CODEWITHSUNDEEP
c#hashstreammd5salt-cryptography
Keith Marsh
Keith Marsh

Reputation: 175

Salting a C# MD5 ComputeHash on a stream

I can't see any way to salt a MD5.ComputeHash(Stream). Am I missing some way of injecting bytes into the HashAlgorithm?

I tried performing a ComputeHash(byte[]) before performing the stream compute, but, unsurprisingly, it had no effect. Any ideas (apart from modifying the file)?

Thanks for your time.

addendum Just to be a little more specific, I want to use a stream to get a hash on a large file that I don't want to load into memory.

FileInfo myFI= new FileInfo("bigfile.dat");
FileStream myIFS = piFile.OpenRead();
MD5 md5 = MD5.Create();
byte[] hash = md5.ComputeHash ( myIFS );
myIFS.Close ();

Upvotes: 3

Views: 11522

Answers (5)

Simeon Pilgrim
Simeon Pilgrim

Reputation: 26043

To avoid pull all the file into memory like Dabblernl's solution you'll want to use a FileStream as is discussed in this SO question Computing MD5SUM of large files in C#, but the MD5CryptoServiceProvider does not allow you to add extra data to the end.

Thus you need a merged stream like this:

public class MergedStream : Stream, IDisposable
{
    Stream s1;
    Stream s2;

    public MergedStream(Stream first, Stream second)
    {
        s1 = first;
        s2 = second;
    }

    public override int Read(byte[] buffer, int offset, int count)
    {
        int s1count = (int)Math.Min((long)count, s1.Length - s1.Position);
        int bytesRead = 0;

        if (s1count > 0)
        {
            bytesRead += s1.Read(buffer, offset, s1count);
        }

        if (s1count < count)
        {
            bytesRead += s2.Read(buffer, offset + s1count, count - s1count);
        }

        return bytesRead;
    }

    public override void Write(byte[] buffer, int offset, int count)
    {
        throw new NotImplementedException();
    }

    public override bool CanRead
    {
        get { return s1.CanRead && s2.CanRead; }
    }

    public override bool CanSeek
    {
        get { return s1.CanSeek && s2.CanSeek; }
    }

    public override bool CanWrite
    {
        get { return s1.CanWrite && s2.CanWrite; }
    }

    public override void Flush()
    {
        s1.Flush();
        s2.Flush();
    }

    public override long Length
    {
        get { return s1.Length + s2.Length; }
    }

    public override long Position
    {
        get
        {
            return s1.Position + s2.Position;
        }
        set
        {
            throw new NotImplementedException();
        }
    }

    public override long Seek(long offset, SeekOrigin origin)
    {
        throw new NotImplementedException();
    }

    public override void SetLength(long value)
    {
        throw new NotImplementedException();
    }

    void IDisposable.Dispose()
    {
        s1.Dispose();
        s2.Dispose();
    }
}

Which you can then use like this to salt you file hash

        FileStream fs = new FileStream(@"c:\text.txt", FileMode.Open);
        var m = new MemoryStream(ToAnsiiBytes("SALT"), false);
        var ms = new MergedStream(fs, m);

        var C = hasher.ComputeHash(ms);
        PrintHash(Console.Out, C);

with ToAnsiiBytes and PrintHash just being utility functions as such:

    static void HashAndPrint(TextWriter op, string text)
    {
        MD5 md5 = new MD5CryptoServiceProvider();

        byte[] bytes = ToAnsiiBytes(text);

        byte[] hash = md5.ComputeHash(bytes);

        PrintHash(Console.Out, hash);
        Console.Out.WriteLine( " = {0}", text);
    }

and 

    public static void PrintHash(TextWriter op, byte[] hash)
    {
        foreach (byte b in hash)
        {
            op.Write("{0:X2}", b);
        }
    }

when the file c:\text.txt contains the text toto you can run this code to see that the file + salt equals the same as the text "totoSALT"

        FileStream fs = new FileStream(@"c:\text.txt", FileMode.Open);

        var hasher = new MD5CryptoServiceProvider();
        var A = hasher.ComputeHash(fs);
        PrintHash(Console.Out, A);
        Console.Out.WriteLine();

        var salt = new byte[] { 0x53, 0x41, 0x4C, 0x54 };

        var B = hasher.ComputeHash(ToAnsiiBytes("SALT"));
        PrintHash(Console.Out, B);
        Console.Out.WriteLine();

        var m = new MemoryStream(ToAnsiiBytes("SALT"), false);

        fs.Seek(0, SeekOrigin.Begin);
        var ms = new MergedStream(fs, m);

        var C = hasher.ComputeHash(ms);
        PrintHash(Console.Out, C);
        Console.Out.WriteLine();


        HashAndPrint(Console.Out, "toto");
        HashAndPrint(Console.Out, "totoSALT");
        HashAndPrint(Console.Out, "SALT");

with this output

F71DBE52628A3F83A77AB494817525C6
8C4F4370C53E0C1E1AE9ACD577DDDBED
308DB2451D6580FEEB09FCF2DC1CEE19
F71DBE52628A3F83A77AB494817525C6 = toto
308DB2451D6580FEEB09FCF2DC1CEE19 = totoSALT
8C4F4370C53E0C1E1AE9ACD577DDDBED = SALT

Upvotes: 0

DxCK
DxCK

Reputation: 4552

this is the right way to do it:

    private static byte[] _emptyBuffer = new byte[0];

    public static byte[] CalculateMD5(Stream stream)
    {
        return CalculateMD5(stream, 64 * 1024);
    }

    public static byte[] CalculateMD5(Stream stream, int bufferSize)
    {
        MD5 md5Hasher = MD5.Create();

        byte[] buffer = new byte[bufferSize];
        int readBytes;

        while ((readBytes = stream.Read(buffer, 0, bufferSize)) > 0)
        {
            md5Hasher.TransformBlock(buffer, 0, readBytes, buffer, 0);
        }

        md5Hasher.TransformFinalBlock(_emptyBuffer, 0, 0);

        return md5Hasher.Hash;
    }

Upvotes: 5

Jeff Moser
Jeff Moser

Reputation: 20053

You might consider using the HMACMD5 class and setting the Key property instead. In general, I'd go with an HMAC rather than the standard hash function since they offer a bit better security.

Upvotes: 3

bbmud
bbmud

Reputation: 2688

The answer to the lack of examples is in my opinion: you don't really need to salt it.

The hash algorithm like MD5 takes a table of bytes of arbitrary length and converts it to a table of bytes of known length - the operation is not easily reversible and small changes to the input table cause unpredictable changes in the output table:

input => MD5 => output

The purpose of salting is protection against attacks where user has already precomputed table of hash results (rainbow tables). By introducing small changes in the input, the results are change drastically, so even if attacker knows the hash result and the salt, it is very difficult to guess the input:

input + salt => MD5 => output

The reason for hashing files is to compute a checksum. E.g. you publish a file on your web page along with the hash result. User then downloads a file, runs it through MD5 and compares the result with your published result. It would be very difficult to tamper with the file, because each manipulation would change the resulting hash.

Salting is not necessary here, because you would have to publish the salt with the resulting hash, so that the user can repeat the hashing operation.

If you really need to introduce salting, just change the input stream in the repeatable way, e.g. add one (with overflow) to each byte.

Upvotes: 6

Dabblernl
Dabblernl

Reputation: 16121

I think you can use a syntax like:

byte[] saltedBytes;
//TODO: fill the saltedBytes;
var hasher=new MD5CryptoServiceProvider();
var memoryStream=new MemoryStream(saltedBytes);
hasher.ComputeHash(memoryStream);
memoryStream.Close;

Upvotes: 1

Related Questions