PasswordDeriveBytes doesn't change output when Salt changes.

  • Question

  • Our app doesn't require 'super' security; I'm just trying to implement something basic so that we don't store passwords to the application in plain text; I figured just salting the password would work fine...

    Here's the code:

    using System;
    using System.Text;
    using System.Security.Cryptography;

    // Derives a 3DES key from the password; Settings.Default.DefaultSalt is the app's config-driven salt.
    static byte[] DeriveKey(string value)
    {
        byte[] valueAsBytes = Encoding.Unicode.GetBytes(value.ToCharArray());
        byte[] saltAsBytes = Encoding.Unicode.GetBytes(Settings.Default.DefaultSalt);

        PasswordDeriveBytes passwordBytes = new PasswordDeriveBytes(valueAsBytes, saltAsBytes);
        TripleDESCryptoServiceProvider tripleDesProvider = new TripleDESCryptoServiceProvider();
        byte[] returnValue = passwordBytes.CryptDeriveKey("TripleDES", "SHA1", 192, tripleDesProvider.IV);

        ClearBytes(valueAsBytes);
        ClearBytes(saltAsBytes);

        return returnValue;
    }

    // Wipes a buffer so the password and salt don't linger in memory (assumed definition; the helper was not shown in the post).
    static void ClearBytes(byte[] buffer) { Array.Clear(buffer, 0, buffer.Length); }

    No matter what the salt is or the IV on the 3DES, the output of CryptDeriveKey is the same for the text being passed in. It seems like if I change the salt, I should get something different back; same if I change the IV.

    Obviously I'm doing something wrong, but I'm a novice at the security namespace and the help files are pretty obscure; in fact this code was basically pulled from the help file, but instead of creating a random salt, I use a config-file-driven one.

    Thanks.

    Monday, February 11, 2008 10:05 PM
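The behaviour in the question is how PasswordDeriveBytes.CryptDeriveKey works: it wraps the CryptoAPI function of the same name, which derives the key from a hash of the password alone, so the salt and iteration count given to the constructor only influence GetBytes. The following is an added example, not code from the original post, showing a salt-sensitive derivation with Rfc2898DeriveBytes (PBKDF2); it assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals, and the class name, parameter values and sample salts are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SaltedPasswordStore
{
    // Parameters chosen for this example (assumed, not from the original post).
    const int SaltSize = 16;        // 128-bit random salt, one per stored password
    const int KeySize = 32;         // 256-bit derived key
    const int Iterations = 100_000; // PBKDF2 work factor

    // PBKDF2-HMAC-SHA256 mixes the salt into the derivation, so the same
    // password with a different salt yields a different key.
    public static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(KeySize);
        }
    }

    // Generate a fresh random salt and return "salt:key" (Base64) for storage.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] key = Derive(password, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(key);
    }

    // Re-derive with the stored salt and compare in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        return CryptographicOperations.FixedTimeEquals(Derive(password, salt), expected);
    }

    static void Main()
    {
        byte[] saltA = Encoding.Unicode.GetBytes("salt-one"); // constructed sample salts
        byte[] saltB = Encoding.Unicode.GetBytes("salt-two");
        bool differ = Convert.ToBase64String(Derive("hunter2", saltA)) != Convert.ToBase64String(Derive("hunter2", saltB));
        Console.WriteLine("same password, different salt, keys differ: " + differ);
        string record = Hash("hunter2");
        Console.WriteLine("correct password verifies: " + Verify("hunter2", record));
        Console.WriteLine("wrong password verifies:   " + Verify("hunter3", record));
    }
}
```

Store the salt next to the derived key rather than a single config-wide salt, so two users with the same password do not produce the same stored value.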