With the release of Real Studio 2012r2, we can take the wraps off our new Crypto module. This module provides access to additional hashing algorithms SHA-1, SHA-256, and SHA-512, as well as keyed hashing functions HMAC and PBKDF2.
The language reference for the Crypto module is available at http://docs.realsoftware.com/index.php/Crypto, but I'll give you an overview of everything it does right here.
The Crypto.Hash function provides the simplest form of hashing. You pass in a MemoryBlock and any of the Crypto.Algorithm values, and get back a binary hash. For users familiar with our MD5 function, the code Crypto.Hash("password",Crypto.Algorithm.MD5) and MD5("password") return identical results.
There are also convenience functions Crypto.MD5, Crypto.SHA1, Crypto.SHA256, and Crypto.SHA512, if you don't need the flexibility the Crypto.Hash function provides.
Hash-Based Message Authentication Code (HMAC)
Crypto.HMAC works much like Crypto.Hash, except that it requires one additional parameter: a key. In simplest terms, HMAC produces hashes that are "stronger" than non-HMAC hashes. A very common use of HMAC is to add a "salt" value to a password. Rather than simply applying the salt to the beginning or end of the password before sending it to MD5, you can use the salt as the key and produce a stronger hash.
For example, this code:
Const Password = "password"
Const Key = "key"
Dim PlainHash As String = EncodeHex(Crypto.Hash(Key + Password,Crypto.Algorithm.MD5))
Dim HMACHash As String = EncodeHex(Crypto.HMAC(Key,Password,Crypto.Algorithm.MD5))
PlainHash = 084201E2889684A768A54EA3B0E05D6D
HMACHash = A95669C550C0C9CC91EF29A91873CA4F
To a human, those results appear very similar. To a computer, the HMACHash will be harder to break.
Password-Based Key Derivation Function 2 (PBKDF2)
Building upon HMAC, PBKDF2 is even more secure, simply because it is much slower. In fact, it is as slow as you want it to be. The Crypto.PBKDF2 function adds two parameters: Iterations and Length. Iterations is the number of loops the function will make, which essentially means the greater the iterations, the slower the function. Length is the number of bytes you want the desired hash to be.
Following up on the earlier example, we can run the same values through PBKDF2 at 1,000 iterations and retrieve a 16-byte hash:
Dim PBKDF2Hash As String = EncodeHex(Crypto.PBKDF2(Key,Password,1000,16,Crypto.Algorithm.MD5))
Produces the hash 1C0792068A80FD07931CD4A86C001D27
Now here's the beauty of PBKDF2. On my machine, the plain MD5 hash took 0.02ms. The HMAC-MD5 hash took 0.03ms. The PBKDF2-MD5 took 1.22ms. This means my computer could brute force the HMAC-MD5 at a rate of about 30,000 hashes per second. But the PBKDF2 could only achieve about 1,000 hashes per second. Every computer is different, of course. But regardless, being 30 times slower is still quite valuable.
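As an added illustration (Python, not Real Studio code and not taken from the Crypto module), here is PBKDF2 written out on top of HMAC as defined in RFC 2898, showing what the Iterations and Length parameters control, followed by a salted store-and-verify pair. The function names, the 16-byte random salt and the SHA-256 default are assumptions of this example.

```python
import hashlib
import hmac
import os


def pbkdf2(password: bytes, salt: bytes, iterations: int, length: int,
           algo: str = "sha256") -> bytes:
    """PBKDF2 (RFC 2898) written out on top of HMAC."""
    if iterations < 1 or length < 1:
        raise ValueError("iterations and length must be positive")
    keyed = hmac.new(password, digestmod=algo)  # the password is the HMAC key
    out, block = b"", 1
    while len(out) < length:  # each pass yields one digest-sized block
        h = keyed.copy()
        h.update(salt + block.to_bytes(4, "big"))  # U1 = HMAC(salt || block#)
        u = h.digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):  # U2..Uc: each HMACs the previous U
            h = keyed.copy()
            h.update(u)
            u = h.digest()
            acc ^= int.from_bytes(u, "big")  # block = U1 xor U2 xor ... xor Uc
        out += acc.to_bytes(keyed.digest_size, "big")
        block += 1
    return out[:length]


def hash_password(password: str, iterations: int = 1000, length: int = 16):
    """Return (salt, hash) using a fresh random salt for this password."""
    salt = os.urandom(16)
    return salt, pbkdf2(password.encode(), salt, iterations, length)


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = 1000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2(password.encode(), salt, iterations, len(stored))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed inputs: the strings and settings from the post's example.
    mine = pbkdf2(b"password", b"key", 1000, 16, "md5")
    assert mine == hashlib.pbkdf2_hmac("md5", b"password", b"key", 1000, 16)
    salt, stored = hash_password("password")
    print(verify_password("password", salt, stored),
          verify_password("Password", salt, stored))
```

The inner loop is where the Iterations cost comes from: every guess an attacker tries has to repeat the same chain of HMAC calls.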