Hash Functions in .NET

Dino Esposito explains the use of .NET 2.0 hash functions to protect a password or the contents of a file.


October 13, 2006
URL:http://www.drdobbs.com/windows/hash-functions-in-net/193301875

Hash functions are an important security tool in .NET and ASP.NET applications. Over the Web any input is potentially evil and must be carefully checked to be safe. For this reason, you should avoid sending out critical information as clear text. Encryption is one possible answer to this issue. Depending on the context, encryption can be applied at the protocol level (HTTPS) or to individual pieces of data by the programmer. Encryption does a good job of protecting data, but requires a key. The burden of protecting the key is placed on you. Once the key is known, the wall built around your data disappears. In addition, encryption does have a relevant computational cost. Yet, in some cases you just can't do without encryption. For example, to authenticate a user and be sure about his or her identity you need encryption (typically, certificates).

There are other situations in which integrity and confidentiality of data can be obtained without encryption. Imagine you have to call a library subject to authentication rules. Instead of sending out credentials as clear text, you can calculate a hash value and send it over the wire. On the server, you can compare the hash against a set of stored hashes, one for each authorized user. If a match is found, you have successfully verified the credentials, have an identity to work with, and can proceed with tasks. If not, the credentials are invalid and you just reject the call.

This pattern is commonly used to verify passwords. On the server, you keep a hashed version of the user's password. From the client, you receive the password as clear text; you hash it on the server and verify the obtained value against the stored hashes. In this way, at least you avoid storing passwords as clear text, which solves a potentially big privacy issue in case your database is hacked. Needless to say, there are other issues related to storing passwords, but they go beyond the scope of this article.

In the .NET Framework, hash functions only work with arrays of bytes. If you want to hash a string (for example, a password or the contents of a file), you have to extract the contents as bytes. Here's how to do it:


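using System.Security.Cryptography;
using System.Text;

// Encode the input string as UTF-16 bytes, then hash the bytes with SHA-1.
UnicodeEncoding ue = new UnicodeEncoding();
byte[] bytes = ue.GetBytes(text);
SHA1Managed sha1 = new SHA1Managed();
byte[] hashValue = sha1.ComputeHash(bytes);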

First and foremost, you get a byte array out of the input data. This process is known as encoding, that is, transforming a set of Unicode characters into a sequence of bytes. In .NET, there are various encoding classes to choose from based on the input character set. They are UTF8, UTF7, and UTF16 (or just Unicode).

Once you hold an instance of the correct encoding class, you pass the text to its GetBytes method and get back its bytes. Next, you get an instance of the hash generator and call its ComputeHash method. To compare two hash values, you simply iterate and compare all of the contained bytes.


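// Hashes of different lengths can never match; checking this first also
// keeps the loop from indexing past the end of the shorter array.
bool same = providedHashValue.Length == hashValue.Length;
int i = 0;
while (same && i < providedHashValue.Length)
{
    if (providedHashValue[i] != hashValue[i])
        same = false;
    i++;
}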

SHA1 is one of the most popular hash algorithms and is implemented by the SHA1Managed class in the .NET Framework. However, be aware that holes have been found in the algorithm, as well as in other equally popular hash algorithms such as MD5. Today, SHA512 is deemed to be the most reliable and safe hashing algorithm. In .NET Framework, it is implemented by the SHA512Managed class. The key benefit of hash values is that they provide a unique, fixed-length, deterministic representation of a block of data.
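
The hashing and comparison steps described above, as an added example that is not part of the original article: it uses SHA512Managed, rejects hashes of different lengths, examines every byte regardless of where the first difference occurs, and shows that the same text encoded as UTF-16 and as UTF-8 produces different hashes. The HashDemo class, its method names, and the sample strings are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; HashDemo, HashText and HashesEqual are hypothetical names.
static class HashDemo
{
    // Encode the text with the given encoding and hash the bytes with SHA-512.
    static byte[] HashText(string text, Encoding encoding)
    {
        byte[] bytes = encoding.GetBytes(text);
        using (SHA512Managed sha512 = new SHA512Managed())
        {
            return sha512.ComputeHash(bytes);
        }
    }

    // Reject length mismatches, then XOR every byte pair so the running time
    // does not depend on the position of the first differing byte.
    static bool HashesEqual(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample input, not taken from the article.
        byte[] stored = HashText("correct horse", new UnicodeEncoding());
        byte[] same = HashText("correct horse", new UnicodeEncoding());
        byte[] wrong = HashText("correct horsf", new UnicodeEncoding());
        byte[] utf8 = HashText("correct horse", new UTF8Encoding());
        byte[] truncated = new byte[stored.Length - 1];
        Array.Copy(stored, truncated, truncated.Length);

        Console.WriteLine("hash length in bytes:     " + stored.Length);
        Console.WriteLine("same text, same encoding: " + HashesEqual(stored, same));
        Console.WriteLine("different text:           " + HashesEqual(stored, wrong));
        Console.WriteLine("same text, UTF-8 encoded: " + HashesEqual(stored, utf8));
        Console.WriteLine("truncated hash:           " + HashesEqual(stored, truncated));
    }
}
```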
