How to decrypt a string encrypted with HMACSHA1?

Question

I'm an encryption novice trying to pass some values back and forth between systems. I can encrypt the value, but can't seem to figure out how to decrypt on the other end. I've created a simple Windows Forms application using VB.NET. Trying to input a value and a key, encrypt and then decrypt to get the original value. Here's my code so far. Any help greatly appreciated. Thanks.

Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Public Class Form1

    Private Sub btnEncode_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnEncode.Click
        Dim hmacsha1 As New HMACSHA1(Encoding.ASCII.GetBytes(txtKey.Text))
        Dim hashValue As Byte() = hmacsha1.ComputeHash(Encoding.ASCII.GetBytes(txtValue.Text))
        txtResult.Text = BytesToHexString(hashValue)
        hmacsha1.Clear()
    End Sub

    Private Sub btnDecode_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnDecode.Click
        '???
    End Sub

    Private Function BytesToHexString(ByVal bytes As Byte()) As String
        Dim output As String = String.Empty
        Dim i As Integer = 0
        Do While i < bytes.Length
            output += bytes(i).ToString("X2")
            i += 1
        Loop
        Return output
    End Function
End Class

Answer 1

HMAC-SHA1 is a one-way hash, not a bidirectional encryption algorithm. You can't decrypt it. I don't have time to provide full encryption code here - it's a complicated topic, but Barry Dorrans' "Beginning ASP.NET Security" would give you a good starting point. (Only some of it is ASP.NET-specific.) You could also watch his DDD talk on the topic.

Answer 2

I agree with Jon, but notice that Jon spots one of Barrys errors in that video.

Answer 3

Just to expand on Jon's answer, because you're probably wondering what the point is of encrypting something that you can't decrypt - HMAC-SHA1 is, as Jon said, a hash. The string produced does not contain the original information, even in encrypted form... It's just a sequence of bytes.

The beauty of the hash however is that any sort of change you might make in the string will almost certainly result in a change in the hash result, and the hash result tends to be fairly small. For this reason, hashs are often used to ensure that a piece of information has not been tampered with.

For instance,

I want to send Jon here a message - and I want him to be confident that one of his mates hasn't changed the message prior to his reading it. I can't just take the hash of my message and send that along, because all a trouble causer would have to do is replace the message with one of their own, and provide an appropriate hash...

However, if I supply my message with a hash not of the message itself, but rather of the message with a few specific extra bytes that John and I have agreed on in advance, the trouble maker is defeated. Jon knows to add the extra bytes (commonly known as salting the hash) before he hashes my message, but the trouble causer doesn't - so if he changes the message, even though he works out his own hash, Jon can see that something is amiss...

Encyryption / Hashes are a fiddly business, and I've barely scratched the surface myself - but I thought this might give you a simple example of what hashes are used for...

Another very common use is for maintaining site membership information - people don't store the password, but rather the hash of the password. This means that even if someone manages to nick your user data, they are not able to use it to log into your system.

Martin