20.12.09

MD5 and TripleDES encryption in .NET

The .NET Framework provides classes for MD5 hashing and TripleDES encryption, both of which, when used together with a good enough key, form a good cryptographic system for your application. There are many scenarios where encryption can be put to good use in both desktop and web applications. The following code snippet provides functions for encryption and decryption using MD5 and TripleDES. MD5 is used here only to turn the key string into a 16-byte TripleDES key; TripleDES does the actual encryption.

All you need to add to the usings list is System.Security.Cryptography and System.Text, and you are good to go. Making the functions static is just one of the best practices.








    using System;
    using System.Security.Cryptography;
    using System.Text;

    public class Utils
    {
        public static string Encrypt(string toEncrypt, string key, bool useHashing)
        {
            // Convert both strings to byte arrays - you can use encoding other than UTF8
            byte[] keyArray = Encoding.UTF8.GetBytes(key);
            byte[] toEncryptArray = Encoding.UTF8.GetBytes(toEncrypt);
            if (useHashing)
            {
                // Hash the key: MD5 yields 16 bytes, a valid two-key TripleDES key length
                MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
                keyArray = hashmd5.ComputeHash(keyArray);
                hashmd5.Clear();
            }
            // Without hashing, the key bytes must already be 16 or 24 bytes long,
            // otherwise setting Key throws a CryptographicException
            TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider
            {
                Key = keyArray,
                // The following line is controversial - follow the link below the snippet
                Mode = CipherMode.ECB,
                Padding = PaddingMode.PKCS7
            };
            ICryptoTransform cTransform = tdes.CreateEncryptor();
            // Transform and store in resultArray
            byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
            tdes.Clear();
            // Return the ciphertext as Base64 text
            return Convert.ToBase64String(resultArray, 0, resultArray.Length);
        }

        public static string Decrypt(string toDecrypt, string key, bool useHashing)
        {
            byte[] keyArray = Encoding.UTF8.GetBytes(key);
            // The input is the Base64 text produced by Encrypt
            byte[] toDecryptArray = Convert.FromBase64String(toDecrypt);
            if (useHashing)
            {
                // Must match the useHashing value passed to Encrypt
                MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
                keyArray = hashmd5.ComputeHash(keyArray);
                hashmd5.Clear();
            }
            TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider
            {
                Key = keyArray,
                Mode = CipherMode.ECB,
                Padding = PaddingMode.PKCS7
            };
            ICryptoTransform cTransform = tdes.CreateDecryptor();
            byte[] resultArray = cTransform.TransformFinalBlock(toDecryptArray, 0, toDecryptArray.Length);
            tdes.Clear();
            return Encoding.UTF8.GetString(resultArray);
        }
    }



FYI, here is the controversy.
As you can see, both functions are quite similar except for precisely 2 lines. The Clear() calls in both functions are required because the MD5CryptoServiceProvider and TripleDESCryptoServiceProvider classes are "managed wrappers around unmanaged resources". Putting the Encrypt and Decrypt functions to use in your application would look like this:

    string encrypted = Utils.Encrypt("Password", "Key", true);
    string original = Utils.Decrypt(encrypted, "Key", true);


Just make sure that you use the same key in both calls, wherever they may be (they may be in two different applications referencing a common DLL containing these functions), and the same hashing parameter as well. Happy encryption!
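The ECB setting marked as controversial in the snippet, shown in an added example (not the author's code): it encrypts a constructed two-block message with the article's MD5-derived key under ECB and then under CBC with a random IV, and prints whether identical plaintext blocks and repeated encryptions produce identical ciphertext. The class name EcbDemo and its helper methods are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class EcbDemo
{
    // Same key derivation as the article: MD5(passphrase) -> 16-byte two-key TripleDES key.
    static byte[] DeriveKey(string passphrase)
    {
        using (MD5 md5 = MD5.Create())
            return md5.ComputeHash(Encoding.UTF8.GetBytes(passphrase));
    }

    // Encrypts with the article's padding; the mode is the only thing that varies.
    static byte[] Encrypt(byte[] plain, byte[] key, CipherMode mode, out byte[] iv)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;
            tdes.Mode = mode;
            tdes.Padding = PaddingMode.PKCS7;
            tdes.GenerateIV();   // fresh random 8-byte IV; ECB does not use it
            iv = tdes.IV;        // CBC needs this value again for decryption
            using (ICryptoTransform enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(plain, 0, plain.Length);
        }
    }

    // Hex text of one 8-byte ciphertext block (TripleDES block size is 8 bytes).
    static string Block(byte[] data, int index)
    {
        return BitConverter.ToString(data, index * 8, 8);
    }

    public static void Main()
    {
        byte[] key = DeriveKey("Key");
        // Constructed sample: the same 8-byte block twice.
        byte[] plain = Encoding.ASCII.GetBytes("PASSWORDPASSWORD");
        foreach (CipherMode mode in new[] { CipherMode.ECB, CipherMode.CBC })
        {
            byte[] iv;
            byte[] first = Encrypt(plain, key, mode, out iv);
            byte[] second = Encrypt(plain, key, mode, out iv);
            Console.WriteLine("{0}: block0 == block1: {1}; repeated encryption identical: {2}",
                mode, Block(first, 0) == Block(first, 1), first.SequenceEqual(second));
        }
    }
}
```

Under ECB both comparisons are true, which is the pattern leakage behind the controversy. Under CBC with a fresh IV per message both are false, and the IV has to be stored alongside the ciphertext so the message can be decrypted.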

1 comment:

  1. I think exposing the KEY in code is again a security lapse even after using encryption!!!

    We can use an additional class or, say, an extension class (a new feature in .NET Framework 3.5), which can come to the rescue here. The key can reside in the additional class in this case.


    Regards,
    G.
