C#, encryption, and generating a key


David

Does anyone have a good method for generating an encryption key, used
by the .NET system, from a key phrase entered by the user? E.g., one that
will allow the user to enter the same value and get the same key?

Thanks
 
Try the PasswordDeriveBytes class.
That's your easiest bet. Of course, you could do it manually, but getting
the algorithm down to where you could mitigate some of the dictionary and
cryptanalysis attacks is tricky.

-Rob Teixeira [MVP]
 
Rob Teixeira said:
Try the PasswordDeriveBytes class.
That's your easiest bet. Of course, you could do it manually, but getting
the algorithm down to where you could mitigate some of the dictionary and
cryptanalysis attacks is tricky.

-Rob Teixeira [MVP]

To do this manually, you would use SHA-1 and do the following

EncryptionKey = SHA-1(SHA-1(Supplied Passphrase) || Supplied Passphrase)

Why use SHA-1 twice? Unfortunately, SHA-1 (and MD5 for that matter) are
susceptible to message extension attacks. It's not obvious how one would
use a message extension attack on a passphrase construction but that's not
the point. It's a known weakness so it's best to eliminate it anyway because
someone much smarter than you might work out how to use message extension in
your system.

Simon.
 
While this approach is strongER, it is still susceptible to dictionary
attacks. This is why strong password-derived algorithms usually take seed
values in addition to the passphrase, use keyed hashes (instead of an
unkeyed hash like SHA), and run through several iterations using derived
feedback, or run through several iterations of a Feistel network-type
algorithm.

-Rob Teixeira [MVP]
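
Added example, not part of the thread and not code from any of the posters: PBKDF2 is one standard construction with the properties listed in the last reply (a seed/salt, a keyed hash via HMAC, many feedback iterations), and .NET exposes it as `Rfc2898DeriveBytes`. The sketch assumes .NET 6 or later; the class name `PassphraseKey`, the sample passphrase, and the salt size, key size and iteration count are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;

public static class PassphraseKey
{
    // Assumed parameters for this example; raise Iterations as far as your latency budget allows.
    const int SaltBytes = 16;
    const int KeyBytes = 32;        // 256-bit key, e.g. for AES-256
    const int Iterations = 600_000;

    // The salt is random, generated once per protected item, and is not secret:
    // store it in the clear next to the ciphertext so the key can be re-derived later.
    public static byte[] NewSalt() => RandomNumberGenerator.GetBytes(SaltBytes);

    // PBKDF2 with HMAC-SHA256: same passphrase + same salt + same iteration count
    // always yields the same key, which is what the original question asks for.
    public static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations,
                                  HashAlgorithmName.SHA256, KeyBytes);

    public static void Main()
    {
        const string passphrase = "correct horse battery staple"; // constructed sample input

        byte[] salt = NewSalt();
        byte[] first = DeriveKey(passphrase, salt);      // at encryption time
        byte[] again = DeriveKey(passphrase, salt);      // user re-enters the phrase later
        byte[] other = DeriveKey(passphrase, NewSalt()); // same phrase, different stored salt

        Console.WriteLine($"stored salt            : {Convert.ToHexString(salt)}");
        Console.WriteLine($"same phrase, same salt : keys equal = " +
                          CryptographicOperations.FixedTimeEquals(first, again));
        Console.WriteLine($"same phrase, new salt  : keys equal = " +
                          CryptographicOperations.FixedTimeEquals(first, other));

        // Wipe key material once it is no longer needed.
        CryptographicOperations.ZeroMemory(first);
        CryptographicOperations.ZeroMemory(again);
        CryptographicOperations.ZeroMemory(other);
    }
}
```

The per-item salt means a precomputed dictionary cannot be reused across users or files, and the iteration count multiplies the cost of every guess an attacker makes against the stored data.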
 