Encrypting Passwords using Sha and MD5 Encryption techniques in .Net by qamar


   Securing an application has always been a tough task for developers. Security threats can be reduced by various means, among them encrypting query strings, placing important configuration information in secure places such as the Windows Registry, and encrypting passwords in the database.
Here we will discuss the two common hashing algorithms, SHA1 (Secure Hash Algorithm) and MD5 (Message Digest Algorithm). They are said to be irreversible: you can't decrypt them. They are said to be secure since it is computationally infeasible to reverse the process and discover the original message from the digest. They are therefore frequently used to produce a unique one-way hash representation of a sensitive message.
   SHA1: The algorithm is able to take a very large message and produce a 160-bit message digest. 
   MD5: The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "message digest" of the input.
   We will now implement these algorithms to secure passwords in the database. It is not good practice to store them in the clear in the database. Storing passwords as clear text means that you are potentially breaching your application yourself.
Consider a table with two columns, "Name" and "Password". Assume the passwords stored in the table are in clear text format. We will now apply the hashing algorithms to produce message digests and secure them.
   .Net provides various namespaces to implement the SHA1 and MD5 hash algorithms. The System.Security.Cryptography namespace can be used to produce SHA1 message digests, and System.Web.Security can also be used to implement them.
I will use the System.Web.Security namespace as an example. Remember that a reference to System.Web is not included by default in a Windows application; you have to add it manually.


   For web projects, Visual Studio automatically adds the reference to System.Web and you only have to add a using directive to bring it into your code. As we are developing a Windows application, we have to explicitly add the reference to System.Web.dll as mentioned above. Create a Windows application, put some controls (as shown below) on the main form, and insert the following code in the button click event.

// Requires: using System.Web.Security; (reference to System.Web.dll added to the project)
private void btnEncrypt_Click(object sender, System.EventArgs e)
{
    // Hash the clear-text password with SHA1 and show the digest in the second textbox
    this.txtEncryptedPassword.Text = EncryptingPassword();
    updatePasswordInDB("Server=Fahad; database=TestDB; uid=sa; pwd=sqladmin");
}

public string EncryptingPassword()
{
    // Return the SHA1 digest of the clear-text password as a hex string
    return FormsAuthentication.HashPasswordForStoringInConfigFile(
        this.txtPassword.Text.Trim(), "SHA1");
}

   For now, ignore the "updatePasswordInDB" function; we will discuss it below. I have just called a function EncryptingPassword(). This function returns the digest of the text in the Clear Password textbox. You can see the result in the second textbox.

For MD5, just replace "SHA1" with "MD5":

FormsAuthentication.HashPasswordForStoringInConfigFile(this.txtPassword.Text.Trim(), "MD5");

   The digest for MD5 is shorter than for SHA1: this is the difference between a 128-bit and a 160-bit digest. In order to update it in the database, we have to open a connection and execute a command on it. The function that does this looks like this:

public void updatePasswordInDB(string connectionString)
{
    // Requires: using System.Data.SqlClient; values are passed as parameters, not concatenated into the SQL text
    using (SqlConnection objConn = new SqlConnection(connectionString))
    using (SqlCommand objcmd = new SqlCommand(
        "update TestEncryption set password = @password where name = @name", objConn))
    {
        objcmd.Parameters.AddWithValue("@password", this.txtEncryptedPassword.Text.Trim());
        objcmd.Parameters.AddWithValue("@name", "Qamar");
        objConn.Open();
        objcmd.ExecuteNonQuery();
    }
}


Don't forget to import the necessary namespaces for database handling. Note that I have updated the password for the user named "Qamar" only. It's an example query, but you can generate your own according to your business requirements.

   The final table view now will become

   Now, when you have to authenticate the user, you simply convert the given password to the corresponding message digest and compare it with the one stored in the database. This is not the end, though: many other algorithms exist, but if you only need a one-way conversion, these are the best.
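As an added example (not part of the original project), the same SHA1/MD5 digests computed directly with the System.Security.Cryptography namespace mentioned earlier, plus the authentication step just described: the supplied password is re-hashed and compared with the stored digest. The helper assumes that the framework method hashes the UTF-8 bytes of the password and returns upper-case hexadecimal; the stored digest is a constructed sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordDigest
{
    // Hex digest of the password: UTF-8 bytes hashed with SHA1 or MD5, upper-case hex, no salt.
    // Assumed to match the format FormsAuthentication.HashPasswordForStoringInConfigFile returns.
    public static string Compute(string password, string algorithm)
    {
        using (HashAlgorithm hasher = algorithm == "MD5" ? (HashAlgorithm)MD5.Create() : SHA1.Create())
        {
            byte[] digest = hasher.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) hex.Append(b.ToString("X2"));
            return hex.ToString();
        }
    }

    // Authentication step: re-hash the supplied password and compare with the stored digest.
    // Every character is compared, so the time taken does not reveal how many leading
    // characters matched.
    public static bool Verify(string password, string storedDigest, string algorithm)
    {
        string candidate = Compute(password, algorithm);
        if (candidate.Length != storedDigest.Length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
            diff |= candidate[i] ^ char.ToUpperInvariant(storedDigest[i]);
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: the digest that would have been written to the Password column.
        string stored = Compute("P@ssw0rd", "SHA1");
        Console.WriteLine("SHA1 digest (40 hex chars): " + stored);
        Console.WriteLine("MD5  digest (32 hex chars): " + Compute("P@ssw0rd", "MD5"));
        Console.WriteLine("correct password: " + Verify("P@ssw0rd", stored, "SHA1"));
        Console.WriteLine("wrong password:   " + Verify("password", stored, "SHA1"));
        // Without a salt, two users who choose the same password get the same digest.
        Console.WriteLine("same password, same digest: " + (Compute("P@ssw0rd", "SHA1") == stored));
    }
}
```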
Attachments:
Project Files : Qamar_Encryption.Zip
By Qamar Ahmad Hafeezi