SHA1 generation in .net4

I reused some old code and saw that I had been using this code to generate a SHA1 hash.

HashAlgorithm sha = new SHA1CryptoServiceProvider();
return sha.ComputeHash((new UnicodeEncoding()).GetBytes(password.Trim()));

When I use the following code to generate a SHA1-hash I do not end up with the same hash as when I test with, for example, http://gtools.org/tool/sha1-hash-generator/

Which one is correct?

Am I doing something wrong here?

asked Nov 8 '11 at 13:11

2 Answers

Most likely a difference in encoding. You're using UTF-16. Try using UTF-8.

Just confirmed that this site uses UTF-8. But their code is broken for certain characters, such as ', because they put their input through sql escaping.

But hashing a password with plain SHA-1 is almost never the correct choice. In most cases, such as storing passwords used for login to your site, you should use a proper password hashing function, such as PBKDF2, bcrypt or scrypt with an appropriate salt.

PBKDF2 is implemented in .net in the Rfc2898DeriveBytes class.

answered Nov 08, 11:17

Make that "an unseeded single application of SHA-1 is almost never..." - Richard

Thanks for the input! Is that also the case when only running it over SSL? - Nueva Jersey.

@nj. SSL is irrelevant in this context, since the passwords are stored hashed in the db, to protect against a stolen db. The password sent over the network should not be hashed, but protected with SSL. - CódigosInChaos

Example of SHA-1 salting:

return Convert.ToBase64String(
    new HMACSHA1(
        Encoding.UTF8.GetBytes(salt))
    .ComputeHash(
        Encoding.UTF8.GetBytes(input)));

answered Nov 08, 11:17

My understanding is that this function is designed as a MAC. Which in turn means that it is fast. You need to use an iteration scheme to slow it down, which is exactly what PBKDF2 does. - CódigosInChaos
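Added example, not part of the original thread or any poster's code: it shows the UTF-16 versus UTF-8 digest mismatch from the first answer, then the salted, iterated PBKDF2 storage via Rfc2898DeriveBytes that the first answer and the comment above recommend. The class name, the "iterations:salt:key" record layout, the iteration count and the sample password are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashingDemo
{
    // Assumed parameters: tune Iterations to what your login server can afford.
    const int SaltBytes = 16, KeyBytes = 20, Iterations = 100000;

    static string Sha1Hex(string text, Encoding encoding)
    {
        using (var sha = SHA1.Create())
            return BitConverter.ToString(sha.ComputeHash(encoding.GetBytes(text)))
                               .Replace("-", "").ToLowerInvariant();
    }

    // Returns "iterations:salt:key" so everything needed to verify is stored with the hash.
    static string HashPassword(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // fresh salt per password
        // This constructor encodes the password as UTF-8 and runs PBKDF2 with HMAC-SHA1.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Iterations + ":" + Convert.ToBase64String(salt) + ":" +
                   Convert.ToBase64String(kdf.GetBytes(KeyBytes));
    }

    static bool VerifyPassword(string password, string stored)
    {
        var parts = stored.Split(':'); // ':' never occurs in Base64 output
        if (parts.Length != 3) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])))
        {
            var actual = kdf.GetBytes(expected.Length);
            int diff = 0; // accumulate differences so the comparison has no early exit
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    static void Main()
    {
        const string password = "correct horse"; // constructed sample input
        Console.WriteLine("SHA-1 over UTF-16LE: " + Sha1Hex(password, Encoding.Unicode));
        Console.WriteLine("SHA-1 over UTF-8:    " + Sha1Hex(password, Encoding.UTF8));
        string stored = HashPassword(password);
        Console.WriteLine("Stored PBKDF2 record: " + stored);
        Console.WriteLine("Correct password verifies: " + VerifyPassword(password, stored));
        Console.WriteLine("Wrong password verifies:   " + VerifyPassword("wrong", stored));
    }
}
```

The two SHA-1 lines differ even for an ASCII-only password, because UTF-16 encodes each character as two bytes. Storing the iteration count in the record lets it be raised later without invalidating existing hashes.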
