Posted by : Michael Mortensen Wednesday, April 24, 2013

At some point you will need to verify or secure part of your data using cryptographic hash functions. Luckily, .NET offers a comprehensive set of classes for this task in the System.Security.Cryptography namespace.

What is a cryptographic hash function? Well, for a meaningful explanation do refer to this Wikipedia article and afterwards think of it as a digital fingerprint (or checksum if you prefer).

Like I said, .NET offers a comprehensive set of classes to accommodate the need for hashing, and although they are simple to work with out of the box, they can be rather cumbersome in the long run: you have to remember which algorithm type to use, create a byte array and, last but not least, remember to dispose of your object afterwards. This is one of the reasons why I introduced the static HashUtility class: to ease the usage while offering a flexible way of hashing your objects.

The overloads in the above-mentioned class that take either a string or a string array all use UTF-16 as the backing encoding by design, whereas most online hashing generators use UTF-8. However, this can easily be overridden by using one of the many overloads of the ComputeHash method.

Supported hash algorithm types as of April 24th, 2013 are:

  • MD5 (default)
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512
  • RIPEMD-160
  • CRC-32

Let's get on with the show: in Figure 1 you can see an example of a simple PasswordHashExample class that uses the SHA-256 hash algorithm with UTF-8 as the backing encoding, while Figure 2 shows an equally simple test method that uses this class. Figure 3 shows the output of the test.

using System.Text; // Encoding

// HashUtility, HashAlgorithmType and StringUtility come from the author's library.
public class PasswordHashExample
{
    public PasswordHashExample()
    {
        this.PasswordSalt = StringUtility.CreateRandomString(32); // fresh random salt per instance
    }

    public string PasswordHash { get; private set; }

    public string PasswordSalt { get; set; }

    public void SetPassword(string password)
    {
        this.PasswordHash = this.ComputePassword(password, this.PasswordSalt);
    }

    public bool ValidatePassword(string password)
    {
        return this.PasswordHash.Equals(this.ComputePassword(password, this.PasswordSalt));
    }

    private string ComputePassword(string password, string salt)
    {
        return HashUtility.ComputeHash(new string[] { password, salt }, HashAlgorithmType.SHA256, Encoding.UTF8);
    }
}
Figure 1: A simple class to show a potential usage of the HashUtility class

using System.Diagnostics; // Debug

public class PasswordHashExampleTest
{
    public void TestPassword()
    {
        string password = "mySuperStr0ngP@ssword!";
        PasswordHashExample example = new PasswordHashExample();
        example.SetPassword(password); // compute the hash before PasswordHash is read
        Debug.WriteLine("Password is: {0}", password as object);
        Debug.WriteLine("Salt is: {0}", example.PasswordSalt as object);
        Debug.WriteLine("Hashed password is: {0}", example.PasswordHash as object);
    }
}
Figure 2: An equally simple test method that utilizes the class in Figure 1

Debug Trace:
Password is: mySuperStr0ngP@ssword!
Salt is: FWoyWJxrK6cqS9lL5EFzPp5EMKoGFteP
Hashed password is: 95dae249a69c67654868a59077fae296a532aef39332c919975de5b1e69a60a6
Figure 3: The output of the test in Figure 2

As you can see, the usage is very simple, and the only thing you need to consider is the encoding, should you choose to use one of the overloads where a string or an array of strings needs hashing. Since all strings in .NET are "per se" UTF-16 encoded, this is also the default here, but only for the string overloads.
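Figure 1 stores a single salted SHA-256 pass, which is fast to compute; for stored passwords the usual hardening is a deliberately slow key-derivation function and a constant-time comparison. The following is an added example, not code from the original post or from the HashUtility library: it mirrors the PasswordHashExample API using the built-in PBKDF2 implementation. It assumes .NET 6 or later, and the class name, salt size, hash size and iteration count are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: same shape as PasswordHashExample, with PBKDF2 in place of one SHA-256 pass.
public class Pbkdf2PasswordExample // hypothetical name
{
    private const int SaltSize = 16;       // bytes (assumed)
    private const int HashSize = 32;       // bytes (assumed)
    private const int Iterations = 600000; // assumed work factor; tune to your hardware

    public Pbkdf2PasswordExample()
    {
        this.PasswordSalt = RandomNumberGenerator.GetBytes(SaltSize); // CSPRNG salt
    }

    public byte[] PasswordHash { get; private set; }

    public byte[] PasswordSalt { get; private set; }

    public void SetPassword(string password)
    {
        this.PasswordHash = Derive(password, this.PasswordSalt);
    }

    public bool ValidatePassword(string password)
    {
        if (this.PasswordHash == null) return false; // no password set yet
        // Constant-time comparison: timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(Derive(password, this.PasswordSalt), this.PasswordHash);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password); // encoding chosen explicitly
        return Rfc2898DeriveBytes.Pbkdf2(passwordBytes, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
    }
}

public static class Program
{
    public static void Main()
    {
        var example = new Pbkdf2PasswordExample();
        example.SetPassword("mySuperStr0ngP@ssword!"); // sample password from Figure 2
        Console.WriteLine("Correct password accepted: {0}", example.ValidatePassword("mySuperStr0ngP@ssword!"));
        Console.WriteLine("Wrong password accepted: {0}", example.ValidatePassword("notMyPassword"));
    }
}
```

When persisting the result, store the salt and the iteration count next to the hash so the work factor can be raised later without invalidating existing records.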

I hope you liked this little sneak preview into the HashUtility class. Happy coding.

2 comments:

  1. nice post and all the best

    this is my blog

    1. Hi Prasad,

      Thank you for your comment; your site looks interesting - I hope over time we can pick some pearls of wisdom from one another.

      Cheers :-)


© 2008-2013 MuchMore. All rights reserved. Powered by Blogger.