Im implementing users account in my website.I need to encrypt passwords from new members,however im getting crazy with many options that ive found to accomplish that.
Symmetric and asymmetric cryptosystems, public versus private keys, digital signatures, hash algorithms, RSA, DES, Rijndael, PGP, MD5, SHA-1, https, secure sockets, Camellia, IDEA; what does it all mean?
I dont even know the difference between MD5 and rinjdael,can somenone tell me the best option to encrypt?
If you are using asp.net, you can use the built in user account features.
If you insist on building your own, you shouldn't encrypt, you should hash and ONLY store the hash, not the actual password.
Here is a link to get you started.
comment update
membership providers for MySql
membership providers for Oracle
What is the easiest way to encrypt a password when I save it to the registry?
you dont encrypt passwords you hash them, see the link for a similar issue
If you want to store passwords in a database for example, I would recommend you to use HMAC (Hash-based Message Authentication Code); you'll need a cryptographic hash function (e.g. SHA-512) in combination with a secret key to generate the MAC. Also, it's important to note here that you don't encrypt the password, but you rather hash it.
For the encryption of locally saved passwords for example (though Bruce Schneier says you should write your passwords down on paper), you can use an asymmetric-key cryptosystem like RSA. In this case you'll have a key pair consisting of a public key, which you'll share with your friends, and a private key, which you should, well, keep private. The nice thing about RSA is that you can either encrypt messages with your public key and then decrypt them with your private key; or you can use it to digitally sign documents by using your private key to calculate the hash of a document, and then validate it using your public key. Pretty nifty!
You shouldn't encrypt the password but take a hash of it using a salt (to protect against rainbow tables) and SHA-256 or better. This means you don't have to keep a secret key and worry about loads of key management stuff and also means that no one (including yourself) can find out a users password from the data in your database (they can only confirm that they have guessed the right password).
It is also suggested that you use a lot (1000+) of iterations of the hash to make it slow to calculate (not too slow for the user entering the correct password but far too slow if you're hashing loads of words to see if any match the contents of your db).
If you google salts, rainbow tables, hashes etc there is loads of information out there.
Here is a really good article that I used when I was first learning how to store passwords. This is a really good primer and it is written in C#
This has been answered before, but the short version is that you salt the password, hash it with at least SHA-256, and preferably use strengthening. If this doesn't make sense to you, you're not ready to write anything yet; keep researching.
I think you could use MD5, it's simple to implement on .Net and it's a 128 bits (one way) cryptographic hash function. It has hash colission problems on wide ranges though.
Or you could check at Gost which is a 256 bits cryptographic hash function.
i have used this code to encrypt the password in binary format.. may be this will help you
private string Encrypt(string clearText)
{
string EncryptionKey = "MAKV2SPBNI99212";
byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
using (Aes encryptor = Aes.Create())
{
Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
encryptor.Key = pdb.GetBytes(32);
encryptor.IV = pdb.GetBytes(16);
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
{
cs.Write(clearBytes, 0, clearBytes.Length);
cs.Close();
}
clearText = Convert.ToBase64String(ms.ToArray());
}
}
return clearText;
}
