they be as character or is there another
> type that would be better.
>
> Also, assuming that I use the SHA512 hash algorithm - what is the max size
> of string field that I would need in the database - I had strings returned
> ranging in size from 92-96 - with a max of 96, could it ever be larger?
>
> Thanks again for your help!
>
> "Alek Davis" <alekDOTdavisATintelDOTcom> wrote in message
> news:uxHpcLtqDHA.1724@TK2MSFTNGP10.phx.gbl...
> > Fred,
> >
> > Check out these examples: http://www.obviex.com/samples/encryption.aspx
> and
> > http://www.obviex.com/samples/hash.aspx. I would recommend you to hash
> > passwords instead of encrypting them (unless you really need to know
> > password's plain text, which - in most cases - is not necessary).
> >
> > Alek
> >
> > "Fred Nelson" <fred@smartybird.com> wrote in message
> > news:ekDjASkqDHA.3180@TK2MSFTNGP11.phx.gbl...
> > > Hi:
> > >
> > > I'm developing a web application and I'm trying to find a simple way to
> > > encrypt and decrypt a password field for a relatively low security app.
> > >
> > > A one-way encryption won't work since I need to be able to e-mail users
> > > their password if they lose it.
> > >
> > > I have searched MSDN and there are obviously many VERY complex encryption
> > > services available - I don't need certificates or PKI, Kerberos, etc - just
> > > something simple:
> > >
> > > * for example:
> > >
> > > mykey = "somevalue"
> > >
> > > scrambledpassword = simpleencrypt(inpassword,mykey)
> > >
> > > unscrambledpassword = simpledecrypt(scrambledpassword,mykey)
> > >
> > > Any help would be GREATLY appreciated!
> > >
> > > Thanks,
> > >
> > > Fred
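As an added example (not Alek's code nor the obviex sample), here is a Python sketch of the hash-then-salt layout Alek describes, together with the base64 size formula he could not recall: base64 emits 4 characters for every 3 input bytes, rounding up to a whole group, so a 64-byte SHA-512 digest plus a salt of 4 to 8 bytes comes to 92 to 96 characters. The salt range and the hash-followed-by-salt layout are assumptions about the sample, not facts taken from it.

```python
import base64
import hashlib
import math
import secrets

HASH_SIZE = 64  # SHA-512 digest length in bytes


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-512 in the assumed layout: base64(hash || salt).

    Keeping the salt inside the stored string means the verifier needs
    no separate column, at the cost of a longer varchar.
    """
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Split the stored value back into digest and salt, recompute, compare."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:HASH_SIZE], raw[HASH_SIZE:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return secrets.compare_digest(digest, expected)


def base64_length(raw_bytes: int) -> int:
    """Characters of padded base64 text for raw_bytes: 4 per 3 bytes, rounded up."""
    return 4 * math.ceil(raw_bytes / 3)


def storage_lengths(min_salt: int, max_salt: int) -> dict:
    """Varchar width needed for each salt size in [min_salt, max_salt]."""
    return {s: base64_length(HASH_SIZE + s) for s in range(min_salt, max_salt + 1)}


if __name__ == "__main__":
    # Fixed 8-byte salt, as Michael suggested, instead of a variable-size one.
    salt = secrets.token_bytes(8)
    stored = hash_password("correct horse", salt)
    print(len(stored), stored)                      # 96 characters
    print(verify_password("correct horse", stored))  # True
    print(storage_lengths(4, 8))                    # {4: 92, 5: 92, 6: 96, 7: 96, 8: 96}
```

With the assumed 4 to 8 byte salt range, the table shows why only 92 and 96 appear and why 96 is the ceiling; a larger salt would raise it, so the column width must follow the salt size actually used.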