  1. #1
    Serenarules

    SQL DataType Question

    I have the following function:

    ' Requires: Imports System.Text
    Protected Function Encrypt(ByVal sourceValue As String) As String

        Dim encoder As UTF8Encoding = New UTF8Encoding
        Dim hasher As System.Security.Cryptography.SHA256CryptoServiceProvider = New System.Security.Cryptography.SHA256CryptoServiceProvider

        ' SHA-256 digest of the UTF-8 bytes, returned as a Base64 string
        Return Convert.ToBase64String(hasher.ComputeHash(encoder.GetBytes(sourceValue)))

    End Function

    ...and it affects some values I am putting in the db. What SQL datatype and length should I use? nvarchar(256)? Or something else...

  2. #2
    wwb_99
    Personally, I'd skip the convert to base64 and just store it as a binary(32).

    PS: I should also note the following:
    a) even if you want to convert to text, you are still looking at a fixed field length.
    b) Where is the salt?
    c) SHA256 isn't encryption, it is hashing. Big difference.

  3. #3
    Serenarules
    Good points. The above was simplified for posting. But the thing is, the value is being stored in several places, a lot of which are purely text based. So I thought if I just made the initial generation output a string, it would cut down on extra code later in calls to convert.

    Just curious though, I knew I was just hashing really, but I'm not sure how to go about actually doing a one-way encrypt. Could you point me in the right direction?

  4. #4
    wwb_99
    That makes sense then. You still can use a fixed-length field here as the hash will always be the same length.

    Hashing is one-way encryption; a distinct value maps to another predictable value, but you can't take the predictable value and divine the distinct value. Well, without rainbow tables anyhow.

  5. #5
    Serenarules
    Ok, so I was doing it correctly then. Each user has their own salt, stored in their record, and is of System.Guid type, which is generated when the user initially registers. So when I validate, I get a list(of UserRecord) back from my UserProvider.GetUserByUsername() function, I just loop through and check (should only be one record due to constraint on Username). I figured a Guid would be harder to guess than using something like Username as a salt, and I didn't want a hardcoded salt that was the same for everybody.
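
An added example (not code from any poster in this thread) that pulls the thread's points together: a per-user Guid salt mixed into SHA-256, the raw 32-byte digest that fits binary(32), and its Base64 form, which is always 44 characters and so can also live in a fixed-length text column. The names ComputeSaltedHash and HashesEqual, the salt-then-value byte order, and the sample strings are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SaltedHashDemo

    ' SHA-256 over (salt bytes || UTF-8 value bytes).
    ' A SHA-256 digest is always 32 bytes, whatever the input length.
    Function ComputeSaltedHash(ByVal salt As Guid, ByVal sourceValue As String) As Byte()
        Dim saltBytes As Byte() = salt.ToByteArray()   ' a Guid is 16 bytes
        Dim valueBytes As Byte() = Encoding.UTF8.GetBytes(sourceValue)
        Dim combined(saltBytes.Length + valueBytes.Length - 1) As Byte
        Buffer.BlockCopy(saltBytes, 0, combined, 0, saltBytes.Length)
        Buffer.BlockCopy(valueBytes, 0, combined, saltBytes.Length, valueBytes.Length)
        Using hasher As SHA256 = SHA256.Create()
            Return hasher.ComputeHash(combined)
        End Using
    End Function

    ' Compare two digests without stopping at the first differing byte.
    Function HashesEqual(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()
        ' Constructed sample data: a fresh salt and a made-up value.
        Dim salt As Guid = Guid.NewGuid()
        Dim stored As Byte() = ComputeSaltedHash(salt, "constructed sample value")

        ' Base64 turns every 3 bytes into 4 characters (padded), so a
        ' 32-byte digest always encodes to the same fixed text length.
        Dim asText As String = Convert.ToBase64String(stored)
        Console.WriteLine("raw bytes: " & stored.Length & ", Base64 chars: " & asText.Length)

        ' Validation: recompute with the stored salt and compare digests.
        Console.WriteLine(HashesEqual(stored, ComputeSaltedHash(salt, "constructed sample value")))
        Console.WriteLine(HashesEqual(stored, ComputeSaltedHash(salt, "a different value")))
    End Sub

End Module
```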

