Encryption

[kerplunk]

How do I encrypt before storing to database(SQL Compact) and how to decrypt it back if needed?
Do I manually implement an encryption algorithm before storing? Then if I need that data, I again run a method that decrypts?

I saw an example way back, but his link was uploaded on Megaupload :)

[AceInfinity]

I wouldn't, well, you don't really need to decrypt after encryption. Just compare an input string (encrypted version) to the encrypted version stored in the database? Why decrypt it at any given time for any reason? This is typically the way people design PHP scripts to interact with Mysql databases. Salt + Hash, from input, compared to the original Salt + Hashed string which was saved into the database.

You can decrypt, but I don't see a reason for it. Just focus on the encryption. You can just use hashed values if you want, add a salt on top of them, otherwise if you're really desperate, then you can create your own encryption algorithm. Just mix and match algorithms plus bit, and/or byte modifications, and you're good. Just remember that the output has to be unique, otherwise it kind of defeats the purpose as now there's multiple input's the a person can use to access the database info pertaining to those member's credentials. You only want the ONE value to return that specific value which was saved as the key/pass in the database. This is more likely why people usually use MD5, it's simple and does the trick. Collisions, although known hardly ever happen by accident.

[kerplunk]

Ohh right :) forgot that I can just compare encrypted no need to decrypt, my bad haha.

What is the better way in securing accounts though? because what I'm planning to use this is for logins. Hash them or encrypt? Im thinking hashing does the job better?

[AceInfinity]

(09-14-2012 01:23 AM)#KerplunK Wrote:  What is the better way in securing accounts though? because what I'm planning to use this is for logins. Hash them or encrypt? Im thinking hashing does the job better?

As explained, you need the encrypted values to be unique, therefore that's why hashing is so common. Hashing is a form of encryption because it holds an original value when reversed (even though this would take some very complicated formulas to do so, and so people generally bruteforce them by checking permutation combinations).

You can do whatever you want, just make sure that your database can store these encrypted values without problems.

[Morpheus]

Try this:


Public Function Gen_ID(ByVal strToHash As String) As String
Dim md5Obj As New System.Security.Cryptography.MD5CryptoServiceProvider
Dim bytesToHash() As Byte = System.Text.Encoding.ASCII.GetBytes(strToHash)

bytesToHash = md5Obj.ComputeHash(bytesToHash)

Dim strResult As String = ""

For Each b As Byte In bytesToHash
strResult += b.ToString("x2")
Next

Return strResult
End Function

Use : MsgBox(Gen_ID("TechLifeForum"))

[kerplunk]

wow thanks a lot guys! :)

EDIT: How can I add random "salt" (meaning not hardcoded into the program or not in the database) but still retrieve the same hash?? kinda confused here :)

[kerplunk]

It seems it's not possible to have a random salt each account without having it saved somewhere. So I had it stored in the database as a separate column in the Accounts Schema.

[AceInfinity]

(09-14-2012 07:14 PM)#KerplunK Wrote:  It seems it's not possible to have a random salt each account without having it saved somewhere. So I had it stored in the database as a separate column in the Accounts Schema.

No, because then you wouldn't even know what the salt was lol, that's not really the idea though :) You want to know what the salt is, but you don't want others to know.

HINT: It doesn't even have to be plain string text, you could create it based on some array of bytes calculated by some controlled algorithm so that things have a formula. You'll want to be able to recreate this formula when you compare login input to the saved values in the database though of course.