2

I am right now taking a class named Applied Cryptography and our final project is to create a password hashing method using at least one existing algorithm and then add additional steps to make it harder to decrypt.

I am using SHA1 in a Console Application in c#.

The user input is hashed using SHA-1. For each byte of the resulting hash I compute the Fibonacci series of the byte value as int, and append it to a string, if it is positive. If it is not, I append 0.

The result of the Fibonacci computation is hashed using SHA-1 once more.

This is my code so far

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

namespace Proyecto
{
    class Program
    {
        static void Main(string[] args)
        {
            string str = Console.ReadLine();
            StringBuilder fibo = new StringBuilder();            
            string result1, result2;
            result1 = GetSHA1(str);
            for (int i = 0; i < GetSHA1(str).Length; i++) fibo.Append((Fibonacci(result1[i]) > 0) ? Fibonacci(result1[i]) : 0);
            result2 = GetSHA1(fibo.ToString());
            Console.WriteLine(result1);
            Console.WriteLine(fibo);
            Console.WriteLine(result2);
            Console.ReadLine();
        }

        public static int Fibonacci(int n)
        {
            int a = 0;
            int b = 1;
            // In N steps compute Fibonacci sequence iteratively.
            for (int i = 0; i < n; i++)
            {
                int temp = a;
                a = b;
                b = temp + b;
            }
            return a;
        }

        public static string GetSHA1(string str)
        {
            SHA1 sha1 = SHA1Managed.Create();
            ASCIIEncoding encoding = new ASCIIEncoding();
            byte[] stream = null;
            StringBuilder sb = new StringBuilder();
            stream = sha1.ComputeHash(encoding.GetBytes(str));
            for (int i = 0; i < stream.Length; i++) sb.AppendFormat("{0:x2}", stream[i]);
            return sb.ToString();
        }
    }
}

I want to know if the additional Fibonacci round improves the strength of the function as a password hashing function, and if not, if you can give me some suggestions.

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
Yatiac
  • 121
  • 1

1 Answers1

4

Ignore the integer overflow issue I mentioned in a comment, for a moment.

I don't see how this adds any security.

For all $n>2$, the function you are calling Fibonacci is one-to-one, and since $n<256$, you could easily build a lookup table without much memory to invert the function.

Therefore, to break this, all one has to do is invert the Fibonacci related stuff (not too hard), then attempt to break the SHA-1 hash. So, it isn't much harder than just breaking the SHA-1 hash by itself.

if not, if you can give me some suggestions

Well, that would just take all the fun out of your class, now wouldn't it. That said, look into functions like PBKDF2 and bcrypt to see how they make things harder.

The integer overflow issue could make it harder to invert the function. Though, likely not in a cryptographically secure manner. But to really say no, it doesn't add security, I'd have to check how the integer overflow problem manifests itself.

mikeazo
  • 39,117
  • 9
  • 118
  • 183