Encrypting Passwords 

I am trying to write a program that stores passwords in an encrypted
format.  I am trying to use the Cryptostream to perform the encryption
and decryption.  This is what I have.

    Private Key As Byte() = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
    Private IV As Byte() = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}

Public Function EncryptPassword(ByVal strPassword As String) As String

        Dim MemStream As New MemoryStream()
        Dim RMCrypto As New RijndaelManaged()
        Dim CryptStream As New CryptoStream(MemStream, RMCrypto.CreateEncryptor(Key, IV), CryptoStreamMode.Write)
        Dim SWriter As New StreamWriter(CryptStream)
        Dim SReader As New StreamReader(MemStream)
        Dim strEncryptedData As String

        SWriter.AutoFlush = True
        SWriter.WriteLine(strPassword)
        CryptStream.FlushFinalBlock()

        MemStream.Position = 0

        strEncryptedData = SReader.ReadLine

        SWriter.Close()
        SReader.Close()
        CryptStream.Close()
        MemStream.Close()

        Return strEncryptedData

    End Function

    Public Function DecryptPassword(ByVal strEncryptedData As String) As String

        Dim MemStream As New MemoryStream()
        Dim RMCrypto As New RijndaelManaged()
        Dim CryptStream As New CryptoStream(MemStream, RMCrypto.CreateDecryptor(Key, IV), CryptoStreamMode.Write)
        Dim SWriter As New StreamWriter(CryptStream)
        Dim SReader As New StreamReader(MemStream)
        Dim strPassword As String

        SWriter.AutoFlush = True
        SWriter.WriteLine(strEncryptedData)
        CryptStream.FlushFinalBlock()

        MemStream.Position = 0

        strPassword = SReader.ReadLine

        SWriter.Close()
        SReader.Close()
        CryptStream.Close()
        MemStream.Close()

        Return strPassword

    End Function

The encrypt returns a string of garbage as I think it should but there
is no way of knowing if what I have is right.

The decryption returns a blank string.  So one of the two routines is
wrong.

Any Ideas?

Thanks in advance for any help

Jeff



Tue, 01 Feb 2005 23:52:52 GMT  
Instead of encrypting and decrypting, why not hash the password value and
store the hashed value.  Then, when you want to do a compare, take the
password value that the user enters, hash it and compare hashed values to
each other.  This is much more secure.


Wed, 02 Feb 2005 00:54:42 GMT  
On Fri, 16 Aug 2002 12:54:42 -0400, "Karl L. Houseknecht"

Quote:

>Instead of encrypting and decrypting, why not hash the password value and
>store the hashed value.  Then, when you want to do a compare, take the
>password value that the user enters, hash it and compare hashed values to
>each other.  This is much more secure.

Could you give an example?  I have never done anything like that and
don't know quite what you mean.

Jeff



Wed, 02 Feb 2005 01:23:13 GMT  

Quote:
> Could you give an example?  I have never done anything like that and
> don't know quite what you mean.

Absolutely.   The gist of this is that a hashing function is irreversible.
Once the password is hashed and the resulting value is stored (most likely
in a database table) nobody on earth can decrypt it.  It's a one-way
function.  This is good because your encryption scheme for passwords doesn't
depend on a password which can be easily stolen if you don't secure it well
(most people don't.  Lots of folks just hard code it into their app...ugh!)

This way, you can just hash the password guess that the user supplies and
compare it to the stored hash value.  There's no need to decrypt the stored
value this way.  Here's some sample code (look out for line wrapping):

Imports System
Imports System.Security.Cryptography
Imports System.Text

Module Module1

    Sub Main()

        Dim strPassword As String = "Password" 'ok, so the user is stupid...

        Dim cspSHA1 As New MD5CryptoServiceProvider() 'hash using the MD5 algorithm

        'get a byte array representing
        'the hashed value of the Password
        'use ASCII encoding to make this simpler
        Dim bytResult() As Byte = cspSHA1.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strPassword))

        'a string representation of the hash value...for convenience
        '(Base64, because decoding raw hash bytes as ASCII turns every byte above 127 into "?")
        Dim strHash As String = Convert.ToBase64String(bytResult)

        Console.WriteLine("Password: " & strPassword)
        Console.WriteLine("Hash: " & strHash)

        'trying to authenticate...enter passwords, hash and compare to original value
        Dim strPasswordTry1 As String = "PasswordGuess" ' a bad try
        Dim strPasswordTry2 As String = "Password" ' the correct password

        'same as above but all in one line
        Dim strTry1 As String = Convert.ToBase64String(cspSHA1.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strPasswordTry1)))
        Dim strTry2 As String = Convert.ToBase64String(cspSHA1.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strPasswordTry2)))

        If String.Compare(strTry1, strHash) = 0 Then
            Console.WriteLine("Try 1: Match")
        Else
            Console.WriteLine("Try 1: No Match")
        End If

        If String.Compare(strTry2, strHash) = 0 Then
            Console.WriteLine("Try 2: Match")
        Else
            Console.WriteLine("Try 2: No Match")
        End If

        Console.WriteLine(vbCrLf & "Hit Enter to continue...")
        Console.ReadLine()

    End Sub

End Module



Wed, 02 Feb 2005 02:54:54 GMT  
Oops.  Named my hashing algorithm object cspSHA1 thinking I was going to use
the SHA1 algorithm.  Changed my mind and used the MD5 algorithm and didn't
rename the variable.  Sorry for the confusion.


Wed, 02 Feb 2005 02:58:41 GMT  
On Fri, 16 Aug 2002 14:58:41 -0400, "Karl L. Houseknecht"

Quote:

>Oops.  Named my hashing algorithm object cspSHA1 thinking I was going to use
>the SHA1 algorithm.  Changed my mind and used the MD5 algorithm and didn't
>rename the variable.  Sorry for the confusion.

One problem.  I need to store the passwords that the user supplies and
then use them later.  The object of the program is to store passwords
for network connections then at the press of a button to reestablish
all network connections without the user having to enter the password
for each connection.  With the hash can I get the original password
myself?

Thanks



Sat, 05 Feb 2005 19:31:00 GMT  
Sorry, didn't know the requirements.  You'll have to resort to traditional
symmetric encryption here.  I looked at your code and I see you're trying to
use a StreamWriter to put the data into the CryptoStream.  I know the docs
show examples of this, but I haven't been able to get it to work yet.

What I typically do is put my plaintext into an appropriately sized Byte
array (usually in ASCII using ASCIIEncoding.ASCII.GetBytes, but you can do
Unicode too, just make sure your byte array is doubly as large).  I then
Write that byte array directly into the CryptoStream.  Before I close the
CryptoStream, I do a direct Read from the output stream into a byte array
sized to the output stream's length.  This is the ciphertext.

So, it's something like this (I have a textbox called txtLeft that contains
the plaintext and some member variables for the key, iv and ciphertext) :

Dim cspTDES As New TripleDESCryptoServiceProvider()

'create a triple DES object and initialize new session key and IV
With cspTDES
    m_bytKey = .Key
    m_bytIV = .IV
End With

Dim stmOut As New MemoryStream()
Dim cstTDES As New CryptoStream(stmOut, cspTDES.CreateEncryptor(), CryptoStreamMode.Write)

Dim bytIn(txtLeft.Text.Length - 1) As Byte
bytIn = (ASCIIEncoding.ASCII.GetBytes(txtLeft.Text))

cstTDES.Write(bytIn, 0, bytIn.Length)
cstTDES.FlushFinalBlock()

ReDim m_bytCipherText(stmOut.Length - 1)
stmOut.Position = 0
stmOut.Read(m_bytCipherText, 0, m_bytCipherText.Length)

cstTDES.Close()

Don't forget to call FlushFinalBlock when you're done writing to the
CryptoStream.


Quote:
> One problem.  I need to store the passwords that the user supplies and
> then use them later.  The object of the program is to store passwords
> for network connections then at the press of a button to reestablish
> all network connections without the user having to enter the password
> for each connection.  With the hash can I get the original password
> myself?



Sun, 06 Feb 2005 02:10:45 GMT  
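
An added example, not code from any poster in this thread: the byte-array approach described in the last reply, applied to the original EncryptPassword/DecryptPassword pair. The ciphertext stays binary until it is Base64-encoded for storage, and each call uses a fresh random IV stored in front of the ciphertext instead of a fixed one. It uses AES rather than the TripleDES shown above; the module name, the key parameter and the demo password are assumptions, and the key is generated in Main only for the demonstration.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module PasswordVault
    ' Encrypts with AES-CBC under a fresh random IV; returns Base64(IV + ciphertext).
    Public Function EncryptPassword(ByVal plain As String, ByVal key As Byte()) As String
        Using cipher As Aes = Aes.Create()
            cipher.Key = key
            cipher.GenerateIV()
            Using ms As New MemoryStream()
                ms.Write(cipher.IV, 0, cipher.IV.Length)
                Using cs As New CryptoStream(ms, cipher.CreateEncryptor(), CryptoStreamMode.Write)
                    Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
                    cs.Write(data, 0, data.Length)
                    cs.FlushFinalBlock()
                End Using
                Return Convert.ToBase64String(ms.ToArray()) ' bytes to text only via Base64
            End Using
        End Using
    End Function

    ' Splits off the IV, then reads the plaintext back through a decrypting CryptoStream.
    Public Function DecryptPassword(ByVal stored As String, ByVal key As Byte()) As String
        Dim blob As Byte() = Convert.FromBase64String(stored)
        Using cipher As Aes = Aes.Create()
            Dim iv(cipher.BlockSize \ 8 - 1) As Byte
            Array.Copy(blob, iv, iv.Length)
            Using ms As New MemoryStream(blob, iv.Length, blob.Length - iv.Length)
                Using cs As New CryptoStream(ms, cipher.CreateDecryptor(key, iv), CryptoStreamMode.Read)
                    Using reader As New StreamReader(cs, Encoding.UTF8)
                        Return reader.ReadToEnd()
                    End Using
                End Using
            End Using
        End Using
    End Function

    Sub Main()
        Dim key(31) As Byte ' constructed demo key; a real key comes from protected storage, not source
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(key)
        End Using
        Dim stored As String = EncryptPassword("s3cret-share-pw", key)
        Console.WriteLine("Stored:    " & stored)
        Console.WriteLine("Recovered: " & DecryptPassword(stored, key))
    End Sub
End Module
```

CBC encryption on its own does not detect tampering with the stored value; if the storage location is writable by others, add a MAC over the IV and ciphertext or use an authenticated mode.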
 