PasswordDeriveBytes doesn't change output when Salt changes.

Question

Our app doesn't require 'super' security; I'm just trying to implement something basic so that we don't store passwords to the application in plain text; I figured just salting the password would work fine...


    Here's the code:

    using System.Security.Cryptography;
    using System.Text;

    // Posted code, wrapped in a method so it compiles; behaviour unchanged.
    static byte[] DeriveKey(string value)
    {
        byte[] valueAsBytes = Encoding.Unicode.GetBytes(value.ToCharArray());
        byte[] saltAsBytes = Encoding.Unicode.GetBytes(Settings.Default.DefaultSalt);

        PasswordDeriveBytes passwordBytes = new PasswordDeriveBytes(valueAsBytes, saltAsBytes);
        TripleDESCryptoServiceProvider tripleDesProvider = new TripleDESCryptoServiceProvider();

        // 192-bit TripleDES key derived through CryptDeriveKey, passing the provider's IV
        byte[] returnValue = passwordBytes.CryptDeriveKey("TripleDES", "SHA1", 192, tripleDesProvider.IV);
        return returnValue;
    }


    No matter what the salt is or the IV on the 3DES, the output of CryptDeriveKey is the same for the text being passed in. It seems like if I change the salt, I should get something different back; same if I change the IV.


    Obviously I'm doing something wrong, but I'm a novice at the security namespace and the help files are pretty obscure; in fact this code was basically pulled from the help file, but instead of creating random salt, I use a config file driven one.



    Monday, February 11, 2008 10:05 PM