
Web Security: Hashing, Salting, and Encryption

Hashing

Passwords and other secrets should never be stored as plain text. A database can and will be stolen, no matter how many users your system has, and a plain-text table hands every account to the attacker at once. A hash function turns an input of any length into a fixed-length output and cannot be run backwards: from the stored value you cannot recover the password, but you can recompute the hash of a login attempt and compare the two. For passwords use a function built for the purpose (PBKDF2, bcrypt, scrypt or Argon2), which is deliberately slow so that each guess costs the attacker real time, and combine the password with a random per-user salt (and optionally a server-side secret key, a pepper, kept outside the database) so that an attacker who acquires the hashed values still cannot read the passwords off a precomputed table. Hashing is deterministic by design, which is what makes verification possible, but it also means that a plain, fast hash of a common password is trivial to look up; that is why the salt and the slow algorithm matter, not just the hash. Hashing is also not a replacement for encryption: it is the right tool when you only ever need to check a value, never read it back, and it does nothing for data in transit, which is the job of TLS. But at a bare minimum a salted, slow hash is a large step up from storing raw text.

Here is an ASP.NET Core example of how to hash a string. Source: Microsoft Docs

Salting

If you look at the code above, there is a variable called salt: a 128-bit (16-byte) array filled from a cryptographically secure random number generator. What in the world is this? A salt is a unique random value, generated fresh for every password, that is fed into the hash function alongside the password. It is not a secret: the site stores it next to the resulting hash and reads it back when validating a login, because the same salt is needed to recompute the same hash. The reason a salt is needed is that hashing is deterministic, so without one two users with the same password would have identical hashes, and an attacker could precompute a table of hashes for common passwords and look up every leaked hash at once. With a random salt per user the hashes differ even for identical passwords, and any precomputed table would have to be rebuilt for each salt, which makes an offline attack as expensive as guessing each password from scratch.
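As an added example, written for this page and not the snippet from Microsoft Docs, here is a complete salted password hasher and verifier in C# that covers both the Hashing and Salting sections above. It assumes .NET 6 or later (for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes); the stored record format and the iteration count are choices of this example, not anything the page prescribes.

```csharp
// Added example (not the page's own code): salted password hashing with PBKDF2-HMAC-SHA256.
// Assumes .NET 6 or later. The record format below is an assumption of this example.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    // Iteration count is the tunable cost. 600,000 matches the current OWASP Password Storage
    // Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
    private const int Iterations = 600_000;
    private const int SaltSize = 16;   // 128 bits of salt, generated per password
    private const int HashSize = 32;   // 256-bit derived key

    // Returns a self-describing record: algorithm$iterations$salt$hash (base64 fields).
    // Storing the salt and the parameters beside the hash is what lets Verify recompute it later.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        // Recompute with the stored salt and parameters, then compare in constant time so a
        // mismatch does not leak how many leading bytes happened to match.
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same password hashed twice: each call draws a fresh salt, so the two stored records
        // differ and a leaked table cannot be attacked with one precomputed lookup for all users.
        string first = PasswordHasher.Hash("correct horse battery staple");
        string second = PasswordHasher.Hash("correct horse battery staple");
        Console.WriteLine(first);
        Console.WriteLine(second);
        Console.WriteLine("records identical: " + (first == second));

        // Verification recomputes the hash from the stored salt; only the right password matches.
        Console.WriteLine("right password:    " + PasswordHasher.Verify("correct horse battery staple", first));
        Console.WriteLine("wrong password:    " + PasswordHasher.Verify("Tr0ub4dor&3", first));
    }
}
```

The record carries its own algorithm name and iteration count so that the cost can be raised later without invalidating existing rows: old records keep verifying with their stored parameters and can be rehashed with the new ones on the next successful login.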

Encryption

Encryption is a function of cryptography and is similar to hashing in that both scramble their input, except that encryption is designed to be undone, by whoever holds the key, while hashing is not. Let's take a look at an example of how to encrypt data in an ASP.NET C# environment. The aes variable in the example, created in a using block so that the key material is disposed afterwards, is what does the encryption. Aes is the .NET class for the AES block cipher. One caveat to carry into your own code: Aes.Create() defaults to CBC mode, which protects confidentiality but not integrity, so an attacker who can modify the ciphertext can change what decrypts without being detected. For data that crosses a trust boundary, add a MAC over the ciphertext or use the AesGcm class, which authenticates the data as it decrypts.

Here is an ASP.NET Core example of how to encrypt data. Source: Microsoft Docs

Keys

Keys come in two kinds, and knowing which one you are holding matters for how you protect it. Continuing with the above example, AES is a symmetric algorithm, meaning the same key both encrypts and decrypts, so anyone who can decrypt can also produce valid ciphertext, and the key must stay secret on every machine that holds it. Asymmetric algorithms such as RSA use a public key to encrypt and a private key to decrypt; the public half can be shared freely, but they are slow, so in practice an asymmetric key is used to protect a symmetric data key rather than the data itself. As with everything in this post, never store a cryptographic key in plain text, never hard-code it in source, and never transfer it between machines in plain text. It is not safe. Instead, keep keys in a secure key container (a platform key store, an HSM or a cloud key vault) and hand the application only a handle or a wrapped copy. In the below example we create an EncryptionMethod object that is initialized to the URI identifier of the encryption algorithm (here AES) that will be used to encrypt the XML element.

Encrypt XML Elements with Symmetric Keys Source: Microsoft Docs
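Added example, written for this page and not the code from Microsoft Docs: a complete AES encrypt/decrypt round trip in C# that also shows how to keep the key out of plaintext, covering both the Encryption and Keys sections above. It uses AES in GCM mode rather than the XML encryption API the page refers to, and it keeps the data key secret by wrapping it under a key-encryption key fetched from outside the code (envelope encryption). It assumes .NET 8 or later; LoadKeyEncryptionKey and the APP_KEK_BASE64 environment variable are stand-ins for whatever key container or vault your host actually provides.

```csharp
// Added example (not the page's or Microsoft's code): authenticated AES-GCM encryption plus
// envelope key management. Assumes .NET 8 or later (AesGcm constructor with a tag size).
// LoadKeyEncryptionKey and APP_KEK_BASE64 are assumptions standing in for a real key container.
using System;
using System.Security.Cryptography;
using System.Text;

public static class AesGcmBox
{
    public const int KeySize = 32;    // AES-256
    public const int NonceSize = 12;  // 96-bit nonce, the size GCM is specified for
    public const int TagSize = 16;    // 128-bit authentication tag

    // Output layout: nonce || tag || ciphertext. The nonce is not secret, but it must never
    // repeat under the same key, so it is drawn fresh from the CSPRNG on every call.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, byte[] associatedData)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);
        byte[] blob = new byte[NonceSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, NonceSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, blob, NonceSize + TagSize, ciphertext.Length);
        return blob;
    }

    // Throws CryptographicException when the tag does not verify, i.e. when the nonce,
    // ciphertext, tag, key or associated data differ from what was used to encrypt.
    public static byte[] Decrypt(byte[] key, byte[] blob, byte[] associatedData)
    {
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("blob too short");
        byte[] nonce = new byte[NonceSize];
        byte[] tag = new byte[TagSize];
        byte[] ciphertext = new byte[blob.Length - NonceSize - TagSize];
        Buffer.BlockCopy(blob, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(blob, NonceSize, tag, 0, TagSize);
        Buffer.BlockCopy(blob, NonceSize + TagSize, ciphertext, 0, ciphertext.Length);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
        return plaintext;
    }
}

public static class Program
{
    // Stand-in for a key container or vault: the key-encryption key (KEK) arrives from the
    // host's secret store, assumed here to be a base64 value in an environment variable that
    // is set outside the code. The application never has a hard-coded fallback.
    private static byte[] LoadKeyEncryptionKey()
    {
        string? b64 = Environment.GetEnvironmentVariable("APP_KEK_BASE64");
        if (b64 == null) throw new InvalidOperationException("APP_KEK_BASE64 not set; refusing to use a hard-coded key");
        byte[] kek = Convert.FromBase64String(b64);
        if (kek.Length != AesGcmBox.KeySize) throw new InvalidOperationException("KEK must be 32 bytes");
        return kek;
    }

    public static void Main()
    {
        byte[] kek = LoadKeyEncryptionKey();

        // Per-record data-encryption key (DEK). Only its wrapped form goes to storage, next to
        // the ciphertext; the plaintext DEK is zeroed as soon as it has been used.
        byte[] dek = RandomNumberGenerator.GetBytes(AesGcmBox.KeySize);
        byte[] recordId = Encoding.UTF8.GetBytes("user:42:ssn");   // bound as associated data
        byte[] ciphertext = AesGcmBox.Encrypt(dek, Encoding.UTF8.GetBytes("123-45-6789"), recordId);
        byte[] wrappedDek = AesGcmBox.Encrypt(kek, dek, recordId);
        CryptographicOperations.ZeroMemory(dek);

        // Read path: unwrap the DEK with the KEK, then decrypt the record with the DEK.
        byte[] dekAgain = AesGcmBox.Decrypt(kek, wrappedDek, recordId);
        Console.WriteLine(Encoding.UTF8.GetString(AesGcmBox.Decrypt(dekAgain, ciphertext, recordId)));

        // Flip one ciphertext byte: GCM refuses to hand back a forged plaintext.
        ciphertext[ciphertext.Length - 1] ^= 0x01;
        try { AesGcmBox.Decrypt(dekAgain, ciphertext, recordId); }
        catch (CryptographicException e) { Console.WriteLine("tamper detected: " + e.GetType().Name); }
    }
}
```

Before running, set APP_KEK_BASE64 to 32 random bytes in base64 (for a local try, the output of `openssl rand -base64 32`). Two design choices are worth carrying over: the record identifier is passed as associated data, so a ciphertext copied from one row into another fails to decrypt, and the KEK only ever touches short wrapped keys, so rotating it means re-wrapping the DEKs rather than re-encrypting every record. With random 96-bit nonces, keep the number of encryptions under any single key well below 2^32, or switch to a counter-based nonce scheme.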
