2

I need to store a password as an encrypted string in an XML file, and be able to pull it back out again. A quick glance through the System.Security.Cryptography Namespace reveals many options, some of which are hashing and some encryption.

This is the first time I have done any kind of string encryption (where the value is pulled back out again), and I was expecting something like this:

```csharp
string plainTextPassword = "mypassword";
string myKey = "some key that people are unlikely to guess";
string encryptedPassword = SomeObject.Encrypt(myKey, plainTextPassword);
// ... write encryptedPassword to xml file ...
```

and

```csharp
// ... read encryptedPassword from xml file ...
string decryptedPassword = SomeObject.Decrypt(myKey, encryptedPassword);
```

But when I look in the namespace there are services that provide hashing in there also, rather than purely encryption. I also notice that a lot of other questions are more around hashing (or at least one-way encryption) and are not particularly concerned with retrieving the strings afterwards.

I definitely want more than just hashing the password. Where should I start?

sennett
  • 1
    This CodeProject article will answer all your questions as well as provide code snippets to help solve your problem: http://www.codeproject.com/Articles/10154/NET-Encryption-Simplified – Paul Sasik Jun 06 '12 at 03:53
  • 1
    Whatever your problem is, MD5 is almost certainly NOT the right answer. – Adam Robinson Jun 06 '12 at 03:53
  • I voted to close simply because your question is too broad. "Where do I start" questions are generally not a good fit for SO; please try to express your question specifically rather than generally. What have you tried and why didn't it work? – Adam Robinson Jun 06 '12 at 03:55
  • @PaulSasik Thanks. Reading now. – sennett Jun 06 '12 at 03:55
  • @sennett: The code samples are VB.NET (just noticed) but easy enough to convert to C#. Pay attention to how hashes are used **with** encryption techniques, they are _not_ encryption. – Paul Sasik Jun 06 '12 at 03:58
  • @AdamRobinson Thanks for your feedback. I was searching and found loads on MD5, SHA1 etc, which is not what I'm after (Lucifer's comment seems pretty much the default response). I thought that it would be good to have some constructive opinions about appropriate algorithms for this specific task (storing encrypted password in XML file). – sennett Jun 06 '12 at 03:58
  • @PaulSasik What do you mean? We seem to be agreeing! I know that SHA1 and MD5 are not encryption algorithms. Have I missed something? – sennett Jun 06 '12 at 04:02
  • @sennett: Sorry mate. Late here. You're right. Here's a code sample using Rijndael: http://kiranpatils.wordpress.com/2008/03/13/encryptiondecryption-helper-class-using-rijandelmanaged/ It sucks for "strength" of encryption but will get something going quickly (hopefully.) – Paul Sasik Jun 06 '12 at 04:05
  • @PaulSasik No problem :) Stick these links in an answer and I'll mark as done. Thanks for your time you helped me a lot. – sennett Jun 06 '12 at 04:08
  • 1
    Here is a question I asked a while ago. http://stackoverflow.com/questions/165808/simple-2-way-encryption-for-c-sharp Not sure if it will meet your requirements, but it's one I use for simple hiding of information. – Matt Dawdy Jun 06 '12 at 04:15
  • In general it's a bad idea to decrypt passwords. Standard practice is to use a random salt, compute a hash string for the password and store that. To check for a password match, ask the user for the password and repeat the process, then see if the hashes match. – Ankush Jun 06 '12 at 05:15
  • @Ankush: It's a bad idea to store passwords in a reversible format *if you're the one doing the authentication*. If, on the other hand, he's storing the password that allows him access to some other service, he obviously needs it reversible. – Adam Robinson Jun 06 '12 at 12:25

1 Answer

2

This CodeProject article will answer all your questions as well as provide code snippets to help solve your problem: http://www.codeproject.com/Articles/10154/NET-Encryption-Simplified

The code samples are VB.NET (just noticed) but easy enough to convert to C#. Pay attention to how hashes are used with encryption techniques, they are not encryption.

Here's a code sample using Rijndael: http://kiranpatils.wordpress.com/2008/03/13/encryptiondecryption-helper-class-using-rijandelmanaged/ The way it's implemented sucks for "strength" of encryption but will get something going quickly (hopefully.)

Paul Sasik
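An added example, not part of the original answer or the linked articles: a passphrase-based `Encrypt`/`Decrypt` pair in the shape the question asks for, using PBKDF2 to derive the key and AES-GCM so that a wrong key or a modified value is rejected instead of decrypting to garbage. The class name `SecretString`, the blob layout and the iteration count are assumptions chosen for illustration, and the code assumes .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration (not a .NET type). Assumes .NET 8 or later.
public static class SecretString
{
    // Sizes in bytes; the iteration count is an assumed work factor, tune it for your hardware.
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, Iterations = 600_000;

    // Stretch the passphrase into a 256-bit AES key. The salt is stored next to the ciphertext.
    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 32);

    // Returns Base64(salt || nonce || tag || ciphertext), which can be written into an XML element.
    public static string Encrypt(string passphrase, string plainText)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);   // fresh per value
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh per encryption
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        byte[] blob = new byte[SaltLen + NonceLen + TagLen + plain.Length];
        salt.CopyTo(blob, 0);
        nonce.CopyTo(blob, SaltLen);
        using var aes = new AesGcm(DeriveKey(passphrase, salt), TagLen);
        aes.Encrypt(nonce, plain,
            blob.AsSpan(SaltLen + NonceLen + TagLen),    // ciphertext destination
            blob.AsSpan(SaltLen + NonceLen, TagLen));    // authentication tag destination
        return Convert.ToBase64String(blob);
    }

    // AES-GCM authentication fails with a CryptographicException when the
    // passphrase is wrong or the stored bytes were altered.
    public static string Decrypt(string passphrase, string encoded)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < SaltLen + NonceLen + TagLen)
            throw new CryptographicException("Encrypted value is truncated.");
        byte[] salt = blob.AsSpan(0, SaltLen).ToArray();
        byte[] plain = new byte[blob.Length - SaltLen - NonceLen - TagLen];
        using var aes = new AesGcm(DeriveKey(passphrase, salt), TagLen);
        aes.Decrypt(blob.AsSpan(SaltLen, NonceLen),      // nonce
            blob.AsSpan(SaltLen + NonceLen + TagLen),    // ciphertext
            blob.AsSpan(SaltLen + NonceLen, TagLen),     // tag
            plain);
        return Encoding.UTF8.GetString(plain);
    }
}
```

The stored value is only as protected as the passphrase: a key hard-coded in the program or kept in the same XML file can be recovered by anyone who can read both, so keep it somewhere the file's readers cannot reach.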