best practices to implement hashing?

Question

I need to implement hashing (I am not referring encryption) to make some data fields (passwords or some details that do not require getting back in original format, rather only need to match in db) secure. Can you please suggest me the best practices to implement hashing. I will be using C# and SQL Server and it will be a web site.

Answer 1

OK now you've said you're protecting passwords you have some options.

The .NET framework has some built in algorithms - MD5, SHA1, SHA2. MD5 and SHA1 are considered obsolete and dangerous now, instead stick to SHA256.

For example (taken from my book)

static byte[] GenerateSaltedHash(string password, byte[] salt)
{
  byte[] plainText = Encoding.UTF8.GetBytes(password);
  HashAlgorithm algorithm = new SHA256Managed();

  byte[] plainTextWithSaltBytes = 
    new byte[plainText.Length + salt.Length];

  for (int i = 0; i < plainText.Length; i++)
  {
    plainTextWithSaltBytes[i] = plainText[i];
  }
  for (int i = 0; i < salt.Length; i++)
  {
    plainTextWithSaltBytes[plainText.Length + i] = salt[i];
  }

  byte[] hash = algorithm.ComputeHash(plainTextWithSaltBytes);            
}

Now the salt is there to stop precomputed lookups of hashes (hashing itself is not enough any more, people have precomputed hashes of dictionary words and more). But how do you get a salt? Well it's any unique value really, usually a random set of bytes.

    public byte[] GenerateSalt(int length)
    {
        salt = new byte[length];

        // Strong runtime pseudo-random number generator, on Windows uses CryptAPI
        // on Unix /dev/urandom
        RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();

        random.GetNonZeroBytes(salt);

        return salt;
    }

So you'd call GenerateSalt(32) first to get the salt (32 is just an example, longer if you wish. You will need to store the salt alongside the password - you don't need to worry about protecting it at all.

Finally you'll need a compare function. When you want to check passwords you would take the user input, get the salt for that user, generate the hash for the supplied password and stored salt, and then compare. You would do this using something like

[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static bool ConstantCompare(byte[] array1, byte[] array2)
{
    const byte Zero = 0;
    int maxLength = array1.Length > array2.Length ? array1.Length : array2.Length;
    bool wereEqual = array1.Length == array2.Length;

    byte[] paddedArray1 = new byte[maxLength];
    byte[] paddedArray2 = new byte[maxLength];
    for (int i = 0; i < maxLength; i++)
    {
        paddedArray1[i] = array1.Length > i ? array1[i] : Zero;
        paddedArray2[i] = array2.Length > i ? array2[i] : Zero;
    }
    bool compareResult = true;
    for (int i = 0; i < maxLength; i++)
    {
        compareResult = compareResult & paddedArray1[i] == paddedArray2[i];
    }
    return compareResult & wereEqual;
}

I should, of course, point out the ASP.NET membership functions do salt and hash, so they should probably be a first point of call. No point in rolling your own if someone else has done the work.