I am trying to build an application where security and encryption is a high concern.
I am using Visual Studio 2022 and VB.NET 6.0 (I searched for 3 days now and couldn't find something up to date, all what I found is an out dated and not related to VB 6.0 and Visual Studio 2022)
I created a form that contains Email and Password Textboxes.
I am also running MySQL Server 8.0.29 with SSL enabled on local host using Xampp
This is the concern part of my code:
Dim salt As String = "temp salt" ' Can I use salt based on some PC hardware serial number?
cmd.Parameters.Add("@pwd", MySqlDbType.VarString).Value = SHA512Hasher.Base64Hash(Password.Text,salt)
And here is my hashing class:
Public Class SHA512Hasher
Private Sub New()
' Prevent instantiation
End Sub
Public Shared Function Base64Hash(ByVal clearText As String) As String
Dim hashedBytes As Byte() = computeHash(clearText)
Return Convert.ToBase64String(hashedBytes)
End Function
Public Shared Function Base64Hash(ByVal clearText As String, ByVal salt As String) As String
Return Base64Hash(salt & clearText)
End Function
Public Shared Function HexHash(ByVal clearText As String) As String
Dim hashedBytes As Byte() = computeHash(clearText)
' Build the hex string by converting each byte.
Dim hexString As New System.Text.StringBuilder()
For i As Int32 = 0 To hashedBytes.Length - 1
hexString.Append(hashedBytes(i).ToString("X2")) ' Use "x2" for lower case
Next
Return hexString.ToString()
End Function
Public Shared Function HexHash(ByVal clearText As String, ByVal salt As String) As String
Return HexHash(salt & clearText)
End Function
Private Shared Function computeHash(ByVal clearText As String) As Byte()
Dim encoder As New Text.UTF8Encoding()
#Disable Warning SYSLIB0021 ' Type or member is obsolete (how to fix its obsolete?)
Dim sha512hasher As New System.Security.Cryptography.SHA512Managed()
#Enable Warning SYSLIB0021 ' Type or member is obsolete
Return sha512hasher.ComputeHash(encoder.GetBytes(clearText))
End Function
End Class
The function is working and I am able to store hashed password in MySQL; But I want to know, is this secure enough? Can the password generated by this function decrypted?
Also,
Can I use instead the function in this link to build a secure password storage in MySQL? Which one is accepted?
And how to use/call the function stated in previous link from a different form in case I want to encrypt some data?
Thank you
CodePudding user response:
This solution worked for me like charm:
Imports System.Security.Cryptography
Imports System.Text
Public Module hashing
Public Function PWDhash(ByVal password As String)
Using sha512Hash As SHA512 = SHA512.Create()
Return GetHash(sha512Hash, password)
End Using
End Function
Private Function GetHash(ByVal hashAlgorithm As HashAlgorithm, ByVal input As String) As String
' Convert the input string to a byte array and compute the hash.
Dim data As Byte() = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(input))
' Create a new Stringbuilder to collect the bytes
' and create a string.
Dim sBuilder As New StringBuilder()
' Loop through each byte of the hashed data
' and format each one as a hexadecimal string.
For i As Integer = 0 To data.Length - 1
sBuilder.Append(data(i).ToString("x2"))
Next
' Return the hexadecimal string.
Return sBuilder.ToString()
End Function
' Verify a hash against a string.
Public Function VerifyHash(hashAlgorithm As HashAlgorithm, input As String, hash As String) As Boolean
' Hash the input.
Dim hashOfInput As String = GetHash(hashAlgorithm, input)
' Create a StringComparer an compare the hashes.
Dim comparer As StringComparer = StringComparer.OrdinalIgnoreCase
Return comparer.Compare(hashOfInput, hash) = 0
End Function
End Module
This is how to hash:
Dim HashedPWD As String = PWDhash("password here")
This is how to verify:
Dim IsPWDCorrect As Boolean = VerifyHash(sha512Hash, "password here", "password hash from DB")
It works on VB.Net Core 6.0
The length of the hash is 128 Byte.