
Currently I am using a salt to encrypt the password.

/// <summary>
/// Builds a SaltedHash for a new password: a fresh salt is generated and the
/// password is hashed together with it.
/// </summary>
/// <param name="password">The plain-text password to protect.</param>
/// <returns>A SaltedHash holding the new salt and the resulting hash.</returns>
public static SaltedHash Create(string password)
{
    // A new salt per call, so two equal passwords do not end up with the same stored hash.
    string freshSalt = _createSalt();
    return new SaltedHash(freshSalt, _calculateHash(freshSalt, password));
}

/// <summary>
/// Generates a new random salt and returns it as Base64 text.
/// </summary>
/// <returns>The Base64 encoding of SALT_LENGTH bytes from _createRandomBytes.</returns>
/// <remarks>
/// Base64 is a reversible encoding: it changes how the salt is written down,
/// not how much randomness the underlying bytes carry.
/// </remarks>
private static string _createSalt()
{
    return Convert.ToBase64String(_createRandomBytes(SALT_LENGTH));
}
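/// <summary>
/// Returns <paramref name="len"/> bytes from the cryptographic random number generator.
/// </summary>
/// <param name="len">Number of random bytes to produce.</param>
/// <returns>A newly allocated array of <paramref name="len"/> random bytes.</returns>
private static byte[] _createRandomBytes(int len)
{
    byte[] buffer = new byte[len];

    // The provider is disposable; release it deterministically
    // instead of leaving one undisposed instance per call to the finalizer.
    using (var rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(buffer);
    }

    return buffer;
}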
/// <summary>
/// Hashes the salt followed by the password and returns the digest as Base64 text.
/// </summary>
/// <param name="salt">Salt text, placed in front of the password.</param>
/// <param name="password">The plain-text password.</param>
/// <returns>Base64 encoding of the digest of the UTF-8 bytes of salt + password.</returns>
private static string _calculateHash(string salt, string password)
{
    // Salt and password are joined as text first, then encoded and hashed as one input.
    string salted = salt + password;
    byte[] digest = _calculateHash(_toByteArray(salted));
    return Convert.ToBase64String(digest);
}
/// <summary>
/// Encodes a string as UTF-8 bytes.
/// </summary>
/// <param name="s">The text to encode.</param>
/// <returns>The UTF-8 byte representation of <paramref name="s"/>.</returns>
private static byte[] _toByteArray(string s)
{
    System.Text.Encoding utf8 = System.Text.Encoding.UTF8;
    byte[] encoded = utf8.GetBytes(s);
    return encoded;
}
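/// <summary>
/// Computes the SHA-1 digest of <paramref name="data"/>.
/// </summary>
/// <param name="data">The bytes to hash.</param>
/// <returns>The 20-byte SHA-1 digest.</returns>
private static byte[] _calculateHash(byte[] data)
{
    // NOTE(review): a single pass of SHA-1 is very fast, so guesses against a leaked
    // salt/hash pair are cheap to test. For password storage, prefer a deliberately slow
    // key-derivation function such as PBKDF2 (Rfc2898DeriveBytes). The algorithm is left
    // unchanged here because swapping it would stop already-stored hashes from verifying.
    // A migration needs a scheme marker stored next to each hash.
    using (var sha1 = new SHA1CryptoServiceProvider())
    {
        // Dispose the provider deterministically rather than leaving one instance per call.
        return sha1.ComputeHash(data);
    }
}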
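/// <summary>
/// Checks a candidate password against the salt and hash held by this instance.
/// </summary>
/// <param name="password">The password to verify.</param>
/// <returns><c>true</c> when the hash recomputed from the stored salt and
/// <paramref name="password"/> equals the stored hash; otherwise <c>false</c>.</returns>
public bool Verify(string password)
{
    // Hashing cannot be reversed, so verification recomputes the hash with the
    // stored salt and compares the two results.
    string candidate = _calculateHash(_salt, password);

    // Compare every shared character instead of stopping at the first mismatch, so the
    // time taken does not depend on how much of the stored hash the candidate matches.
    int diff = _hash.Length ^ candidate.Length;
    int shared = Math.Min(_hash.Length, candidate.Length);
    for (int i = 0; i < shared; i++)
    {
        diff |= _hash[i] ^ candidate[i];
    }

    return diff == 0;
}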
/// <summary>
/// Wraps an existing salt and hash value in a SaltedHash object.
/// </summary>
/// <param name="salt">Salt value.</param>
/// <param name="hash">Hash value.</param>
/// <returns>A SaltedHash constructed from the two values as given.</returns>
public static SaltedHash Create(string salt, string hash)
{
    // Nothing is generated or hashed here; the values are passed straight to the constructor.
    SaltedHash restored = new SaltedHash(salt, hash);
    return restored;
}

The encryption works fine. Now, using the same technique, I want to decrypt the password.

How can I do this? Thanks.

Eric J.
Bokambo
  • You should not convert your salt to a base 64 string. You are reducing the possible characters in your salt to 65 instead of 256. That will weaken the effect of your salt considerably. You have to convert your password to a byte array and then apply the binary salt. – Sefe Nov 15 '17 at 09:19

1 Answer


You are not encrypting the password, you are hashing it.

The idea of a hash is that it is a one-way function where it is computationally cheap to create a hash from original text, but computationally expensive to start with a hash and end up with plain text that would create that hash value.

Although there are various attacks to break SHA1 (your hash algorithm), there is no straightforward approach to "decrypt" the hashed value ("decrypt" in quotes means to find an input value that would correspond to the salted, hashed output value).

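If you really do want to encrypt text, look into algorithms such as AES (also supported by the .NET framework). To check a login, though, the password does not need to be recovered: hash the submitted password with the stored salt and compare the result with the stored hash, as your Verify method already does.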

Eric J.
  • 1
    A short but great article on hashing versus encryption can be found [here](http://enterprisefeatures.com/2011/08/what%E2%80%99s-the-difference-between-hashing-and-encryption/comment-page-1/) as well in case the OP needs a better understanding of the difference. – Leon Newswanger Feb 01 '13 at 06:28