C# Security programming problem

P

pei_world

Hi there,

I am using the following code to produce a encryption key for my password.
//===========================================================
password = "a password";
....
...

System.Text.UTF8Encoding enc = new System.Text.UTF8Encoding();
Rijndael crypt = Rijndael.Create();
byte[] salt = new byte[8];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(salt);
PasswordDeriveBytes pdb = new PasswordDeriveBytes(password,salt);

byte[] key = pdb.GetBytes(16);

crypt.Key = key;
crypt.IV = new byte[16];
//==================================================================
my problem is that since salt produce randomly everytime,
how does people using it to decrypt message?
Is there any way I can produce the same encrypted password
or get back original password by decrypt the key?

thank

pei
 
M

mikeb

pei_world said:
Hi there,

I am using the following code to produce a encryption key for my password.
//===========================================================
password = "a password";
....
...

System.Text.UTF8Encoding enc = new System.Text.UTF8Encoding();
Rijndael crypt = Rijndael.Create();
byte[] salt = new byte[8];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(salt);
PasswordDeriveBytes pdb = new PasswordDeriveBytes(password,salt);

byte[] key = pdb.GetBytes(16);

crypt.Key = key;
crypt.IV = new byte[16];
//==================================================================
my problem is that since salt produce randomly everytime,
how does people using it to decrypt message?
Is there any way I can produce the same encrypted password
or get back original password by decrypt the key?
Click to expand...

You need to store the salt - either with the user's 'profile' data or
with the encrypted data.

The salt is not considered a secret - it's purpose is to prevent
dictionary attacks against the hashed password.
 
C

Chad Myers

pei_world said:
Hi there,

I am using the following code to produce a encryption key for my password.
//===========================================================
password = "a password";
....
...

System.Text.UTF8Encoding enc = new System.Text.UTF8Encoding();
Rijndael crypt = Rijndael.Create();
byte[] salt = new byte[8];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(salt);
PasswordDeriveBytes pdb = new PasswordDeriveBytes(password,salt);

byte[] key = pdb.GetBytes(16);

crypt.Key = key;
crypt.IV = new byte[16];
//==================================================================
my problem is that since salt produce randomly everytime,
how does people using it to decrypt message?
Is there any way I can produce the same encrypted password
or get back original password by decrypt the key?

thank

pei
Click to expand...


Some people just hard-code the SALT as it's not really any help towards
security. If you're an NSA super-secure app developer, then maybe, but
otherwise the encryption is pretty good by itself.

-c
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Using RijndaelManaged 3
ZeroMemory 7
How comes this crypto method does not work (Rijndael) 5
Web app security 4
Simple file encryption decryption problem in C# 2
MD5 Problem 2
how to verify signature with DSACryptoServiceProvider 0
Same encryption codes cannot decrypt password from .NET 1.0 to 2.0 4

Top