Decrypting in c#

Question

I have to do the decryption before comparing the password. I have not used this before can anyone tell me how the decryption code should be like. thanks

public string Encript(string password)
        {
            System.Security.Cryptography.MD5CryptoServiceProvider objCript =
                new System.Security.Cryptography.MD5CryptoServiceProvider();
            byte[] bs = System.Text.Encoding.UTF8.GetBytes(password);
            bs = objCript.ComputeHash(bs);
            System.Text.StringBuilder s = new System.Text.StringBuilder();

            foreach (byte b in bs)
            {
                s.Append(b.ToString("x2").ToLower());
            }
            password = s.ToString();
            return password;
        }

Answer 1

The MD5 algorithm is not a cypher algorithm, but a hash generator. A hash code should be a one-way function, therefore there is no "decryption". For your problem: You should save the password in the database MD5-hashed as well, so only compare the hash values!

Answer 2

Don't try to decrypt the password!

Store the encrypted password and the used salt somewhere. Then, when the user enters the password, encrypt the user input with the same hash function and salt and compare the encrypted values.

Edit: This article describes the common authentication approach.

Answer 3

You can't(easily) decrypt MD5. Use a key-based encryption.(can't think of any on the top of my head except the simple XOR encryption)

Answer 4

Please take a look: http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5.aspx

it already has an example - you should compare encrypted values instead (it's not really possible to get clear password from hash in acceptable time)

Answer 5

There's a full length example of how to use the MD5CryptoServiceProvider to compare a given string (say the user's password) with a given hash (say the hashed password stored in the database as Matten suggested) on MSDN here:

MD5CryptoServiceProvider Class

(In fact, your code looks like it derived from part of the example.)

Answer 6

Actually, there is no decryption.

What you're doing here is getting the MD5 hash of the password, rather than decrypting it. Basically, there isn't a way to get the password back from the hash (not easily, at least).

One use of the MD5 hash is to store the hash in the database instead of storing the user's password. Then when you receive a hash from the user, you compute the hash from it and compare it to the already stored password.

It's good practice to apply an application 'salt' to the password. This way, the hash of 'password' on one system is different from the hash of 'password' on another. Have a look at this question for an example: MD5 hash with salt for keeping password in DB in C#

Answer 7

Like the other users have said before, MD5 is a one-way hash algorithm. You cannot decrypt the hash in order to retrieve the original password. The best you can do is to "guess" the password, hash it with MD5 and compare it to the hash. This is a brute force approach and will generally take a lot of time. And if a salt was used when generating the hash, then it will take even more time.

If you really want to find out the original message you can resort to using rainbow tables. This is basically a database which contains a lot of precomputed hashes, which should bring down the total time of your brute force attack. But if a salt was used, you're pretty much out of luck here.

A good article on bad passwords, hashes, salts, rainbow tables...etc. can be found here:

Bad passwords are not fun and good entropy is always important: demystifying security fallacies

You aren't actually trying to break into someone's site, now are you?