PASSWORD HASHING METHODS AND ALGORITHMS ON THE .NET PLATFORM
Abstract
Web applications, widely used to deliver services and collect information, have become a major target for attackers, especially with the emergence of government services that process sensitive data. The .NET software platform, popular for developing web applications, ships built-in hashing algorithms and key derivation functions (KDFs) for protecting passwords; however, several of these were designed over two decades ago against a different level of threat. More modern alternatives such as Bcrypt, Scrypt and Argon2 offer improved resistance to GPU-, ASIC- and FPGA-accelerated attacks, but on .NET they require third-party implementations. Given the critical role of password protection in safeguarding user information, this research investigates the effectiveness of the hashing mechanisms available on the .NET platform, which is an urgent need for securing modern web applications. The subject of study is the hashing algorithms that are built into, or available as libraries for, the .NET software platform for password protection as the main aspect of user authentication. The purpose of the work is to compare and analyse these algorithms. Objectives: to review built-in algorithms such as MD5, SHA and PBKDF2 as well as third-party implementations of modern key derivation functions such as Bcrypt, Scrypt and Argon2, and to investigate their performance and cryptographic strength. Methods: measuring hashing speed for different password sets and analysing attack resistance using tools such as Hashcat together with data from independent security research. Results: while built-in algorithms such as MD5 and SHA-256 are fast, as general-purpose hashes they offer no protection against rainbow table attacks when used without a salt, and their speed is exactly what makes GPU-accelerated brute-force attacks effective against them. PBKDF2, the default in ASP.NET Core Identity, provides better security but remains comparatively cheap to attack with specialised hardware because it requires almost no memory. Among the modern algorithms, Argon2 demonstrated the best balance of security and performance, with strong resistance to GPU-, ASIC- and FPGA-based attacks thanks to its configurable memory cost. Conclusions: Argon2 is the recommended algorithm for password hashing on the .NET platform, while Bcrypt is a suitable alternative for legacy applications; PBKDF2 with a high iteration count can still provide strong protection. A promising direction for further research is how memory-hard key derivation functions can be integrated into existing .NET applications to improve password security.
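The following C# is an added example and is not code from the article. It shows the two storage schemes the abstract compares on .NET: salted PBKDF2-HMAC-SHA256 through the built-in System.Security.Cryptography API (available since .NET 6), and Argon2id through the third-party NuGet package Konscious.Security.Cryptography. The self-describing stored-hash format (algorithm, cost parameters, salt, hash separated by `$`), the 600,000-iteration PBKDF2 target (current OWASP guidance) and the 64 MiB / 3-pass Argon2id cost are all the author's own assumptions for illustration, not values taken from the article.

```csharp
// Added example (not from the article): salted PBKDF2 and Argon2id password storage
// on .NET with a self-describing stored format and constant-time verification.
// PBKDF2 needs only System.Security.Cryptography (.NET 6+). Argon2id assumes the
// third-party NuGet package Konscious.Security.Cryptography (class Argon2id).
using System;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

public static class PasswordStorage
{
    const int SaltBytes = 16, KeyBytes = 32;
    // PBKDF2-HMAC-SHA256 iteration target; 600,000 follows current OWASP guidance
    // (an assumed tuning choice, raise it as hardware improves).
    const int Pbkdf2Iterations = 600_000;
    // Argon2id cost: 64 MiB memory, 3 passes, 1 lane (illustrative; tune to the server).
    const int Argon2MemoryKiB = 64 * 1024, Argon2Iterations = 3, Argon2Lanes = 1;

    // Stored form (assumed format): $pbkdf2-sha256$<iterations>$<salt-b64>$<hash-b64>
    public static string HashPbkdf2(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Pbkdf2Iterations,
                                               HashAlgorithmName.SHA256, KeyBytes);
        return string.Join("$", "", "pbkdf2-sha256", Pbkdf2Iterations,
                           Convert.ToBase64String(salt), Convert.ToBase64String(key));
    }

    // Stored form (assumed format): $argon2id$m=<KiB>,t=<passes>,p=<lanes>$<salt-b64>$<hash-b64>
    public static string HashArgon2id(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] key = DeriveArgon2id(password, salt, Argon2MemoryKiB, Argon2Iterations, Argon2Lanes);
        return string.Join("$", "", "argon2id",
                           $"m={Argon2MemoryKiB},t={Argon2Iterations},p={Argon2Lanes}",
                           Convert.ToBase64String(salt), Convert.ToBase64String(key));
    }

    static byte[] DeriveArgon2id(string password, byte[] salt, int memKiB, int passes, int lanes)
    {
        using var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
        {
            Salt = salt,
            MemorySize = memKiB,          // Konscious expresses memory in KiB
            Iterations = passes,
            DegreeOfParallelism = lanes
        };
        return argon2.GetBytes(KeyBytes);
    }

    // Verifies a password against either stored format. needsRehash is set when the
    // stored hash was made with a lower cost than the current target, so the caller
    // can re-hash the (now known-good) password and upgrade the record at login.
    public static bool Verify(string password, string stored, out bool needsRehash)
    {
        needsRehash = false;
        string[] parts = stored.Split('$');  // leading '$' yields an empty parts[0]
        if (parts.Length != 5) return false;
        byte[] salt = Convert.FromBase64String(parts[3]);
        byte[] expected = Convert.FromBase64String(parts[4]);
        byte[] actual;
        switch (parts[1])
        {
            case "pbkdf2-sha256":
                int iterations = int.Parse(parts[2]);
                actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                   HashAlgorithmName.SHA256, expected.Length);
                needsRehash = iterations < Pbkdf2Iterations;
                break;
            case "argon2id":
                var prm = ParseArgon2Params(parts[2]);
                actual = DeriveArgon2id(password, salt, prm.m, prm.t, prm.p);
                needsRehash = prm.m < Argon2MemoryKiB || prm.t < Argon2Iterations;
                break;
            default:
                return false;  // unknown scheme (e.g. legacy unsalted MD5): force a reset
        }
        // Constant-time comparison avoids leaking how many hash bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static (int m, int t, int p) ParseArgon2Params(string s)
    {
        int m = 0, t = 0, p = 0;
        foreach (string kv in s.Split(','))
        {
            string[] pair = kv.Split('=');
            int v = int.Parse(pair[1]);
            if (pair[0] == "m") m = v; else if (pair[0] == "t") t = v; else if (pair[0] == "p") p = v;
        }
        return (m, t, p);
    }

    public static void Main()
    {
        string stored = HashArgon2id("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored, out bool upgrade) + " rehash=" + upgrade);
        Console.WriteLine(Verify("wrong password", stored, out _));   // false
    }
}
```

Two practical points follow from the example. First, the stored format carries its own cost parameters, so the `needsRehash` flag lets an application raise PBKDF2 iterations or migrate from PBKDF2 to Argon2id transparently at the user's next successful login, without a mass password reset; ASP.NET Core Identity's own `PasswordHasher` likewise uses PBKDF2-HMAC-SHA256 by default and exposes its iteration count through `PasswordHasherOptions.IterationCount`. Second, an unsalted MD5 or SHA-256 record cannot be verified by this code at all and falls through to the `default` branch, which is the intended behaviour: such hashes should be retired rather than accepted.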