4

I have made a website, in which on login I am using pbkdf2_sha256 for password hashing. I have used salt also. I want to make a simple software just for the experience, I want to login into the c# software using same credentials as saved by the website. I have seen Rfc2898DeriveBytes I guess it only takes 2 arguments (password, salt in integer). But what about iterations I have specified on the website?

Anyone, please guide me how to make a login in c# (WPF) application and use pbkdf2_sha256 to create a hash and to verify the password.

I have seen a code given on stacksoverflow.com.

var salt = "FbSnXHPo12gb";
var password = "geheim";

var interactions = 12000;


using (var hmac = new HMACSHA256())
{
    var df = new Pbkdf2(hmac, password, salt, interactions);
    Console.WriteLine(Convert.ToBase64String(df.GetBytes(32)));
}

I used this also but it is giving error in var df = new Pbkdf2(hmac, password, salt, interactions); Pbkdf2 could not found.

my code 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Data;
using System.Windows.Documents;
using System.Windows.Input;
using System.Windows.Media;
using System.Windows.Media.Imaging;
using System.Windows.Navigation;
using System.Windows.Shapes;
using MySql.Data.MySqlClient;
using System.IO;
using System.Security.Cryptography;


namespace login
{

    /// <summary>
    /// Interaction logic for MainWindow.xaml
    /// </summary>
    public partial class MainWindow : Window
    {

        public MainWindow()
        {
            InitializeComponent();
        }

        private void login_Click(object sender, RoutedEventArgs e)
        {

            var salt = "FbSnXHPo12gb";
            var password = "geheim";
            var interactions = 12000;


            using (var hmac = new HMACSHA256())
            {
                var df = new Pbkdf2(hmac, password, salt, interactions);
                Console.WriteLine(Convert.ToBase64String(df.GetBytes(32)));
            }

            string myConnection = "datasource=localhost;port=3306;username=root;password=abcde12345 ; database=finalproject";
            MySqlConnection myConn = new MySqlConnection(myConnection);
            MySqlCommand SelectCommand = new MySqlCommand("select * from login where Username='" + this.username.Text + "' and Password='" + this.password.Password + "';", myConn);
            MySqlDataReader myReader;
            myConn.Open();
            myReader = SelectCommand.ExecuteReader();
            int count = 0;
            while (myReader.Read())
            {
                count = count + 1;
            }
            if (count == 1)
            {
                MessageBox.Show("Hello");

            }

            else
            {

                MessageBox.Show("Wrong username and password");
            }
            myConn.Close();
        }
    }
}

So please tell me which hashing algorithm I should use on the server which is good for a password. I have read about bcrypt and scyrpt. Are they good for password hashing? Actually, I am not decrypting I am only hashing password in software and then comparing hash stored on server with the hash generated in software

please help me. Sorry for mistakes.

Improve this question
5
  • Maybe I'm mistaked but isn't "Pbkdf2" all in lower case? probably could mean the reason it didn't found it. Commented Sep 5, 2017 at 20:11
  • 1
    The particularly PBKDF2 implementation you're referencing is only available in .NET Core, not in the full .NET framework. To use PBKDF2 in the framework, you're looking for System.Security.Cryptography.Rfc2898DeriveBytes instead. It does have a ctor overload that allows you to specify the number of iterations. Commented Sep 5, 2017 at 22:58
  • Xander is right. Rfc2898DeriveBytes is the class you want. Either that or search for a NuGet package that implements an Argon2 binding, as Argon2 is the current state-of-the-art. Commented Sep 5, 2017 at 23:52
  • Actually, I am not decrypting I am only hashing password in software and then comparing hash stored on server with the hash generated in software. Commented Sep 6, 2017 at 4:50
  • System.Security.Cryptography.Rfc2898DeriveBytes this is a namespace, I have used this but the error remains the same. Commented Sep 6, 2017 at 4:52

2 Answers 2

Reset to default
4

The Pbkdf2 class you found elsewhere on StackOverflow is not part of .NET, so to use it you'd need to obtain the library it's in.

In order to do PBKDF2 with (HMAC-)SHA-2-256, you would need at least .NET Core 2.0 or .NET Framework 4.7.2.

Either way you need to turn your salt into bytes. Since it's a multiple of 4 characters I'm going to assume it's base64:

byte[] saltBytes = Convert.FromBase64String(salt);
byte[] derived;

.NET Framework (2.0+) (HMAC-SHA-1):

using (var pbkdf2 = new Rfc2898DeriveBytes(password, saltBytes, interactionCount))
{
    derived = pbkdf2.GetBytes(32);
}

.NET Core (2.0+), .NET Framework (4.7.2+) (using HMAC-SHA-2-256):

using (var pbkdf2 = new Rfc2898DeriveBytes(
    password,
    saltBytes,
    interactionCount,
    HashAlgorithmName.SHA256))
{
    derived = pbkdf2.GetBytes(32);
}

If you need to use something other than (HMAC-)SHA-1 in .NET Framework you'll need to upgrade to 4.7.2.

API Docs:

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

I am using salt like " fQ6x8I****** " . I got an idea from ur post, can you tell me which references to add to make the code working. If you could type a little program just to generate pbkdf2_sha256 hash for the demonstration that will be really helpful to me. I am new to this. @@@@ Thanks for reply it was really helpfull@@@@
I tried the code you have given I am getting error Error CS1729 'Rfc2898DeriveBytes' does not contain a constructor that takes 4 arguments
You need to be using .NET Core 2.0 and compiling against the netcoreapp20 TFM to use the new 4-argument constructor.
Sorry, I am new to it........ is .Net Core 2.0 is a NuGet package? ...........and what it means compiling against the netcoreapp20?... ok got it .net core 2.0 is a.net version am i right?...thanks for reply
i installed .Net core 2.0 .......but is not showing any options in the menu where i can change my .NET framework version (properties of my project). Is it available for WPF applications? If it is then ho to use it. i have less time to complete it please help. @@@@@@@@@@thank you@@@
|
1

Well, there is a fully working example here in MSDN.

But, if your purpose is really hash a password, I would not advise you to do it like that.

There is no need to decrypt your passwords.

It's much easier and safer if you just use the SHA256 algorithm. All you need to do is store the hashed password in your database and when someone attempt to login into your website you will hash the given password and compare with the value stored in your database.

Doing this you have a one way encryption, so there is no way to decrypt your passwords.

Why? If your application have been hacked, the attackers can't decrypt the stored passwords so they can't login.

There is a example on how to hash using SHA256 here. Really, it's much easier.

Improve this answer

3 Comments

PBKDF2 does result in a hash. SHA256 is much too fast, and not suitable for hashing passwords.
So please tell me which hashing algorithm I should use on the server which is good for a password. I have read about bcrypt and scyrpt. Are they good for password hashing?
actually, my hashing is a combination of pbkdf2_sha256 its on particularly one algorithm, I guess.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.