wwEncryption::ComputeHash

This method creates a one-way hash of an input string, useful for passwords or authorization tokens, using any of the following hashing algorithms:

  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512
  • HMACMD5
  • HMACSHA1
  • HMACSHA256
  • HMAC384
  • HMAC512

The HMAC versions require that you pass a hash salt value.

You can provide an optional salt to further randomize the hash. It's recommended that you use a unique salt for each hash you create, such as the user id when hashing a password.


o.ComputeHash(lcText, lcAlgorithm, lvHashSalt)

Return Value

Base64 encoded string of the hash

Parameters

lcText
Text to hash

lcAlgorithm
The hash algorithm used. Valid values include: MD5, SHA1, SHA256, SHA384, SHA512, HMACSHA1, HMACSHA256, HMAC384, HMAC512

lvHashSalt
A string or binary value that is used to salt the hash. For best security use a custom salt for each value generated. For example, when hashing a password, salt the hash with the user ID.

For HMAC providers the HashSalt is required.

For non-HMAC providers the HashSalt is optional. If it is not provided, only the raw hash algorithm is applied without any salting. If a HashSalt is provided, a simple multi-step salting process is applied.

Remarks

The HMAC versions require a HashSalt value while it's optional for the other providers.

HMAC is a well-known, standardized keyed-hash construction: the salt acts as the key and is mixed into the value being hashed through two nested hashing passes. Generally this is the most verifiably secure option when HMAC is supported for both hash creation and verification, and it is the recommended hash algorithm.

If you provide a hash salt for the other providers, a much simpler custom salting algorithm is used. Because this algorithm is specific to wwEncryption, both creating the hash and verifying it must be done with wwEncryption.

If you use one of the non-HMAC providers without a HashSalt, just the raw hash algorithm without salt is applied. This can be verified by any client that supports the hash algorithm, but hashing without salt is considered much less secure.

If at all possible use the HMAC versions. They provide the best security and are universally supported by other languages and encryption tools. Use non-HMAC with a custom salt for application-specific hashing where both hash creation and verification use wwEncryption. For non-security-critical hashing, such as simple verification and validation checks, you can use unsalted base hashes.

Example

*** Best Practice is to create Hashes with a reproducible UNIQUE Salt (like a PK or UserId):
*** o is the wwEncryption instance used throughout these samples
o = CREATEOBJECT("wwEncryption")

lcPassword = "seeekrit"
loUser = GetUser("1233")
loUser.cPassword = o.ComputeHash(lcPassword,"HMACSHA256",loUser.cUserId)
loUser.Save()

...

*** To check for a password: recompute the hash with the same salt and compare
lcPassword = "seeekrit"

loUser.GetUserByUserName("1233")
if(loUser.cPassword == o.ComputeHash(lcPassword,"HMACSHA256",loUser.cUserId))
   ? "Password is valid!"
endif


*** Other Examples
*** Sample inputs (any strings will do)
lcOriginal = "Hello World"
lcOriginal2 = "Hello World 2"
lcSecretSalt = "$$Sekrit01!!"

?
? "Plain Hash without Salt:"
? o.ComputeHash(lcOriginal,"MD5")
? o.ComputeHash(lcOriginal,"SHA256")
? o.ComputeHash(lcOriginal,"SHA512")

?
? "Hash using explicit Salt:"
? o.ComputeHash(lcOriginal2,"MD5",lcSecretSalt)
? o.ComputeHash(lcOriginal2,"SHA256",lcSecretSalt)
? o.ComputeHash(lcOriginal2,"SHA512",lcSecretSalt)
? o.ComputeHash(lcOriginal2,"HMACSHA512",lcSecretSalt)


?
? "Hash using globally assigned salt:"
*** Set a global secret salt so you don't have to pass lcSecretSalt
*** but still use your custom key
o.SetComputeHashSaltBytes("$$Different_Sekrit02!!")

*** With the global salt set no salt parameter is needed
*** (SetComputeHashSaltBytes accepts string or byte[] data)
? o.ComputeHash(lcOriginal2,"MD5")
? o.ComputeHash(lcOriginal2,"SHA256")
? o.ComputeHash(lcOriginal2,"SHA512")
? o.ComputeHash(lcOriginal2,"HMACSHA512")
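To check the interoperability claim above from another language, here is an added Python example (not wwEncryption's own code) that recomputes Base64 hashes for the algorithm names this page lists, refuses the wwEncryption-specific salted non-HMAC mode, and verifies a stored password hash in constant time. It assumes the HMAC modes are standard HMAC with the salt as key over UTF-8 text; compute_hash and verify_hash are names chosen here, so confirm one value against wwEncryption before relying on it.

```python
import base64
import hashlib
import hmac

# Digest names behind the algorithm strings ComputeHash accepts.
_DIGESTS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
            "SHA384": "sha384", "SHA512": "sha512"}


def _to_bytes(value):
    # ComputeHash takes a string or binary salt; normalise both to bytes.
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def compute_hash(text, algorithm, salt=None):
    """Base64 hash of text as an external client would recompute it.

    Assumption (not stated by the docs): HMAC modes are standard HMAC with
    the salt as key and the UTF-8 text as message. Plain algorithms without
    a salt are the raw digest. A plain algorithm WITH a salt uses a
    wwEncryption-specific scheme that cannot be reproduced here, so it is
    refused rather than silently computed wrong.
    """
    name = algorithm.upper()
    if name.startswith("HMAC"):
        if salt is None:
            raise ValueError("HMAC algorithms require a hash salt")
        base = name[4:]                      # HMACSHA256 -> SHA256
        if base.isdigit():                   # HMAC384 / HMAC512 -> SHA384 / SHA512
            base = "SHA" + base
        mac = hmac.new(_to_bytes(salt), _to_bytes(text), _DIGESTS[base]).digest()
        return base64.b64encode(mac).decode("ascii")
    if salt is not None:
        raise ValueError("salted non-HMAC hashing is wwEncryption-specific")
    digest = hashlib.new(_DIGESTS[name], _to_bytes(text)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hash(text, algorithm, salt, expected):
    """Recompute and compare in constant time.

    The doc example compares with ==, which can leak timing information;
    hmac.compare_digest avoids that.
    """
    return hmac.compare_digest(compute_hash(text, algorithm, salt), expected)


if __name__ == "__main__":
    # Constructed sample mirroring the password example above.
    stored = compute_hash("seeekrit", "HMACSHA256", "1233")
    print(stored, verify_hash("seeekrit", "HMACSHA256", "1233", stored))
```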

See also:

Class wwEncryption

© West Wind Technologies, 1996-2021 • Updated: 05/08/21