How to decrypt a string encrypted with HMACSHA1?

Just to expand on Jon's answer, because you're probably wondering what the point is of encrypting something that you can't decrypt - HMAC-SHA1 is, as Jon said, a hash. The string produced does not contain the original information, even in encrypted form... It's just a sequence of bytes.

The beauty of the hash however is that any sort of change you might make in the string will almost certainly result in a change in the hash result, and the hash result tends to be fairly small. For this reason, hashes are often used to ensure that a piece of information has not been tampered with.

For instance,

I want to send Jon here a message - and I want him to be confident that one of his mates hasn't changed the message prior to his reading it. I can't just take the hash of my message and send that along, because all a trouble causer would have to do is replace the message with one of their own, and provide an appropriate hash...

However, if I supply my message with a hash not of the message itself, but rather of the message with a few specific extra bytes that Jon and I have agreed on in advance, the trouble maker is defeated. Jon knows to add the extra bytes (commonly known as salting the hash) before he hashes my message, but the trouble causer doesn't - so if he changes the message, even though he works out his own hash, Jon can see that something is amiss...

Encryption / Hashes are a fiddly business, and I've barely scratched the surface myself - but I thought this might give you a simple example of what hashes are used for...

Another very common use is for maintaining site membership information - people don't store the password, but rather the hash of the password. This means that even if someone manages to nick your user data, they are not able to use it to log into your system.

Martin
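
The exchange described in the answer above, as an added example that is not part of the original answers. It uses Python's standard `hmac` module, which mixes the shared key in with HMAC's keyed construction rather than by appending bytes to the message; the key, the messages and the function names `sign`, `verify` and `demo` are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample value: the shared key is made up for this example.
SHARED_KEY = b"key-agreed-in-advance-by-both-parties"


def sign(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the HMAC-SHA1 tag that travels with the message."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the same key and compare.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a supplied tag were correct.
    """
    expected = hmac.new(key, message, hashlib.sha1).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    message = b"Meet at 10:00 in room 4"  # constructed sample message
    tag = sign(SHARED_KEY, message)

    # The message is replaced in transit by someone who does not hold the key.
    # They can supply a plain SHA-1 of the new text, or an HMAC under a guess.
    altered = b"Meet at 22:00 in room 9"
    unkeyed_tag = hashlib.sha1(altered).digest()
    wrong_key_tag = sign(b"guessed-key", altered)

    return {
        "genuine": verify(SHARED_KEY, message, tag),
        "altered_original_tag": verify(SHARED_KEY, altered, tag),
        "altered_unkeyed_tag": verify(SHARED_KEY, altered, unkeyed_tag),
        "altered_wrong_key_tag": verify(SHARED_KEY, altered, wrong_key_tag),
        # The tag is always 20 bytes, whatever the message length, so it
        # cannot carry the message and there is nothing in it to decrypt.
        "tag_lengths": {len(sign(SHARED_KEY, b"x" * n)) for n in (0, 1, 1000)},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver never reverses the tag: verification is a second computation with the same key followed by a comparison.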


HMAC-SHA1 is a one-way hash, not a bidirectional encryption algorithm. You can't decrypt it. I don't have time to provide full encryption code here - it's a complicated topic, but Barry Dorrans' "Beginning ASP.NET Security" would give you a good starting point. (Only some of it is ASP.NET-specific.) You could also watch his DDD talk on the topic.


A simple one-way hash explanation as to why people would want to do it.

Let's say you have a user account with the username John and password Doe. You store the hash of the following string.

First name, your favorite number, and their selected password

for example: hash= myHash("john7@password")

             now hash = "qk239qa*@$)(*84509053903" or whatever

Now that hash is secure and can't be reversed back to figure out what your favorite number is in most cases. To check if the hash is the right one for logging in, you'd re-hash the supplied input (name, your number or w/e, password) and if you get the same exact hash, it's a valid deal. wo0t isn't it completely simple!

--should I use the same key to re-hash my data?