Fabulous Adventures In Coding

Eric Lippert's Blog

Do not use string hashes for security purposes

A recent question I got about the .NET CLR's hashing algorithm for strings is apropos of our discussion from January on using salted hashes for security purposes. (If you missed it, you can read it here: Part One, Part Two, Part Three and Part Four).  The question was basically "my database of password hashes doesn't seem to work with .NET v2.0, what's up with that?"

To make a long story short, the answer is UNDER NO CIRCUMSTANCES SHOULD YOU USE THE .NET STRING HASH ALGORITHM (that is, String.GetHashCode()) FOR SECURITY PURPOSES. That is not what it was designed for. If it hurts when you do that then stop doing it!

The slightly longer version goes like this. Suppose you want to store some secrets in a database, but you only need to be able to confirm that the user knows the secret. As I discussed in my series on salted hashes, a hash is a commonly used tool for this task because a cryptographic hash has some nice properties. Namely, it is a fixed number of bits (in the 100's of bits range), small changes to input produce huge changes in output, and it is very difficult to go from the hash back to the original secret. Another nice property that I didn't call out in my earlier article is that there are industry-standard hash algorithms where you can be reasonably guaranteed that any two implementations will produce the same results when given the same set of bits.

The .NET CLR string hash algorithm has none of these nice properties, and therefore is completely unsuitable for a cryptographic hash function. Specifically:

  • The string hash algorithm was designed to be blindingly fast rather than hard to run backwards, so it is likely that a mathematically astute attacker will be able to rapidly deduce facts about the input knowing only the hash.
  • Worse, being only 32 bits, using brute force to find a message that produces a given hash becomes doable in an afternoon with a PC rather than a trillion years.
  • Finally, the string hash algorithm is not an industry standard and is not guaranteed to produce the same behaviour between versions. And in fact it does not. The .NET 2.0 CLR uses a different algorithm for string hashing than the .NET 1.1 CLR. If you are saving .NET 1.1 CLR hash values in a database then you will not be able to match them when you upgrade to 2.0. The hash algorithm was specifically NOT designed to be forward/backward compatible and we called that out in the documentation because we knew that it probably would not be. Unlike last week, I have no problem whatsoever with making breaking changes when we call out in the documentation that you cannot rely on version-to-version identical output for a function.

So please don't do that; you're just asking for a world of hurt if you do. Use SHA1 or MD5 or some other algorithm designed for that purpose. (Yes, I know that weaknesses have been discovered in these algorithms, but they are still orders of magnitude better than a hash designed for hash table balancing!)
Published Monday, October 24, 2005 7:00 AM by Eric Lippert

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

Jonas Grumby said:

Wow. It never even dawned on me that someone might do that. And this was someone who had read your series? Talk about understanding just enough to get it completely wrong.
October 24, 2005 11:47 AM
 

Eric K. said:

Soo... what is the supposedly-painless alternative that we should be using instead?

Roll our own algorithm and hope it behaves according to standards?

Buy a third-part component?

Hope we don't need standard behavior and don't expect upgrades?
October 24, 2005 12:03 PM
 

Brian Delahunty said:

>Soo... what is the supposedly-painless alternative that we should be using instead?
>Roll our own algorithm and hope it behaves according to standards?
>Buy a third-part component?
>Hope we don't need standard behavior and don't expect upgrades?

Plenty of standard hashing algos built into .NET... look in the System.Security.Cryptography namespace in 1.1 and you'll find the following (plus a few more):

System.Security.Cryptography.MACTripleDES
System.Security.Cryptography.HMACSHA1
System.Security.Cryptography.MD5CryptoServiceProvider
System.Security.Cryptography.SHA1Managed
System.Security.Cryptography.SHA256Managed
System.Security.Cryptography.SHA384Managed
System.Security.Cryptography.SHA512Managed
October 24, 2005 12:49 PM
 

G. Dog said:

I think there is some confusion here and you should probably point out WHICH methods specifically you are talking about.

I think you are talking about calling GetHashCode() on a string, is that right? If so then I understand this post... But it appears as in the question by Eric K. that you may be referring to some OTHER hashing methods when you say "the .NET string hashing algorithm" (a very vague statement).

Please clarify...?
October 24, 2005 12:59 PM
 

Jonas Grumby said:

G. Dog: Follow the last link in the article.
October 24, 2005 1:29 PM
 

Eric Lippert said:

* no, this was clearly not someone who had read my articles -- this was from a customer who had developed their own customer-secret hashing system. The question just got to me at random from a PSS guy.

* The alternative you should be using instead is exactly what I said -- use SHA1 or MD5 or some other industry-standard algorithm designed for security purposes. Make your own educated judgment as to what algorithm suits your purposes based on the characteristics of your problem and the algorithm in question.

* Yes, I am talking about String.GetHashCode. I apologize for the unclear text; I've clarified it.

October 24, 2005 2:08 PM
 

Gabe said:

Is there some way, then (possibly using Reflection) to get the old behavior?

I can easily imagine a situation where somebody has persisted a hash table (caching web pages with the filename being the URL's hash value in base64) and would want to keep the same behavior after upgrading to Whidbey.
October 26, 2005 4:50 PM
 

Eric Lippert said:

Reflection isn't going to help you -- reflection just turns early-bound calls into late-bound calls, it doesn't change what the call does.

If you are in this unfortunate predicament, the best advice I can give you is to get the Rotor sources, look up the string hash function, and re-implement it in the managed language of your choice. Then start using your now-stable library function rather than String.GetHashCode.

October 26, 2005 5:49 PM
 

Lance Fisher said:

One of my favorite function names:

System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile()
October 27, 2005 7:07 PM
 

protected virtual void jaysonBlog { said:

It’s funny how breaking changes actually…well, break stuff sometimes.  I’ve had...
February 26, 2006 12:22 AM
 

Elbie said:

If I understand correctly, the weaknesses in MD5 and SHA-1 are with respect to collisions, not preimages, and as long as those hashing algorithms remain preimage resistant, then there's really no problems with continuing to use them.
March 14, 2006 4:34 PM
 

Reinhard said:

Gabe: there is a way to get the old functionality:

http://aspalliance.com/1218_NET_String_Hashing_The_Hidden_Knot.all

October 22, 2008 7:18 PM

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required
Submit

About Eric Lippert

Eric Lippert is a senior developer on the Microsoft C# compiler team. Before that he worked on the framework of Visual Studio Tools For Office. Before that, he worked on the compilers, runtimes and tools for VBScript, JScript, Windows Script Host and other Microsoft Scripting technologies. He lives in Seattle and spends his free time editing books about programming languages, playing the piano, and trying to keep his tiny sailboat upright in Puget Sound.

This Blog

Syndication

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker