I have only looked at encryption for a few days now, but MD5 encryption seems pretty simple, so I decided to put together some notes on it and put it here in case anyone else needed it.
Basically MD5 encryption works one way, so you can encrypt a piece of data, but not decrypt it. Sound kinda pointless? Actually, no, it's quite handy for username/password databases where you will need to save the encrypted data, then check it against what someone has input into, for example, a TextBox. So if you join a website that you need to log into, for example a brilliant programming site called /dream.in.code (visit it here: www.dreamincode.net), you would create your username and password, which is then encrypted and saved in a database. then, when you visit the site, you type in your username/password, these get encrypted, and the encrypted data is checked against the encrypted data saved in the database. If it matches, you are logged in, if it does not, chances are it will complain at you about it.
So how do we go about encrypting information? Well, first of all, you will need to import a few namespaces. Put this code above the Public Class Form1 line.
Imports System.Security.Cryptography Imports System.Text
System.Security.Cryptography imports all of the information VB need to run the MD5 encryption, and System.Text provides UTF8 support.
Ok, our next step is the declarations. Put this code in the 'Submit' button of your form.
Dim strText As String = TextBox1.Text Dim bytHashedData As Byte() Dim encoder As New utf8encoding() Dim md5Hasher As New MD5CryptoServiceProvider
These variables are:
strText = The text string you wish to encrypt (eg. password)
bytHashedData = The same text string after encryption. This is no longer in string format, but rather it is a byte array.
encoder = This is a name for the UTF8Encoding method. This is what converts the string into byte format.
md5Hasher = This is the method which actually encrypts the byte array (from encoder) into a different byte array.
This is the line of code you will need to encrypt the information.
bytHashedData = md5Hasher.ComputeHash(encoder.GetBytes(strText))
The data stored as the variable bytHashedData is what would be saved in the database as your 'password'.
As I mentioned near the beginning, MD5 is one-way encryption, so you cannot decrypt the data once it is converted. This means that if you later go to log into /dic, for example, you would type your password in, and by the time it comes back to your PC to log you in or ask for a correct password, the word you typed into the box has been encrypted itself (using exactly the same code as shown above), then compared to what you saved in the database as your original password. Obviously, if it returns a match, you are logged in, if it does not, you are not logged in.
I do not have code for this bit, but it is exactly like checking a database for any information. The main thing you have to remember when implementing this, is that the data stored in the database is saved in Byte format, not String.
one last thing to mention. MD5 does have one glaring weakness, unless the user goes for obscure passwords. Someone wanting access to your account can use a dictionary search on your username (basically they work their way through a dictionary testing words to see if they can find your password). Not a problem for people with weird passwords, but could cause problems for people with normal words. This is where a little trick called salting comes in. The way salting works is you add some additional information to the password before encrypting it. This could be a user ID, or even the username. Like this:
bytHashedData = md5Hasher.ComputeHash(encoder.GetBytes(strText & txtUserName.Text))
This is a simple, yet effective way to avoid dictionary attacks
If you have any questions or comments about this tutorial, please post here and I will get back to you with an answer.
This post has been edited by Bort: 09 October 2008 - 08:15 AM