July 18, 2018
Hot Topics:

Cryptographic Solutions for .NET Developers: Hashing and Encryption

  • July 27, 2007
  • By Jani Järvinen
  • Send Email »
  • More Articles »

Hashing as a Way to Store Secrets

Now that you know the basics of encrypting and decrypting data, let me fulfill my promise of talking about hashing. So, where would these hash functions be useful?

Hash functions have two important applications: First, they can be used to store secrets (for example, passwords); and secondly, they can be used to check whether a message has been modified during transmission or storage.

Assume you have a web application that allows users to log in with an e-mail address and password. You could store these credentials in an SQL database, but storing the password directly isn't a very good practice. Instead of the user's password, you could store the hash of that password in the database. Then, when the user logs in, you would compute a hash of the provided password, and compare it to the one stored in the database. If they match, the password is valid. Remember, this works because only one input can become the hashed value. This very feature of hashes can also be used to detect transmission errors, for example.

Storing the hash instead of the password thus gives you a large advantage. Even if somebody would get their hands on the database data, the attacker wouldn't be able to know the original password. Although storing the hashed password in the database is a good way to improve security, it is also a double-edged sword: If you wanted to provide your user an "I Forgot My Password" type of function, you too cannot recover the original password back from the hash only.

Two of the most important hash algorithms are called MD5 and SHA. The .NET Framework supports both of these algorithms, and I'm providing a sample application called MD5Hash to show how the MD5 algorithm can be used. The example application is a command-line application, similar to the previously discussed RC2Encrypt and RC2Decrypt applications.

Hashing with the System.Security.Cryptography.MD5 Class

Just as with the encryption algorithms, the .NET hash algorithm implementations also have their home in the System.Security.Cryptography namespace. Using hash algorithms is simple. You would first create an instance of a hash class, and then call its ComputeHash method. This method is overloaded, and by default takes either a byte array or a stream object as input.

Here are few lines of code from the sample application:

private static void CalculateMD5Hash(string literal)
   // step 1, calculate MD5 hash from literal given as input
   MD5 md5 = MD5.Create();
   byte[] byteBuffer = System.Text.Encoding.ASCII.GetBytes(literal);
   byte[] hash = md5.ComputeHash(byteBuffer);

   // step 2, convert byte array to hexadecimal string
   string hashHex = ByteArrayToHexString(hash);
   Console.WriteLine("The MD5 has for the literal "" +
                     literal + "" is:");

Given an input string (literal) such as "abc", this method would write the following hash to the screen:


Calculating a hash from a stream, such as a FileStream, is equally simple. The above code can stay basically the same, except for the ComputeHash call:

FileStream input = new FileStream(filename, FileMode.Open);
MD5 md5 = MD5.Create();
byte[] hash = md5.ComputeHash(input);

In the case of the MD5 algorithm, the returned byte array is always 16 bytes (128 bits) in length. To convert this array to a hexadecimal string, you can use the following method:

private static string ByteArrayToHexString(byte[] hash)
   StringBuilder sb = new StringBuilder();
   for (int i = 0; i < hash.Length; i++)
   return sb.ToString();

Notice how the byte type's ToString method is used with the "X2" format string. If you want lower-case hexadecimal numbers (A to F), simply specify "x2" instead.


In this article, you've seen how two basic cryptograph functions, encryption and hashing, can be used to improve the security of your applications. Although cryptography is a complex field of computer science, using the implementation classes in .NET Framework is quite straightforward.

I've tried to provide simple and easy-to-follow examples in C#, and you can use the code as basic building blocks in your own applications. And, even if you would use Visual Basic .NET or even Delphi.NET from Borland/CodeGear, the same classes are at your disposal.

Good luck with improving the security of your applications!

About the Author:

Jani Järvinen is a software development trainer and consultant in Finland. He is a Microsoft C# MVP and has written dozens of magazine articles and published two books about software development. He is a group leader of a Finnish software development expert group at ITpro.fi. His frequently updated blog can be found at http://www.saunalahti.fi/janij/. You can send him mail by clicking on his name at the top of the article.

Page 3 of 3

Comment and Contribute


(Maximum characters: 1200). You have characters left.



Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that developer.com may send you developer offers via email, phone and text message, as well as email offers about other products and services that developer believes may be of interest to you. developer will process your information in accordance with the Quinstreet Privacy Policy.


Thanks for your registration, follow us on our social networks to keep up-to-date