New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.

New Store Encryption Helper class - Part 2

Hash algorithms

The System.Security.Cryptography namespace contains several implementations of Hash algorithms. Three kinds of algorithms are available: MD5, SHA in different 'flavor' (SHA-1, SHA-256, SHA-384 and SHA-512) and RIPEMD-160. MD5 is popular but weak. SHA is stronger and widely used. RIPE Message Digest is less well knows. Probably because RIPEMD was designed by a group of European academic researchers, while SHA was designed by the NSA.

A Hash algorithm creates a fixed length hash value, also called the message digest, from a plain text message. The message himself is not encrypted and this is a one way process. In other words, you can’t recreate the original message from the message digest. Those algorithms can be used to tamper a message or to detect changes. The message can't be changed and the message digest is the proof that it has not been altered. Because if you change just a few bits, the resulting message digest will be completely different. Although it is possible than two different messages produce the same message digest, the probability of a collision is very low. This is why a message digest is sometime used as a key in a hash table.

Do not confuse the message digest with the hash value used in a HashTable class! The first is a byte array of a fixed size generated by a cryptographic Hash algorithm; while the second is an integer computed by a mathematical function. In some cases, this function can be simple as returning a record identifier. If you are curious, look at the GetHashCode() method of the String class using Reflector. You will discover how a hash value can be computed from a string.

Suppose you are competitor in a contest about computer history. One question is: "Who is the inventor of the DEK Hash Function?" You call me for the answer but I want to be fair with other competitors and I tell you: "I know his name and I can prove it, it's: 59FFB19672028402F240543166FED84A30BE3424". With this SHA-1 message digest, you will be able to verify my answer, when I will give it to you. Do you know the name of this person?

Another common use case of a Hash algorithm is to generate a cryptographic key from a weak password. This allows you to have a more secure scheme when encrypting a message with a password using a symmetric algorithm. Also instead to store an encrypted password in a database, you can use a Hash algorithm to create a message digest and store it into the database. To authenticate a user, you just have to create a message digest with the submitted password and compare it with the stored one.

Keyed-Hash algorithms

The main problem with Hash algorithms is than the same message produces always the same message digest thus they are exposed to dictionary attacks. Some articles on the Internet show you how to 'salt' your message. This can be done by a function like: Hash(message + Hash(salt)). Instead, you should use the more secure keyed hash algorithms.

HMAC (Hash-based Message Authentication Code) algorithms inherit from the hash algorithms combined with a secret key. The .Net framework implements seven of them: HMACMD5, HMACRIPEMD-160, HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512 and HMACTripleDES. They are used to control both data integrity and authentication of a message. Of course the secret key must be shared to be able to validate the message.

Imagine you have a B2B on line store. The user account could be used by several people to authenticate the company and allow access to the company’s orders and other data. However, you don't want than anyone can submit an order! You could then use a keyed hash algorithm with a secret key shared by a few people allowed to submit an order. To avoid a brute force attack against a weak secret key, you can apply a Hash algorithm to a passphrase and use the message digest as the secret key. Moreover, a passphrase like 'My Secret Key' is simpler to memorize by a human than 04F13208B4A051...

I'd write briefly on asymmetric algorithms, and then I give you more details about symmetric algorithms in the new part. Stay tuned!


There are currently no comments, be the first to post one.

Comment Form

Only registered users may post comments.


Aderson Oliveira (22)
Alec Whittington (11)
Alessandra Daniels (3)
Alex Shirley (10)
Andrew Hoefling (3)
Andrew Nurse (30)
Andy Tryba (1)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (37)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Bogdan Litescu (1)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (213)
Chris Paterra (55)
Clint Patterson (108)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (181)
Daniel Valadas (48)
Dave Buckner (2)
David Poindexter (12)
David Rodriguez (3)
Dennis Shiao (1)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (80)
Francisco Perez Andres (17)
Geoff Barlow (12)
George Alatrash (12)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (274)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Kelly Ford (4)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matt Rutledge (2)
Matthias Schlomann (16)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (40)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Oliver Hine (1)
Patricio F. Salinas (1)
Patrick Ryan (1)
Peter Donker (54)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Sacha Trauwaen (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott Schlesier (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Steven Fisher (1)
Tony Henrich (3)
Torsten Weggen (3)
Tycho de Waard (4)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (40)
Will Strohl (180)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out