Q:
I want to ask if there is a class for encrypting and decrypting a string , i search through the net ,, and i find some but they are less secure or have some problems in completing the process :
one of the classes i found before is :
public static string Encrypt(string text)
{
try
{
key = Encoding.UTF8.GetBytes(stringKey.Substring(0, 8));
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
Byte[] byteArray = Encoding.UTF8.GetBytes(text);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream,des.CreateEncryptor(key, IV), CryptoStreamMode.Write);
开发者_运维百科 cryptoStream.Write(byteArray, 0, byteArray.Length);
cryptoStream.FlushFinalBlock();
return Convert.ToBase64String(memoryStream.ToArray());
}
catch (Exception ex)
{
string message = ex.Message;
}
return string.Empty;
}
public static string Decrypt(string text)
{
try
{
key = Encoding.UTF8.GetBytes(stringKey.Substring(0, 8));
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
Byte[] byteArray = Convert.FromBase64String(text);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream,
des.CreateDecryptor(key, IV), CryptoStreamMode.Write);
cryptoStream.Write(byteArray, 0, byteArray.Length);
cryptoStream.FlushFinalBlock();
return Encoding.UTF8.GetString(memoryStream.ToArray());
}
catch (Exception ex)
{
string message = ex.Message;
}`
some of comments about this class is:
Encoding.UTF8.GetBytes is a very bad and unsafe way to get a Key from a password.
http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html
- other problems
i search about a class to accomplish the encryption and decryption without those problems,,if there are any modification or enhancement to this class to avoid those problems and make it more secure ,it will be great.
if there are other classes which are tested and used for long time to make sure of its stability ,it will be great..
That code is nowhere good enough for passwords.
Let me quote Jeff's words from the Coding Horror article you linked to:
You should never, ever store user passwords. If you do, you're storing passwords incorrectly. Always store the salted hash of the password -- never the password itself! It's so easy, even members of Mensa er .. can't .. figure it out.
Passwords should not be stored in a way that they can be retrieved. It does not matter if you encrypt it. Encryption is a two-way process. You must do some one-way transformation that you cannot recover the original password from it. Like Jeff suggests, use hashing with salt. In order to verify passwords, you apply the same one-way process to the input and compare with the value you stored. You never recover the stored password to compare with the input.
You could have a look at the System.Security.Cryptography namespace, the .NET framework offers plenty of options.
http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx
精彩评论