Reputation: 17459
How to Use SHA1 or MD5 in C#?(Which One is Better in Performance and Security for Authentication)
In C# how we can use SHA1 automatically?
Is SHA1 better than MD5?(We use hashing for user name and password and need speed for authentication)
Upvotes: 25
Views: 63201
Answers (7)
Reputation: 7238
From MSDN
byte[] data = new byte[DATA_SIZE];
byte[] result;
SHA1 sha = new SHA1CryptoServiceProvider();
// This is one implementation of the abstract class SHA1.
result = sha.ComputeHash(data);
Upvotes: 9
Reputation: 9897
MD5 is better in performance and SHA1 is better for security. You can get an idea from this comparison
Upvotes: 0
Reputation: 7750
I'd like use these things.
MD5, SHA1/256/384/512 with an optional Encoding parameter.
Othere HashAlgorithms.Thanks to Darin Dimitrov.
public static string MD5Of(string text)
{
return MD5Of(text, Encoding.Default);
}
public static string MD5Of(string text, Encoding enc)
{
return HashOf<MD5CryptoServiceProvider>(text, enc);
}
public static string SHA1Of(string text)
{
return SHA1Of(text, Encoding.Default);
}
public static string SHA1Of(string text, Encoding enc)
{
return HashOf<SHA1CryptoServiceProvider>(text, enc);
}
public static string SHA384Of(string text)
{
return SHA384Of(text, Encoding.Default);
}
public static string SHA384Of(string text, Encoding enc)
{
return HashOf<SHA384CryptoServiceProvider>(text, enc);
}
public static string SHA512Of(string text)
{
return SHA512Of(text, Encoding.Default);
}
public static string SHA512Of(string text, Encoding enc)
{
return HashOf<SHA512CryptoServiceProvider>(text, enc);
}
public static string SHA256Of(string text)
{
return SHA256Of(text, Encoding.Default);
}
public static string SHA256Of(string text, Encoding enc)
{
return HashOf<SHA256CryptoServiceProvider>(text, enc);
}
public static string HashOf<TP>(string text, Encoding enc)
where TP: HashAlgorithm, new()
{
var buffer = enc.GetBytes(text);
var provider = new TP();
return BitConverter.ToString(provider.ComputeHash(buffer)).Replace("-", "");
}
Upvotes: 1
Reputation: 27
use SHA1 or SHA2 The MD5 algorithm is problematic.
http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5%28v=vs.85%29.aspx
Upvotes: 1
Reputation: 25277
Not sure what you mean by automatically, but you should really use SHA256 and higher. Also always use a Salt (code) with your hashes. A side note, after time has passed, using hardened hashes is far better than using a plain speed-based hashing function. I.e.: hashing over a few hundred iterations, or using already proven hashing functions such as bcrypt (which is mentioned below I believe). A code sample for using a SHA256 hash function in .NET is as follows:
byte[] data = new byte[DATA_SIZE];
byte[] result;
using(SHA256 shaM = new SHA256Managed()) {
result = shaM.ComputeHash(data);
}
Will do the trick for you using SHA256 and is found at MSDN.
Sidenote on the "cracking" of SHA1: Putting the cracking of SHA-1 in perspective
Upvotes: 34
Reputation: 1987
Both are too fast to be used, directly at least. Use Key Strengthening to "slow down" the password hashing procedure. Speed is the unfortunately the enemy to password security.
How slow is slow enough? Slowing down a password hash from ~microseconds to ~hundreds of milliseconds will not adversely affect the perceived performance of your application... but will make cracking passwords literally a hundred thousand times slower.
View this article for details: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
The problem is that MD5 is fast. So are its modern competitors, like SHA1 and SHA256. Speed is a design goal of a modern secure hash, because hashes are a building block of almost every cryptosystem, and usually get demand-executed on a per-packet or per-message basis.
Speed is exactly what you don’t want in a password hash function.
... snip ...
The password attack game is scored in time taken to crack password X. With rainbow tables, that time depends on how big your table needs to be and how fast you can search it. With incremental crackers, the time depends on how fast you can make the password hash function run.
That said, use BCrypt. SCrypt was recently developed, but I doubt that any stable (or production ready) libraries exist for it yet. Theoretically, SCrypt claims to improve upon BCrypt. "Building your own" is not recommended, but iterating MD5 / SHA1 / SHA256 thousands of times ought to do the trick (ie: Key Strengthening).
And in case you don't know about them, be sure to read up on Rainbow Tables. Basic security stuff.
Upvotes: 11
Reputation: 1038930
SHA1 is stronger than MD5 so if you have the choice it would be better to use it. Here's an example:
public static string CalculateSHA1(string text, Encoding enc)
{
byte[] buffer = enc.GetBytes(text);
SHA1CryptoServiceProvider cryptoTransformSHA1 = new SHA1CryptoServiceProvider();
return BitConverter.ToString(cryptoTransformSHA1.ComputeHash(buffer)).Replace("-", "");
}
Upvotes: 28
Related Questions
- Which of the .NET included hashing algorithms are suitable for password hashing?
- Hashing passwords with MD5 or sha-256 C#
- Looking for a C# hash faster then MD5 or SHA256
- Better hashing than SHA1
- How should I compute files hash(md5 & SHA1) in C#
- Faster MD5 alternative?
- C# High speed MD5/SHA hash over network
- SHA1 or AES - which is better in asp.net?
- SHA vs MD5 or other? What is least overhead implementation in MVC3?
- What should I use for password fields in a table; MD5 or SHA1?