
[C#] Using BCrypt in a .NET Application - Why it's better than SHA or MD5.

You guys know that I'm not a cryptography expert. In fact, I didn't use hashing and salting well until my second year as a programmer during college.

It's recently come to my attention that using MD5 or SHA as your hashing methods is not good enough.

While it does its job at hashing data, the problem is that it's just too fast.

A determined computer hacker with enough horsepower (machines) can verify passwords really fast. For example, a modern server can calculate the MD5 hash over 320MB every second.

Even worse, according to Coda Hale:

Quote

If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. At that rate you’ll be cracking those passwords at the rate of more than one per second.


You see the problem?

BCrypt solves that problem by using a work factor, meaning you decide how long it's going to take to hash data. So no matter how fast computers get, you can turn up that factor and keep hashing your passwords at the speed you wish.

So how much slower, you say? Coda Hale says:

Quote

How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'yaaa' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a microsecond.

So we’re talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so.


That would put a hacker back into 1st gear.

So let's see how we can use BCrypt in a .NET application using C#.

First, create a new Visual Studio console project and add a Library Package Reference using NuGet:


Click the online tab, and search for BCrypt.


Install it, and add the using directive:

using DevOne.Security.Cryptography.BCrypt;



And here's a very simple example on how to use it:

// Generate a random salt; the argument is the work factor (log2 of the number of rounds).
string salt = BCryptHelper.GenerateSalt(6);
// The returned string contains the version, work factor, salt and hash together.
var hashedPassword = BCryptHelper.HashPassword("password", salt);

// Verification only needs the candidate password and the stored string.
Console.WriteLine(BCryptHelper.CheckPassword("password", hashedPassword));



As you increase the work factor you'll see the time the program takes grow exponentially (each step doubles the number of rounds). This is a minuscule nuisance to our end user, but a real wrench in the machine for the hackers.

NOTE: The library doesn't tell you this, but your work factor must be between 4 and 31 (inclusive).
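As an added example (not code from the original post or from the BCrypt library), the program below hashes the same password at work factors from 4 upwards and times each one, so you can watch the cost roughly double per step, and it rejects work factors outside the 4..31 range before calling the library. It assumes the same DevOne package and BCryptHelper methods used above; the password string is a constructed sample.

```csharp
using System;
using System.Diagnostics;
using DevOne.Security.Cryptography.BCrypt;

// Added example, not part of the original post or the library.
class WorkFactorDemo
{
    // Bounds the library enforces but does not document.
    const int MinWorkFactor = 4;
    const int MaxWorkFactor = 31;

    // Hashes a password at the requested work factor, checking the range up front
    // so a misconfiguration fails with a clear message instead of a library exception.
    static string HashWithWorkFactor(string password, int workFactor)
    {
        if (workFactor < MinWorkFactor || workFactor > MaxWorkFactor)
            throw new ArgumentOutOfRangeException("workFactor",
                "bcrypt work factor must be between 4 and 31 (inclusive)");
        string salt = BCryptHelper.GenerateSalt(workFactor);
        return BCryptHelper.HashPassword(password, salt);
    }

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample

        // The work factor is log2 of the round count, so each +1 should
        // roughly double the measured time.
        for (int wf = 4; wf <= 12; wf++)
        {
            Stopwatch sw = Stopwatch.StartNew();
            string hash = HashWithWorkFactor(password, wf);
            sw.Stop();
            Console.WriteLine("work factor {0,2}: {1,6} ms  {2}", wf, sw.ElapsedMilliseconds, hash);
        }

        // Verification reads the work factor back out of the stored string,
        // so old hashes keep verifying after you raise the factor for new ones.
        string stored = HashWithWorkFactor(password, 10);
        Console.WriteLine(BCryptHelper.CheckPassword(password, stored));
        Console.WriteLine(BCryptHelper.CheckPassword("wrong password", stored));
    }
}
```

Pick the largest work factor whose timing is acceptable for a login on your own hardware, and revisit it as hardware gets faster; existing hashes do not need to be rehashed to keep working, only to benefit from the higher cost.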

How is the salt being saved? After all, the salt has to be stored somewhere in order to verify a password against a hash, correct? It's stored inside the hash string itself: the version, work factor and salt are written first and the hash is appended after them. If you look at the source code of the library, you can see:

StringBuilder rs = new StringBuilder();
rs.Append("$2");
if (minor >= 'a') {
    rs.Append(minor);
}
rs.Append('$');
if (rounds < 10) {
    rs.Append('0');
}
rs.Append(rounds);
rs.Append('$');
rs.Append(EncodeBase64(saltBytes, saltBytes.Length));
rs.Append(EncodeBase64(hashed,(bf_crypt_ciphertext.Length * 4) - 1));
return rs.ToString();
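To make the layout concrete, here is an added example (not the library's own code, and not from the original post) that splits a bcrypt string into the fields the routine above writes, then shows that the stored string alone is enough to recompute the hash, which is all CheckPassword does. It assumes the same DevOne package and BCryptHelper methods as the rest of the post.

```csharp
using System;
using DevOne.Security.Cryptography.BCrypt;

// Added example: parses "$2<minor>$<rounds>$<salt22><hash31>" as written by the
// library's Crypt routine. The class and field names are this example's own.
class BcryptFormat
{
    public string Version;   // "2" or "2a"
    public int Rounds;       // the work factor (log2 of the iteration count)
    public string Salt;      // 22 radix-64 characters encoding 16 salt bytes
    public string Hash;      // 31 radix-64 characters encoding 23 hash bytes

    public static BcryptFormat Parse(string stored)
    {
        if (stored == null || stored.Length == 0 || stored[0] != '$')
            throw new FormatException("not a bcrypt string");
        // A leading '$' yields an empty first element: ["", "2a", "06", "<salt><hash>"]
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || !parts[1].StartsWith("2") || parts[3].Length != 53)
            throw new FormatException("unexpected bcrypt layout");
        return new BcryptFormat
        {
            Version = parts[1],
            Rounds = int.Parse(parts[2]),
            Salt = parts[3].Substring(0, 22),
            Hash = parts[3].Substring(22)
        };
    }

    static void Main()
    {
        string stored = BCryptHelper.HashPassword("password", BCryptHelper.GenerateSalt(6));
        BcryptFormat f = Parse(stored);
        Console.WriteLine("stored : " + stored);
        Console.WriteLine("version: " + f.Version);
        Console.WriteLine("rounds : " + f.Rounds);
        Console.WriteLine("salt   : " + f.Salt);
        Console.WriteLine("hash   : " + f.Hash);

        // Rebuild the salt prefix the way the library writes it (two-digit rounds)
        // and hash the candidate password with it; a match means the password is right.
        string saltPrefix = "$" + f.Version + "$" + f.Rounds.ToString("00") + "$" + f.Salt;
        string recomputed = BCryptHelper.HashPassword("password", saltPrefix);
        Console.WriteLine(recomputed == stored);
    }
}
```

Because the salt and work factor travel with the hash, you store one column per user and never need a separate salt table; the parser is only here to show where each piece lives.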



Have fun, and please use BCrypt for your applications and websites. It's safer!

3 Comments On This Entry


janne_panne

22 March 2011 - 01:02 PM
Thanks for sharing this information. I don't know much about cryptography/security so this was really helpful.

I just wonder if this would eventually create a bottleneck in a web application if there are thousands of active users. But I don't know much about web administration so I'm not sure if a slow login procedure would have that much effect on the server since each user does it only once and then they can use the website.

Gamegoofs2

22 March 2011 - 01:32 PM
Interesting, thanks for sharing!

codeprada

14 April 2011 - 05:01 AM
Nice share. I always used SHA512 to do my hashing with PHP but now I'm gonna look into using BCrypt if there's such a library for PHP developers.

About Me



Bienvenidos! I'm a USA ex-pat living in Bolivia for the past 10 years. Web development is my forte with a heavy lean for usability and optimization. I'm fluent in both English and Spanish. I guest write for the popular Python website Python Central. Visit my website.
