
Could anyone clarify the "whole" story with this RSA-related thing? (I guess that's because of padding or something.)

Ok. My general aim is to encrypt passwords (one way only) to store them in the database in a hashed state.

My approach is:

I create private/public keys with this How to Generate Unique Public and Private Key via RSA (common) approach.

// Key pair stored in a named container of the machine key store.
const int PROVIDER_RSA_FULL = 1;
const string CONTAINER_NAME = "KeyContainer";
CspParameters cspParams;
cspParams = new CspParameters(PROVIDER_RSA_FULL);
cspParams.KeyContainerName = CONTAINER_NAME;
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
// Opens the container, or creates a new key pair in it if none exists yet.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);

string publicPrivateKeyXML = rsa.ToXmlString(true);   // includes the private exponent
string publicOnlyKeyXML = rsa.ToXmlString(false);     // modulus and public exponent only
// do stuff with keys...

and when needed, do this:

var rsa = new RSACryptoServiceProvider();
rsa.FromXmlString(publicOnlyKeyXML);          // load the public key saved above
var valueToEncode = Console.ReadLine();
// false = PKCS#1 v1.5 padding (true would select OAEP)
Console.WriteLine(Convert.ToBase64String(rsa.Encrypt(Encoding.UTF8.GetBytes(valueToEncode), false)));
// initially that's rsa.Encrypt(...

and every time I encrypt the same value again, I receive different values, which is not suitable for storing a password in such a way (as I don't decrypt it for users' authentication, but just compare the hashed value).

Could anyone clarify the situation with the encoding stuff?

And also, what are the common practices for encoding passwords to hashes these days (.NET/C#)?

Thank you!

Agat
    Encryption and hashing are two **different** things. You need to use bcrypt or PBKDFv2. Do not use RSA. – SLaks Jun 10 '13 at 15:17
  • I surely understand the meaning of the words "hashing" and "encrypting"; however, still, the question is on the table. – Agat Jun 10 '13 at 15:18
  • Then why are you using an **encryption** algorithm? Encryption is not idempotent. – SLaks Jun 10 '13 at 15:19
  • The **core** question is **why** those outputs are **different**? (In some conditions I have some code which results in the same values: I have a public/private key pair generated (not by me) which works fine.) – Agat Jun 10 '13 at 15:20
  • So, generally, that's not even a question about passwords and hashing. That's to understand how the code works and why the values are different. – Agat Jun 10 '13 at 15:27
  • Yes; you're seeing padding. http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ – SLaks Jun 10 '13 at 15:50
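The two points raised in this thread, shown side by side as an added example (not code from the question or from any of the commenters). The first method demonstrates why the question's `rsa.Encrypt(..., false)` call never repeats: PKCS#1 v1.5 padding prepends fresh random bytes before every encryption, so the ciphertext is randomized by design. The second part shows the deterministic alternative the comments recommend for password storage: PBKDF2 via `Rfc2898DeriveBytes` with a random per-user salt and an iteration count stored next to the hash. The sample password, the iteration count, the salt and hash sizes, and the `iterations:salt:hash` record layout are this example's own choices; the `HashAlgorithmName` overload of `Rfc2898DeriveBytes` is assumed to be available (.NET Framework 4.7.2 or .NET Core 2.0 and later).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordStorageDemo
{
    // Part 1: RSA public-key encryption is randomized, so it cannot be used
    // as a lookup value. Same key, same plaintext, two different ciphertexts.
    static bool RsaCiphertextsDiffer()
    {
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            byte[] plaintext = Encoding.UTF8.GetBytes("correct horse"); // constructed sample
            byte[] c1 = rsa.Encrypt(plaintext, false); // PKCS#1 v1.5: random non-zero padding bytes
            byte[] c2 = rsa.Encrypt(plaintext, false); // ...drawn again on every call
            return Convert.ToBase64String(c1) != Convert.ToBase64String(c2); // true
        }
    }

    // Part 2: PBKDF2 with a per-user random salt. The salt and iteration count are
    // stored with the hash so verification can recompute exactly the same value.
    const int SaltSize = 16;        // bytes; example value
    const int HashSize = 32;        // bytes; example value
    const int Iterations = 100000;  // example value; tune to your hardware budget

    static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] hash = kdf.GetBytes(HashSize);
            // Record layout (this example's own): iterations:base64(salt):base64(hash)
            return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
        }
    }

    static bool VerifyPassword(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split(':');
        if (parts.Length != 3) return false;

        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);

        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            return FixedTimeEquals(actual, expected);
        }
    }

    // Length-independent, branch-free comparison so a wrong guess does not leak
    // how many leading bytes matched through timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        Console.WriteLine("RSA ciphertexts differ: " + RsaCiphertextsDiffer());

        string record = HashPassword("correct horse");
        Console.WriteLine("Stored record: " + record);
        Console.WriteLine("Right password verifies: " + VerifyPassword("correct horse", record)); // True
        Console.WriteLine("Wrong password verifies:  " + VerifyPassword("wrong horse", record));  // False

        // Two registrations of the same password produce different records (different salts),
        // yet each verifies on its own: determinism lives in the verify step, not in the stored bytes.
        Console.WriteLine("Records identical: " + (record == HashPassword("correct horse")));  // False
    }
}
```

Note that the stored record is not a lookup key either: because the salt is random, you fetch the user's record by username and then recompute PBKDF2 with that record's salt and iteration count. That is the property the question was after, and it comes from the key derivation being deterministic for a given salt, not from the encryption being deterministic.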
