tags:

views:

304

answers:

2
Q: 

C# HMAC Implementation Problem

I want my application to encrypt a user password, and at one time password will be decrypted to be sent to the server for authentication. A friend advise me to use HMAC. I wrote the following code in C#:

System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
byte[] key = encoding.GetBytes("secret");
HMACSHA256 myhmacsha256 = new HMACSHA256(key);
byte[] hashValue = myhmacsha256.ComputeHash(encoding.GetBytes("text"));
string resultSTR = Convert.ToBase64String(hashValue);
myhmacsha256.Clear();

How to decode the password (resultSTR, in this case)?

Thanks.

+3  A: 

An HMAC (Hashed Message Authentication Code) is not encryption, it's hash function (in this case SHA-256) plus some secret key. It's lossy, there is no way to derive the plaintext from the HMAC.

If you want to encrypt some secret data, you should consider using the ProtectedData class instead. More infom including sample code at http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx

Michael Howard-MSFT  2010-03-26 21:46:35
How do you send ProtectedData to a server?
dtb  2010-03-26 22:07:46
Assuming the computers are in the same domain, you can simply send the blob returned by ProtectedData and have the same account decrypt the blob. it's all seamless :)one of the design goals of the Data Protection API (DPAPI) in Windows, is to have a blob sit naked on the Internet and still be protected. :)
Michael Howard-MSFT  2010-03-30 13:50:05
A: 

If there is no way to derive the plaintext from the HMAC. Then Why we use it?

S Jahan  2010-10-20 07:49:15
Not everything within the realm of cryptography deals with taking an opaque blob of bytes and retrieving plaintext from them. HMAC is used to give us assurance that data has not been tampered with. See http://en.wikipedia.org/wiki/HMAC
Damien_The_Unbeliever  2010-10-20 08:36:05

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?