How to hash passwords with a salt in .NET

In this post we learnt about using hashing in .NET. We also saw one of its basic functions in the same post which is message verification. In this post we saw how hashing coupled with a random key can be used for message authentication.

We also mentioned another common usage of hashing which is password storage. A password should never be stored as clear text in your system. Instead we save its hash value and when a user enters a password in a login field then we compare the hashed values instead of the plain string passwords. However, a simple one-way hash is generally still not good enough.

Read more of this post

Using HMACs to authenticate a hash in .NET

In this post we learnt about using hashing in .NET. Hashes provide a one-way encryption of a message where the hash value ideally cannot be “unhashed”, i.e. we cannot build the original string from it. A hash or message digest helps us verify whether the message has been tampered with by a third party after it was sent to us.

We can take a step further and add an extra layer of security on our hashes. After all a message and its hash could originate from anyone. How can we verify the authenticity of the message as well? That’s where Hashed Message Authentication Codes, also called HashMACs or HMACs enter the picture.

Read more of this post

Hashing messages using various hash algorithms in .NET

A hash of a message can be viewed as its unique identifier. A series of bytes, such as a string, can be converted into hash, also called a message digest. A message digest is also a byte array that can be converted into a base 64 string for better readability. There are various hashing algorithms out there that can calculate the hash of a message. Ideally each algorithm should produce a different digest for each message, i.e. “Hello world” should yield a different hash from what “H3llo world” produces. I.e. a single change in the byte sequence will change the resulting hash. Also, it should be impossible to calculate the original message from a hash. Therefore hashing is a one-way cryptographic operation.

Read more of this post

Generate truly random cryptographic keys using a random number generator in .NET

The well-known System.Random class lets us generate random numbers quickly. However, the values provided by System.Random are not truly random. Instead, they are pseudo-random. The return values should only be used in case true randomness is not that important, such as in the classic number-guessing game. In case you need a random value to be used in cryptography such as a cryptographic key in symmetric and asymmetric encryption then System.Random is not an acceptable option.

Read more of this post

How to calculate the message digest in Java

A message digest is an important concept in cryptography. A digest is an array of bytes created by a hashing formula. It is used to make sure that some digital information has not been tampered with. In a sense it is a footprint of an object, such as a file. If someone modifies the file then the footprint also changes. Then we know that the file has been changed. Another word for a message digest is checksum. There are various hashing algorithms to perform the calculation. SHA-256 and MD5 are the most common ones.

For an example you can check out the Apacha log4j2 download page here. You’ll see a column called “checksum” for various files. If you click on one of those you’ll see the MD5 hash of the file in a relatively human readable form, such as “31826c19fff94790957d798cb1caf29a”.

Java and other popular programming languages have built-in classes to construct a message digest. Let’s see an example from Java.

Say we have a file called data.txt in the C:\Tmp folder. Data.txt contains a single line “Hello world”. The following code snippet will build the message digest of the file:

    FileInputStream inputStream = new FileInputStream(new File("c:\\Tmp\\data.txt"));
    MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
    try (DigestInputStream digestInputStream = new DigestInputStream(inputStream, sha256))
        while ( != -1)
            //do nothing, let the digest stream go through the file input stream
    byte[] checksum = sha256.digest();


catch (NoSuchAlgorithmException | IOException exception)

We ask the SHA-256 hashing algorithm to hash the file using DigestInputStream. We let the digest input stream read in the byte content of the file. We finally print the digest in two different forms: a base 64 and a hexadecimal string. My data.txt file gives the following checksums:


We can also look at the MD5 checksum like on the references Apache download page. Just replace the “SHA-256” string with “MD5”. The same sample file yields the following values:


View all posts related to Java here.

Using client certificates in .NET part 9: working with client certificates in OWIN/Katana III


In the previous post we added a couple of components necessary to add client certificate authentication into the OWIN middleware chain. We haven’t yet put the elements to work though. That is the main topic of this post which will finish this series. We’ll also run a couple of tests.

Have the demo application open in Visual Studio in administrator mode.

Read more of this post

Using client certificates in .NET part 8: working with client certificates in OWIN/Katana II


In the previous post we started adding the necessary OWIN-related libraries to our Web API project: a couple of NuGet libraries and the Startup class. We publish our application to the local IIS and it doesn’t allow us to break the code within Startup.cs. We’ll soon see that we can still debug the OWIN components further down the call stack.

In this post we’ll add the necessary elements to a client certificate based authentication in .NET MVC with OWIN.

Read more of this post

Using client certificates in .NET part 7: working with client certificates in OWIN/Katana


In the previous post we accomplished a couple of things. First we secured our demo Web API website with a client certificate. Second we enabled client certificates for it so that IIS doesn’t just ignore them. Finally we saw that the client certificate is also picked up in the customers controller when sent in code in a web request.

In this post we’ll start discussing how to add client certificate handling as an OWIN middleware component.

Make sure you open the demo Web API project in Visual Studio as an administrator.

Read more of this post

Using client certificates in .NET part 6: setting up client certificates for local test usage


In the previous post we investigated how to attach a client certificate to the web request and how to extract it in a controller. We faced an issue that by default client certificates are ignored by IIS so we couldn’t actually read the certificate.

We’ll solve that problem in this post.

Read more of this post

Using client certificates in .NET part 5: working with client certificates in a web project


In the previous post we looked at a couple pf examples on how to work with digital certificates in C# code. In particular we saw how to load certificates from a certificate store, how to search for and how to validate one.

In this post we’ll go through how to attach a client certificate to a web request and how to extract it in a .NET Web API 2 project.

Read more of this post

Elliot Balynn's Blog

A directory of wonderful thoughts

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog


Once Upon a Camayoc

Bite-size insight on Cyber Security for the not too technical.

%d bloggers like this: