
Good day to all, I am new to vb.net programming. I wanted to encrypt and decrypt user passwords, I came up with the code below.

    Imports System.Security.Cryptography
    Imports System.Text

    Public Class UPdatePass

        ' 3DES cipher, plus MD5 used to turn the key string into a 16-byte 3DES key
        Dim DES As New TripleDESCryptoServiceProvider
        Dim MD5 As New MD5CryptoServiceProvider

        Function Encrypt(StringInput As String, Key As String) As String
            DES.Key = MD5Hash(Key)
            DES.Mode = CipherMode.ECB
            Dim buffer As Byte() = ASCIIEncoding.ASCII.GetBytes(StringInput)
            ' Encrypt the whole input in one call and return it Base64-encoded
            Return Convert.ToBase64String(DES.CreateEncryptor().TransformFinalBlock(buffer, 0, buffer.Length))
        End Function

        Function Decrypt(EncryptedString As String, Key As String) As String
            DES.Key = MD5Hash(Key)
            DES.Mode = CipherMode.ECB
            ' Input must be the Base64 string produced by Encrypt
            Dim Buffer As Byte() = Convert.FromBase64String(EncryptedString)
            Return ASCIIEncoding.ASCII.GetString(DES.CreateDecryptor().TransformFinalBlock(Buffer, 0, Buffer.Length))
        End Function

        Function MD5Hash(value As String) As Byte()
            Return MD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(value))
        End Function

    End Class

When I execute the code and decrypt, I get this error message.

An unhandled exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll Additional information: Length of the data to decrypt is invalid.

I hope anyone can help me with this. Thank you!

user3916571
  • This is actually so wrong I don't know where to begin. You shouldn't be using md5 hashes, you shouldn't be using 3DES to store passwords, and you should never be checking passwords by 'decrypting' them. Start over with your research. Look at salted hashes. PBKDF2 is a popular choice. I don't mean to be harsh, but it's easy to make mistakes in the security field and you would be no wiser to the vulnerabilities you've left without someone pointing them out. I would suggest that even if this is solely a learning exercise, then it's worth taking the time to learn properly. – PaulG Apr 19 '16 at 09:21
  • You should "encrypt" the entered password and compare it with the "encrypted" password you have stored against the user. Never "decrypt". What you actually have here, though, is hashing. – Matt Wilko Apr 19 '16 at 09:24
  • The word 'encrypt' shouldn't be used at all when talking about passwords. It should be 'hash', which is fundamentally different to encryption. This article seems ok for further research from a quick skim over: http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right – PaulG Apr 19 '16 at 09:35
  • http://stackoverflow.com/a/31150288/1070452 – Ňɏssa Pøngjǣrdenlarp Apr 19 '16 at 12:31
  • **Never use [ECB mode](http://crypto.stackexchange.com/q/14487/13022)**. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like [CBC](http://crypto.stackexchange.com/q/22260/13022) or [CTR](http://crypto.stackexchange.com/a/2378/13022). It is better to authenticate your ciphertexts so that attacks like a [padding oracle attack](http://crypto.stackexchange.com/q/18185/13022) are not possible. This can be done with authenticated modes like GCM or EAX, or with an [encrypt-then-MAC](http://crypto.stackexchange.com/q/202/13022) scheme. – Artjom B. Apr 19 '16 at 18:19
  • **Don't use Triple DES nowadays.** It only provides at best 112 bits of security even if you use the largest key size of 192 bits. If a shorter key size is used, then it only provides 56 or 57 bits of security. AES would be faster (processors have a special AES-NI instruction set) and even more secure with the lowest key size of 128 bits. There is also a practical limit on the maximum ciphertext size with 3DES. See [Security comparison of 3DES and AES](http://security.stackexchange.com/q/26179/45523). – Artjom B. Apr 19 '16 at 18:20
  • You should never encrypt your user's passwords. You need to use hashing instead, with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way functions, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Apr 19 '16 at 18:20
  • @PaulG Encrypting passwords may make perfect sense if you're storing them only to pass them to someone else afterwards. Think of a password manager, for example: those can never hash their secrets, otherwise they're lost. Hashing makes sense when you want a password only to authenticate it yourself, which is the case more often than not. – Alejandro Nov 25 '16 at 00:28

1 Answer


Your code works fine for me. Check whether the key you are entering for encryption is the same as the one for decryption.

R.You