.net implementation of bcrypt
Asked Answered
M

6

118

Does anyone know of a good implementation of bcrypt, I know this question has been asked before but it got very little response. I'm a bit unsure of just picking an implementation that turns up in google and am thinking that I may be better off using sha256 in the System.Security.Cryptography namespace, at least then I know it's supported! What are you thoughts?

Mirellamirelle answered 16/5, 2009 at 21:56 Comment(0)
K
58

It sounds like you are looking for BCrypt.net:

BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.

Kaylyn answered 16/5, 2009 at 22:2 Comment(10)
Yes, that was the one I found with Google also. Do you use it, or do you know if it's widely used?Mirellamirelle
Haven't used BCrypt, but judging from references from other internet sites, it looks like this implementation is really good. However, unless you have a pressing need to use BCrypt specifically, why not just go with the built-in SHA256 or SHA512?Kaylyn
The reason I thought about using BCrypt was because of this article matasano.com/log/958/… and it claimed BCrypt is the way to go.Mirellamirelle
Roger that. That article is the same reason I gooogled bcrypt for .NET and came to this question on stackoverflow. Specifically, from the article, you shouldn't use SHA256 or SHA512 because those are both optimized for SPEED, and a password generating hash should be SLOW, or TAKE A LONG TIME.Eudiometer
Just wanted to add a note that if you are using BCrypt.net on Windows Server 2008 you'll need to name it something other than BCrypt.dll or it will conflict with the new Windows API in Vista that calls functions in a 'bcrypt.dll', so if you have Bcrypt.net as Bcrypt.dll in your web app bin/ directory Windows won't be able to find the correct dll and you will get some cryptic errors.Vinni
Note: The following reason on why to use bCrypt (for those interested). codahale.com/how-to-safely-store-a-passwordLindsy
Article moved: chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow- tables-what-you-need-to-know-about-s.htmlApolitical
Note that this library was last updated in 2007, while the Codeplex links from Ryan Emerle and Maksym Kozlenko's answers was last updated November 2013.Conrad
Link's broke...Lyndell
here for anyone from the future like me: github.com/BcryptNet/bcrypt.netHeddy
P
25

BCrypt.Net seems to be a most popular library at this moment

http://bcrypt.codeplex.com/

Here is an example how to use it for hashing password:

[TestMethod]
    public void BCryptTest()
    {
        const string password = "PASSWORD";
        const int workFactor = 13;

        var start = DateTime.UtcNow;
        var hashed = BCrypt.Net.BCrypt.HashPassword(password, workFactor);
        var end = DateTime.UtcNow;

        Console.WriteLine("hash length is {0} chars", hashed.Length);
        Console.WriteLine("Processing time is {0} with workFactor {1}", end - start, workFactor);
        Console.WriteLine("Hashed password: {0} ", hashed);
        Console.WriteLine("correct password {0}", BCrypt.Net.BCrypt.Verify("PASSWORD", hashed));
        Console.WriteLine("incorrect password {0}", BCrypt.Net.BCrypt.Verify("PASSWORd", hashed));
    }

Sample output:

hash length is 60 chars
Processing time is 00:00:01.0020000 with workFactor 13
Hashed password: $2a$13$iBqdG7ENBABEargiyzGlTexPsmviF/qrFxUZB2zce7HKF6MoBNhEq 
correct password True
incorrect password False
Pill answered 19/11, 2012 at 23:56 Comment(0)
E
23

You can find an updated implementation of BCrypt for .Net here: http://bcrypt.codeplex.com/

Exterminate answered 17/12, 2010 at 15:38 Comment(0)
E
6

I needed a BCrypt implementation when moving something from PostgreSQL (which has pg_crypto) to SQLite (which doesn't), so I wrote my own. Seeing from this message I'm not the only one needing this, I've decided to slap a license on it and release it. The URL is:

http://zer7.com/software.php?page=cryptsharp

The Blowfish implementation behind it is a port of Bruce Schneier's public domain C implementation, and succeeds on all the official test vectors.

The BCrypt code I wrote myself based on the spec. I also created a PHP script which generates random passwords of length 0 to 100 and salts, crypts them, and outputs them to a test file. The C# code matches these 100% of the time so far. You are welcome to use the script and test this yourself.

The library also includes PBKDF2 code which works for any HMAC as opposed to .Net's SHA-1-only implementation (added today -- I'm intending to do SCrypt in C# soon and that requires PBKDF2 with HMAC-SHA256). You could make yourself a scheme based on this too, if you wanted.

Exceed answered 22/1, 2011 at 7:29 Comment(0)
R
0

Wrong answer, please see below

All "Cng" (Cryptography Next Generation) postfixed algorithms in the .Net Framework now use bcrypt. E.g. SHA256Cng.


Actually the MS BCrypt (BestCrypt) does not refer to the one based on the Blowfish cipher - thank you, RobbyD, for the comment.
Will not delete the answer, just in case anyone else makes the same confusion.

Radish answered 29/8, 2018 at 9:10 Comment(1)
BCrypt in that context refers to a Microsoft PR name BestCrypt. See #9712068 for more details.Jackfruit
I
-2

Have you tried this MS BCryptCreateHash C++ function perhaps?? Seems to be present from Windows Server 2008 and Windows Vista.

Also, you can probably check the following MS C# BCryptNative.cs class too perhaps.

Illuminism answered 26/8, 2015 at 20:4 Comment(1)
see #9712068 - the windows bcrypt stuff is not related to bcrypt.Goulash

© 2022 - 2024 — McMap. All rights reserved.