Reputation: 97
At the time of registering:
string crypt = CryptSharp.Crypter.Sha512.GenerateSalt();
crypt = txtspss.Text.Trim();
crypt = CryptSharp.Crypter.Sha512.Crypt(txtspss.Text, crypt);
At the time of login:
string cpass=dr["strUPass"].ToString();
bool matches = Crypter.CheckPassword(pass,cpass);
if (matches)
{....}
Upvotes: 1
Views: 1186
Reputation: 1904
A salt is supposed to be unique. By doing this, someone trying to crack passwords has to do a separate computation for each password, instead of being able to generate hashes for a million passwords and then check them against the entire stolen password database.
CryptSharp encodes passwords in Modular Crypt Format. Here's the design. Suppose the algorithm is A, the salt is B, and the hash is C. GenerateSalt writes AB, Crypt reads AB and generates C, returning ABC. Underneath, you see, CheckPassword is more or less equivalent to:
Crypter.Crypt(password, crypt) == crypt
Because Crypt reads only AB, if you pass it ABC, it's the same as passing it AB. This is how Crypt does double-duty both generating and checking password hashes.
At registration, GenerateSalt and Crypt, and at log-in, CheckPassword. Many people will tell you this or that about storing salts separately, etc. and this is good general advice, but Modular Crypt Format is designed so everything needed is stored in the same string. It's all taken care of for you.
Oh... Also, in your code, you have a bug. Your line in the middle isn't doing you any good. The following will work correctly:
string crypt = CryptSharp.Crypter.Sha512.GenerateSalt();
crypt = CryptSharp.Crypter.Sha512.Crypt(txtspss.Text.Trim(), crypt);
Upvotes: 3
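The AB / ABC design described in this answer, as an added example that is not CryptSharp's code: a toy modular-crypt-format scheme in Python that substitutes PBKDF2-HMAC-SHA512 for sha512-crypt and uses a hypothetical scheme identifier. The checker re-derives the hash from the stored string's own prefix and compares, so nothing but the stored string is needed at login; a bare plaintext passed as the "salt" (what the question's middle line effectively does) is rejected by this toy's parser, which says nothing about how CryptSharp itself reacts to that input.

```python
import base64
import hashlib
import hmac
import os

SCHEME_ID = "pbkdf2-sha512"  # hypothetical scheme identifier for this toy


def generate_salt(rounds=100_000):
    """Return the 'AB' part: $id$rounds$salt$ with a fresh random salt."""
    salt = base64.b64encode(os.urandom(16)).decode().rstrip("=")
    return f"${SCHEME_ID}${rounds}${salt}$"


def _parse(crypt_string):
    """Read only the AB prefix; any trailing hash (C) is ignored."""
    parts = crypt_string.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != SCHEME_ID:
        # A bare password (the question's overwritten variable) lands here.
        raise ValueError("not a modular-crypt-format string for this scheme")
    return int(parts[2]), parts[3]


def crypt(password, salt_or_crypt):
    """Produce ABC from AB (or from ABC, since C is ignored on input)."""
    rounds, salt = _parse(salt_or_crypt)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    digest = base64.b64encode(dk).decode().rstrip("=")
    return f"${SCHEME_ID}${rounds}${salt}${digest}"


def check_password(password, stored):
    """Crypt(password, ABC) == ABC, compared in constant time."""
    return hmac.compare_digest(crypt(password, stored), stored)


if __name__ == "__main__":
    # Registration: generate a salt, hash with it, store the whole ABC string.
    stored = crypt("correct horse", generate_salt())
    print(stored)
    # Login: only the stored string and the candidate password are needed.
    print(check_password("correct horse", stored))    # True
    print(check_password("battery staple", stored))   # False
```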
Reputation: 3724
SHA512 is a hashing algorithm, and to make it more secure against attacks like rainbow tables, library methods optionally take a salt value.
The same salt value should be present when hashing and when comparing the hash of a new value, and in your code you don't seem to be doing that.
When registering a user, the salt should be stored in the database and retrieved when logging in so it can be supplied to the CheckPassword function.
Upvotes: 0
Reputation: 77285
There is not enough code to say what exactly is wrong, but you should start by using the result of
CryptSharp.Crypter.Sha512.GenerateSalt()
because right now, you just dump it by overwriting the variable in the following line.
Upvotes: 0