Price: US$29.00

Pay securely at PayPal. On the confirmation page, click Continue to product download page to download this product immediately.

Having a PayPal account is optional; if you don't want to sign up, look for the link which says Don't have a PayPal account?

Encryption Library

Code Samples

This page shows some common usage scenarios for the DotNetHelpers .NET Encryption library. Important security note: a secure connection (such as SSL on websites) should be used when dealing with passwords, credit cards, and other private information. As a general rule, avoid storing private information such as credit card numbers where possible.

Encrypting and Decrypting Credit Card Numbers

In this example, a credit card entered from a webpage is encrypted, and saved in a database. Separately, it is decrypted and displayed on screen.

In order to use the Encrypter class, you need to have a secret password. This library uses a GUID as the password as it will be globally unique and near impossible to guess. It is important that the password is kept secret, and it should be stored separately from the data it protects.

Encrypting credit card information

C#

string unencryptedData = Request.Form["creditcard"];
if (string.IsNullOrEmpty(unencryptedData))
  throw new Exception("No credit card information was specified.");

// The secret password; store it separately from the data it protects.
Guid password = new Guid("8174539a-3cde-446a-9b47-00456309cf62");
using (Encrypter encrypter = new Encrypter(password)) {
  string encryptedData = encrypter.Encrypt(unencryptedData);
  SaveToDatabase(encryptedData);
}

VB

Dim unencryptedData As String = Request.Form("creditcard")
If String.IsNullOrEmpty(unencryptedData) Then
    Throw New Exception("No credit card information was specified.")
End If
' The secret password; store it separately from the data it protects.
Dim password As New Guid("8174539a-3cde-446a-9b47-00456309cf62")
Using encrypter As New Encrypter(password)
    Dim encryptedData As String = encrypter.Encrypt(unencryptedData)
    SaveToDatabase(encryptedData)
End Using

Assuming a credit card number of "1234-5678-9812-3478", the encrypted card information may look something like "Ef7rInHVnZHHXK0NINIkOFL7AddMLd5pExFavU/4K7g=" (different passwords produce different encryption). The card number is now encrypted using the 256 bit Rijndael symmetric algorithm, as endorsed by the US National Security Agency. The only way to convert back to the original string is by knowing the password and using the following code:

Decrypting credit card information

C#

string encryptedData = GetEncryptedData();
// Must be the same password that was used to encrypt the data.
Guid password = new Guid("8174539a-3cde-446a-9b47-00456309cf62");
using (Encrypter encrypter = new Encrypter(password)) {
  string unencryptedData = encrypter.Decrypt(encryptedData);
  cardLabel.Text = unencryptedData;
}

VB

Dim encryptedData As String = GetEncryptedData()
' Must be the same password that was used to encrypt the data.
Dim password As New Guid("8174539a-3cde-446a-9b47-00456309cf62")
Using encrypter As New Encrypter(password)
    Dim unencryptedData As String = encrypter.Decrypt(encryptedData)
    cardLabel.Text = unencryptedData
End Using
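What the Encrypter class does internally is not shown on this page. The following is an added example, not library code, of the same encrypt/decrypt pattern written against the framework's own Aes class (AES is the standardised 128-bit-block form of Rijndael). It assumes a secret string (the page uses a GUID) from which a 256-bit key is derived, a constructed application-wide key-derivation salt, and it generates a fresh random IV for every message and stores it in front of the ciphertext, so encrypting the same card number twice does not produce the same output.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the DotNetHelpers Encrypter): AES-256-CBC round-trip with a
// random per-message IV. The key is derived from a secret string with PBKDF2.
public static class CardCrypto
{
    // Constructed key-derivation salt (assumption); must stay constant for the
    // lifetime of the stored data, otherwise existing ciphertexts cannot be decrypted.
    private static readonly byte[] KdfSalt = Encoding.ASCII.GetBytes("example-kdf-salt-v1");

    private static byte[] DeriveKey(string secret)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, KdfSalt, 100_000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32); // 256-bit AES key
    }

    public static string Encrypt(string secret, string plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = DeriveKey(secret);
            aes.GenerateIV(); // fresh random 16-byte IV for this message
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] plain = Encoding.UTF8.GetBytes(plaintext);
                byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] output = new byte[aes.IV.Length + cipher.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);      // IV first
                Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
                return Convert.ToBase64String(output);
            }
        }
    }

    public static string Decrypt(string secret, string encoded)
    {
        byte[] input = Convert.FromBase64String(encoded);
        using (Aes aes = Aes.Create())
        {
            aes.Key = DeriveKey(secret);
            byte[] iv = new byte[aes.BlockSize / 8];
            if (input.Length < iv.Length)
                throw new CryptographicException("Ciphertext too short to contain an IV.");
            Buffer.BlockCopy(input, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(input, iv.Length, input.Length - iv.Length));
        }
    }

    public static void Main()
    {
        // In a real application the secret is loaded from a store separate from the data.
        string secret = Guid.NewGuid().ToString();
        string card = "1234-5678-9812-3478"; // constructed sample value
        string token = Encrypt(secret, card);
        Console.WriteLine(token);
        Console.WriteLine(Decrypt(secret, token) == card ? "round-trip OK" : "MISMATCH");
    }
}
```

Decrypting with the wrong secret throws a CryptographicException (padding check) or yields garbage rather than the card number. Note that CBC mode on its own does not detect tampering with the stored ciphertext; where integrity matters, an authenticated mode such as the framework's AesGcm class (available from .NET Core 3.0) is the better choice.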
 

Encrypting passwords using SHA1 hashes

Unlike a credit card number, a password never needs to be decrypted. By storing a hashed version of each user's password in a data store, you can be confident that even if your data store is compromised, the attackers will have no direct way to learn what your users' passwords are.

This works by hashing each password when the user registers, for example. When the user logs in, the password they enter is hashed, and this hashed version is compared to the hashed password in the database.

The following shows how a plaintext password can be encrypted to a hashed version; it might be part of a registration page on a website, for example:

C#

string username = Request.Form["username"];
string unencryptedPassword = Request.Form["password"];
string encryptedPassword = OneWayEncrypter.CreateHash(unencryptedPassword);
SaveToDatabase(username, encryptedPassword);

VB

Dim username As String = Request.Form("username")
Dim unencryptedPassword As String = Request.Form("password")
Dim encryptedPassword As String = OneWayEncrypter.CreateHash(unencryptedPassword)
SaveToDatabase(username, encryptedPassword)
 

When the user logs in, they similarly enter their username and password. The hashed version of the password is used to query the database through an imaginary utility method which simply checks whether a SQL query returns any rows:

C#

public bool IsValidPassword(string username, string unencryptedPassword)
{
  string encryptedPassword = OneWayEncrypter.CreateHash(unencryptedPassword);
  // Note: building SQL by concatenating user input is open to SQL injection;
  // a parameterized query should be used in real code.
  string sql = "SELECT * FROM Customer WHERE username = '" + username + "' "
             + "AND password = '" + encryptedPassword + "'";
  bool userIsSelected = Utilities.SqlReturnsRows(sql);
  return userIsSelected;
}

VB

Public Function IsValidPassword(ByVal username As String, _
        ByVal unencryptedPassword As String) As Boolean
    Dim encryptedPassword As String = OneWayEncrypter.CreateHash(unencryptedPassword)
    ' Note: building SQL by concatenating user input is open to SQL injection;
    ' a parameterized query should be used in real code.
    Dim sql As String = "SELECT * FROM Customer WHERE username = '" & username & "'" & _
                        " AND password = '" & encryptedPassword & "'"
    Dim userIsSelected As Boolean = Utilities.SqlReturnsRows(sql)
    Return userIsSelected
End Function

Note that as it is not possible to decrypt hashed text, you will not be able to give out passwords to users who have forgotten them. In this case, you will need to generate a random password (e.g. the first 6 characters of Guid.NewGuid().ToString()), save the hashed version in the database, and send the plaintext version to the user.

Advanced hashing options

There are several algorithms which can be used to hash the data; by default the 160 bit SHA1 algorithm is used. Others, such as MD5 or the 512 bit SHA512, are also available by specifying the algorithm to use with the HashType enumeration:

C#

string plaintext = Request.Form["password"];
string encrypted = OneWayEncrypter.CreateHash(HashType.MD5, plaintext);

VB

Dim plaintext As String = Request.Form("password")
Dim encrypted As String = OneWayEncrypter.CreateHash(HashType.MD5, plaintext)
 

Hashing algorithms also use what is known as a "salt" value. When no salt is used, it is possible for attackers to take a list of hashed words and compare them against a dictionary of common words with their precomputed hashes in order to find the original values. By adding a secret 'salt' term to the start or end of each piece of plaintext before hashing, these attack dictionaries are rendered useless. The DotNetHelpers Encryption Library uses its own default salt, but you can still specify your own salt if you require. A good value for a salt is a GUID string, for example:

C#

string salt = "773c842a4ec944ad8d0d58f8eabadb64";
string plaintext = Request.Form["password"];
string encrypted = OneWayEncrypter.CreateHash(HashType.MD5, plaintext, salt);

VB

Dim salt As String = "773c842a4ec944ad8d0d58f8eabadb64"
Dim plaintext As String = Request.Form("password")
Dim encrypted As String = OneWayEncrypter.CreateHash(HashType.MD5, plaintext, salt)
 

Important note on algorithms and salts: whichever combination of algorithms and salts are selected, it is important that they are used consistently throughout the lifetime of your application. By changing the algorithm or salt after hashed data has already been saved in your data store, you instantly render all that data invalid, and users will not be able to log in.
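The login check above builds its SQL by string concatenation, and the salt section relies on one application-wide salt. The following added example, which is not part of the DotNetHelpers library, covers both passages with the framework's own classes: it hashes with a selectable algorithm name (the page's HashType choices SHA1, SHA512 and MD5 all map to names HashAlgorithm.Create understands), generates a random salt per user that is stored next to the hash, compares hashes in constant time, and looks the user up with a parameterized query so the username is never interpreted as SQL. It assumes a Customer table with username, salt and password (the stored hash) columns, a SqlConnection supplied by the caller, and System.Data.SqlClient being available (built into .NET Framework; a NuGet package on .NET Core).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example (not library code): salted one-way hashing plus a parameterized login lookup.
public static class PasswordStore
{
    // Fresh random salt per user. Because every user has a different salt, precomputed
    // dictionaries are useless even though the salt is stored in the clear next to the hash.
    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // algorithmName is "SHA1", "SHA256", "SHA512" or "MD5". As the page notes, the algorithm
    // and the salt layout must stay fixed for the lifetime of the stored hashes.
    public static string CreateHash(string algorithmName, string plaintext, string salt)
    {
        using (HashAlgorithm algo = HashAlgorithm.Create(algorithmName))
        {
            if (algo == null) throw new ArgumentException("Unknown hash algorithm: " + algorithmName);
            byte[] digest = algo.ComputeHash(Encoding.UTF8.GetBytes(salt + plaintext));
            return Convert.ToBase64String(digest);
        }
    }

    // Constant-time comparison so the position of the first mismatch cannot be inferred
    // from timing (CryptographicOperations.FixedTimeEquals does this on .NET Core 2.1+;
    // this version also works on .NET Framework).
    public static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    public static void Register(SqlConnection conn, string username, string password)
    {
        string salt = NewSalt();
        string hash = CreateHash("SHA512", password, salt);
        using (var cmd = new SqlCommand(
            "INSERT INTO Customer (username, salt, password) VALUES (@username, @salt, @password)", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            cmd.Parameters.Add("@salt", SqlDbType.VarChar, 64).Value = salt;      // 24 chars of Base64
            cmd.Parameters.Add("@password", SqlDbType.VarChar, 128).Value = hash; // 88 chars for SHA512
            cmd.ExecuteNonQuery();
        }
    }

    // The username travels as a query parameter, so quote characters in it are matched
    // literally instead of changing the statement. The stored hash is compared in code.
    public static bool IsValidPassword(SqlConnection conn, string username, string password)
    {
        using (var cmd = new SqlCommand(
            "SELECT salt, password FROM Customer WHERE username = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown user
                string salt = reader.GetString(0);
                string stored = reader.GetString(1);
                return FixedTimeEquals(stored, CreateHash("SHA512", password, salt));
            }
        }
    }
}
```

Register stores the salt with the hash, and IsValidPassword re-derives the candidate hash with that same salt before comparing, which is why the salt and algorithm must not change once hashes exist. Switching the algorithm name to "SHA1" reproduces the page's default; MD5 and SHA1 are both accepted by HashAlgorithm.Create but are no longer recommended for new designs.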