Using RijndaelManaged

melon

I need to store some password on a text file. I was trying to use
some kind of encryption to encrypt the password from plain text. I
found the code below off the web, which works great.

But the problem is, I need to specify both the "password" (which is an
encryption key I assume) and the salt. What will be the best way to
generate and store them? Right now I just hard code the key and salt,
but I am concerned about the security.

// Requires: using System; using System.IO;
//           using System.Security.Cryptography; using System.Text;

public static String Encrypt(String data, String password)
{
    if (data == null)
        throw new ArgumentNullException("data");
    if (password == null)
        throw new ArgumentNullException("password");
    // Encrypt the UTF-8 bytes and return the ciphertext as Base64 text.
    byte[] encBytes = EncryptData(Encoding.UTF8.GetBytes(data), password,
                                  PaddingMode.ISO10126);
    return Convert.ToBase64String(encBytes);
}

public static byte[] EncryptData(byte[] data, String password,
                                 PaddingMode paddingMode)
{
    if (data == null || data.Length == 0)
        throw new ArgumentNullException("data");
    if (password == null)
        throw new ArgumentNullException("password");
    // Key and IV both come from the bytes derived from password + fixed salt.
    PasswordDeriveBytes pdb =
        new PasswordDeriveBytes(password, Encoding.UTF8.GetBytes("Salt"));
    using (RijndaelManaged rm = new RijndaelManaged())
    {
        rm.Padding = paddingMode;
        // First 16 derived bytes are the key, the next 16 are the IV.
        using (ICryptoTransform encryptor =
                   rm.CreateEncryptor(pdb.GetBytes(16), pdb.GetBytes(16)))
        using (MemoryStream msEncrypt = new MemoryStream())
        using (CryptoStream encStream =
                   new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
        {
            encStream.Write(data, 0, data.Length);
            encStream.FlushFinalBlock();
            return msEncrypt.ToArray();
        }
    }
}
 
rossum

> I need to store some password on a text file.

Not a good idea if you can possibly avoid it. If the password is for
your own application then you may only need to store a hash of the
password, rather than the password itself. If the password is for
entry into another application then you do have to store it.

> I was trying to use some kind of encryption to encrypt the password
> from plain text. I found the code below off the web, which works great.
>
> But the problem is, I need to specify both the "password" (which is an
> encryption key I assume) and the salt.

If you are encrypting something then you will need a key to encrypt
and decrypt it - that is indeed what "password" is. Salt is just a
random string, though at first glance it looks more like an
Initialisation Vector (IV) than salt.

http://en.wikipedia.org/wiki/Initialization_vector

http://en.wikipedia.org/wiki/Salt_(cryptography)

> What will be the best way to
> generate and store them? Right now I just hard code the key and salt,
> but I am concerned about the security.

As you have noticed, there is an infinite regress of keys to decrypt
keys to decrypt keys... One solution is System.Security.SecureString.
It is not perfect, but it does store your password in encrypted form
without getting into an infinite regress. The major issue is getting
your password back out again if you need it; you have to use something
like Marshal.SecureStringToBSTR and unmanaged memory to extract the
password.

rossum
Arne Vajhøj

melon said:
I need to store some password on a text file. I was trying to use
some kind of encryption to encrypt the password from plain text. I
found the code below off the web, which works great.

But the problem is, I need to specify both the "password" (which is an
encryption key I assume) and the salt. What will be the best way to
generate and store them? Right now I just hard code the key and salt,
but I am concerned about the security.

I think you can live with the fixed salt. The core problem is
the password.

The .NET EXE can be decompiled and a hardcoded password be
revealed in 10 seconds.

The simplest solution is to have the user enter the password.

Arne
 
Arne Vajhøj

rossum said:
Salt is just a
random string, though at first glance it looks more like an
Initialisation Vector (IV) than salt.

No.

bytes = f(password, salt)
key = bytes
iv = bytes

Arne
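
Added example, not code from any poster in this thread: the same Encrypt shape with the password supplied by the user at run time, as suggested above, and key = f(password, salt) computed with a fresh random salt for every record. PBKDF2 and AES-GCM are substituted here for PasswordDeriveBytes and RijndaelManaged; the class name, record layout and iteration count are assumptions, and the code assumes .NET 8 or later.

```csharp
// Added example, not code from the thread. Assumes .NET 8 or later.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
public static class PasswordFileCrypto   // hypothetical name
{
    // Sizes and iteration count are choices made for this example.
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    const int Iterations = 600_000;

    // key = f(password, salt), with PBKDF2-HMAC-SHA256 as f.
    static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                  HashAlgorithmName.SHA256, KeySize);

    // Returns Base64(salt || nonce || tag || ciphertext); salt and nonce are not secret.
    public static string Encrypt(string data, string password)
    {
        ArgumentNullException.ThrowIfNull(data);
        ArgumentNullException.ThrowIfNull(password);
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);   // new per record
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // never reused
        byte[] plain = Encoding.UTF8.GetBytes(data);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(DeriveKey(password, salt), TagSize))
            aes.Encrypt(nonce, plain, cipher, tag);
        return Convert.ToBase64String(
            salt.Concat(nonce).Concat(tag).Concat(cipher).ToArray());
    }

    // Throws CryptographicException on a wrong password or a modified record.
    public static string Decrypt(string stored, string password)
    {
        byte[] blob = Convert.FromBase64String(stored);
        int header = SaltSize + NonceSize + TagSize;
        if (blob.Length < header)
            throw new CryptographicException("Record is truncated.");
        byte[] salt = blob[..SaltSize];
        byte[] nonce = blob[SaltSize..(SaltSize + NonceSize)];
        byte[] tag = blob[(SaltSize + NonceSize)..header];
        byte[] cipher = blob[header..];
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(DeriveKey(password, salt), TagSize))
            aes.Decrypt(nonce, cipher, tag, plain);
        return Encoding.UTF8.GetString(plain);
    }
}
```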
 
