Wednesday, February 7, 2007

Hash code, what the hack of that?

well u always heard of encryption and hashing in security context, if we have encryption to protect our data, then why we need to hash?

FYI, we use hash code for 2 most common things, which are

  • Verify data integrity, to make sure the the data is always original and the right data
  • Used to store password, not original password but hashed
    password.
  • Verify data integrity (use keyed hash code for better security)

    let say a person A wants to send a file via e-mail to person B. person B wants to ensure that the file in the e-mail has not been intercepted, therefore person B need to generate hash code of the file received by him (person B) and compare it with the hash code of the file generated which sent together with the original text by the person A. if both the hash codes are equal in comparison, then the file is original and had not been altered, otherwise the data had been corrupted or intercepted.

    example of keyed hash code :

    you can use HMACSHA1 or MACTripleDES, using HMACSHA1 has better flexibility since it can support any key size in bits and up to 160bits of hash code size.

    HMACSHA1 haHMACSHA1 = new
    HMACSHA1(Encoding.Unicode.GetBytes("secretKey"));
    byte[] hashedData =
    haHMACSHA1.ComputeHash(Encoding.Default.GetBytes("My important
    data."));
    string hashedCode = BitConverter.ToString(hashedData);

    since the sender and the receiver knows the "secretKey"; only the right "secretKey" can produce the right hash code comparing the hash code of the file from the sender, therefore transmitting file will be more secure to avoid someone intercepting the file in case the hacker had created a faked data with hash code of its faked data. In this way, you not only be able to ensure the data is unchanged during transmission and it also ensure you that the data integrity.

    Used to store password

    Do you know that hashed password is quite impossible to compute back to original password? How to derive this
    4B-E1-ED-D7-38-8A-AF-D5-A4-BD-D0-30-41-A8-34-7E-A1-84-E1-79-87-E8-7A-AA-79-2F-6D-7B-71-BA-01-A7 back to original data? The fact it is nearly impossible with any advance algorithm. Hash code is one way cryptographic functions. Therefore, if your customer said that he has lost the password and would like to retrieve it, the solution is to create a new password for him. That's all.

    In real world, security expert will suggests that storing hashed password instead of plain text password in their database for security reason; system uses the stored hash code to compare with the computed hash code of password by the user. First the reason is because, no one could know what the user real password in the database even the database administrator. Secondly, a small different in password will result significant different in hash code of password, therefore it will be very hard to guess the hash code pattern given the relationship between a list of hash codes.

    example of hash code :

    you can use MD5 (128bits), SHA1(160bits), SHA256(256bits)....SHA512(512bits) algorithms.

    HashAlgorithm haSHA256 = HashAlgorithm.Create("SHA256");
    byte[] password =
    Encoding.Default.GetBytes("MyPasSWoRd");
    string hashedPassword =
    BitConverter.ToString(haSHA256.ComputeHash(password));

    simple? Next i will discuss about applying encryption into your code.

    3 comments:

    Anonymous said...

    Ummm.... i used that code u gave me... i saved it as an . exe if that was wrong i need to know cuz wqen i open up the pass cracker hash it says it has been given an illigal action... it gives me a choice to ignore or close program... would i get into trouble if i ignore? Contact me at Countdorkula93@aol.com plz!!! Thankyou!!!

    Tecla said...

    Great work.

    Anonymous said...

    Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality now keep it up!