2
votes

EDIT: Sorry I forgot to mention, I'm not using the implemented sha512 crypt because as far as I can tell it doesn't involve a salt value or a specified number of rounds to compute the hash with.

Okay so I'm coding the sha-512 crypt in c# and I'm following the steps found here...

http://people.redhat.com/drepper/SHA-crypt.txt

This is my first time doing anything encryption related so I want to make sure I'm understanding the steps correctly... I don't understand C code well enough to do a direct translation from C to C# :/

I have assumed finishing a digest is the same as computing the hash. In this case, I've also assumed that when the steps refer to a finished digest, they are referring to the computed hash, rather than the pre-hash computed digest bytes. Correct me if I'm wrong please!

Assuming everything has been done correctly for steps 1-8, my doubts start at step 9

9. For each block of 32 or 64 bytes in the password string (excluding the terminating NUL in the C representation), add digest B to digest A

Since I'm using SHA-512, I have block sizes of 64 bytes.

Would the following code produce the desired result?

//FYI, temp = digestA from steps 1-3 (before expanding digestA for step 9)
//alt_result = computed digestB hash (64 byte hash)

for (cnt = key.Length; cnt > 64; cnt -= 64)                         //9
{
    int i = 0;
    ctx.TransformBlock(alt_result, 0, 64, digestA, temp.Length + 64 * i);
    i++;
}

If anyone can clarify that what I've stated is correct, I would appreciate it. Thanks!

2
any reason you don't want to use the built-in SHA-512 implementation? - Yahia
.NET already has a SHA512 class: msdn.microsoft.com/en-us/library/… - Sani Singh Huttunen
okay, so if I were to just use the built in method, how would I implement it to work with salt and a specified number of rounds? - dollardime
Salt is just appending a fixed blob into the input of the initial hash function, and the definition of SHA-512 says it does 80 rounds internally, if you change the rounds you are not using SHA-512. What are you trying to do as a big picture that requires you to write your own SHA function? - Scott Chamberlain
I'm trying to replicate an input/output file that was given to me by someone who used the sha512crypt for unix. The unix implementation states the following... "The default number of rounds for both algorithms is 5000. To ensure minimal security and stability on the other hand minimum and maximum values for N are enforced: minimum for N = 1,000 maximum for N = 999,999,999". How does a built-in 80 rounds compare? - dollardime

2 Answers

3
votes

Salting is as simple as appending a fixed byte string on the end of your input string. Essentially providing a known "homegrown" transform to your input.

About the algorithm itself: you seem to be starting at a disadvantage. A neophyte, you're making a lot of "assumptions" about basic crypting terminology that even need clarification. If the CLR implementation won't work for you, I think your time would be better spent finding a good C implementation and figuring out how to integrate to that. Figuring out the interop (extern) calls to that will be far easier than diving into the intricacies of crypting, the results will be more efficient, and the knowledge you gain about native interop will be far more useful/reusable.

3
votes

I'll add some important clarification for others who might come across this later.

First: SHA512 and SHA512Crypt are two distinct algorithms for two different purposes. SHA512 is a general purpose hashing algorithm (see this). SHA512Crypt is a password storage or password based key derivation algorithm that uses SHA512 (hash) internally (see this). SHA512Crypt is based on the earlier Crypt function that used MD5 instead of SHA512.

The password storage/key generation algorithms have been specifically created to make it orders of magnitude more expensive to brute force. The typical way this is done is by iterating over the underlying hash algorithm in some fashion. However, you don't want to do this yourself... which brings us to...

Second: Do NOT write your own cryptography methods. (see this) There are tons of ways to screw it up, even if you know exactly what you are doing.

If you don't want to use the built in Rfc2898DeriveBytes due to it being based on SHA1, then you could look at bcrypt or some other public, reviewed implementation of a known cryptographic algorithm.
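
How step 9 of the linked specification fits with the other steps, and how the "rounds" in SHA-512 crypt differ from SHA-512's internal 80 rounds, as an added example that is not code from the question, the answers, or the specification's C reference. It is in Python rather than C# so it can be run and checked; the names `sha512_crypt`, `_fill` and `_h` are assumptions, and the salt is assumed to be ASCII.

```python
import hashlib

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _h(data):
    return hashlib.sha512(data).digest()        # a "finished" digest: 64 bytes

def _fill(block, n):
    """Steps 9-10: whole 64-byte copies of block, then its first n % 64 bytes."""
    return block * (n // 64) + block[: n % 64]

def sha512_crypt(password, salt, rounds=None):
    key, slt = password.encode(), salt.encode()[:16]     # salt is capped at 16 bytes
    n = min(max(5000 if rounds is None else rounds, 1000), 999_999_999)

    b = _h(key + slt + key)                     # steps 4-8: digest B, finished
    a = hashlib.sha512(key + slt)               # steps 1-3: digest A, still open
    a.update(_fill(b, len(key)))                # steps 9-10: feed B's bytes into A
    bits = len(key)
    while bits:                                 # step 11: one update per length bit
        a.update(b if bits & 1 else key)
        bits >>= 1
    prev = a.digest()                           # step 12: finish digest A

    p = _fill(_h(key * len(key)), len(key))           # steps 13-16: sequence P
    s = _fill(_h(slt * (16 + prev[0])), len(slt))     # steps 17-20: sequence S
    for i in range(n):                          # step 21: n full SHA-512 hashes
        c = p if i & 1 else prev
        if i % 3:
            c += s
        if i % 7:
            c += p
        c += prev if i & 1 else p
        prev = _h(c)

    out, (x, y, z) = [], (0, 21, 42)            # step 22: permuted base-64 output
    for _ in range(21):
        w = prev[x] << 16 | prev[y] << 8 | prev[z]
        out += [B64[(w >> 6 * k) & 63] for k in range(4)]
        x, y, z = y + 1, z + 1, x + 1
    out += [B64[prev[63] & 63], B64[prev[63] >> 6]]
    prefix = "$6$" if rounds is None else f"$6$rounds={n}$"
    return f"{prefix}{slt.decode()}${''.join(out)}"

if __name__ == "__main__":
    print(sha512_crypt("Hello world!", "saltstring"))
```
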