-4

I'm writing an authentication system with sign-up and all. The passwords are hashed with a salt. I've run into a problem where the implementation I'm using operates with the salt and the final hash being byte arrays. I cannot turn this back into a regular human-readable string that I can store in SQL and I've tried almost all the Encodings in the Encoding class when printing to the console.

Any help would be much appreciated. Am I just missing something very obvious?

Code sample below:

using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // The salt and hash sizes are 16 bytes (128 bits)
        int saltSize = 16;
        int hashSize = 16;
        int iterations = 100000;

        // Fill the salt from the OS cryptographic random number generator
        RNGCryptoServiceProvider randomness = new RNGCryptoServiceProvider();
        byte[] salt = new byte[saltSize];
        randomness.GetBytes(salt);

        string password = "Mypassissecure7";
        byte[] passBytes = Encoding.Default.GetBytes(password);

        // PBKDF2 with HMAC-SHA512
        Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(passBytes, salt, iterations, HashAlgorithmName.SHA512);

        // Raw binary output, not text in any encoding
        byte[] hash = pbkdf2.GetBytes(hashSize);
    }
}
  • 4
    What's wrong with a Base64 string? https://stackoverflow.com/questions/11743160/how-do-i-encode-and-decode-a-base64-string – Rachel Ambler Aug 10 '20 at 21:47
  • You say "it's not correct" - by what basis? What are you trying to get back out? – Rachel Ambler Aug 10 '20 at 21:49
  • @RachelAmbler I added that edit right before I saw your comment. I had tried that line on my own through Intellisense. I suspected it could still be incorrect as I'm ignorant of text encodings and it was a stab in the dark. I feel much better now seeing your suggestion and will most likely move forward with that! Thanks. –  Aug 10 '20 at 21:50
  • 1
    All Base64 encoding does is turn a binary string into an extremely safe text string using just Alphas, Numerics and + or / symbols. – Rachel Ambler Aug 10 '20 at 21:57
  • Thank you for all advice and clarification! –  Aug 10 '20 at 21:59
  • Note that you can't turn any arbitrary byte array to a string through Encoding since they're unlikely to be valid encodings, see the 2nd paragraph https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#remarks – Martheen Aug 10 '20 at 22:03
  • 2
    I think it's more common to use hex strings for hashes, but it also depends on the use case. But if it's for SQL, why not use a BLOB, binary or maybe varbinary to store the `byte[]` directly? – Patrick Beynio Aug 10 '20 at 22:06
  • @PatrickBeynio I'd have just stored the byte array myself, but the question was requesting a safe string method. – Rachel Ambler Aug 10 '20 at 22:07
  • @PatrickBeynio Thanks for that insight as well. It's very helpful. I now have many options available to tackle this. –  Aug 10 '20 at 22:10
  • It is a really good idea to review [MCVE] from time to time. I.e. using incorrect encoding (https://stackoverflow.com/questions/6006422/how-does-encoding-default-work-in-net) has absolutely nothing to do with your question - so a true minimal sample would skip that part to avoid confusion. – Alexei Levenkov Aug 10 '20 at 23:34

1 Answer

2

For completeness' sake:

var base64String = System.Convert.ToBase64String(hash);

or

var hexString = BitConverter.ToString(hash);
Rachel Ambler
  • Note for the latter - https://learn.microsoft.com/en-us/dotnet/api/system.bitconverter.tostring?view=netcore-3.1#System_BitConverter_ToString_System_Byte___ - `All the elements of value are converted. The order of hexadecimal strings returned by the ToString method depends on whether the computer architecture is little-endian or big-endian.`. i.e. the value of `hexString` will be different on different machines. – mjwills Aug 11 '20 at 00:26
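
The full round trip behind the Base64 suggestion, as an added example that is not code from the question or the answer: the salt and hash are stored in one text column and decoded again to check a login. The `PasswordStore` class, the `iterations:salt:hash` layout and the switch to UTF-8 are assumptions of this example, and `CryptographicOperations.FixedTimeEquals` needs .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordStore // hypothetical helper, not part of the original post
{
    const int SaltSize = 16, HashSize = 16, Iterations = 100000; // values from the question

    static byte[] Derive(string password, byte[] salt, int iterations, int length)
    {
        // UTF-8 yields the same bytes on every machine, unlike Encoding.Default.
        byte[] passBytes = Encoding.UTF8.GetBytes(password);
        using (var pbkdf2 = new Rfc2898DeriveBytes(passBytes, salt, iterations, HashAlgorithmName.SHA512))
            return pbkdf2.GetBytes(length);
    }

    // Returns one value for a text column: "<iterations>:<base64 salt>:<base64 hash>".
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash = Derive(password, salt, Iterations, HashSize);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        // ':' is not in the Base64 alphabet, so it is a safe separator.
        string[] parts = stored.Split(':');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
            return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);     // exact inverse of ToBase64String
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }          // corrupted or truncated record
        if (salt.Length < 8 || expected.Length == 0) return false; // older runtimes reject salts under 8 bytes
        byte[] actual = Derive(password, salt, iterations, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // constant-time comparison
    }

    static void Main()
    {
        string stored = Hash("Mypassissecure7");
        Console.WriteLine(stored);
        Console.WriteLine(Verify("Mypassissecure7", stored));
        Console.WriteLine(Verify("wrong", stored));
    }
}
```

Storing the iteration count next to the salt lets the count be raised later without invalidating existing records.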