how to use rfc2898derivebytes class in a validation-login system

  • Question

  • I am reading an article about how to use password hashing to protect user passwords, and it said that using the PBKDF2 algorithm will make the hashing process slower and more difficult to crack. I have seen the example on MSDN about the Rfc2898DeriveBytes class, but I don't understand how to use this class in my case. Can anyone give a simple and clear example? Thanks.
    Sunday, June 11, 2017 4:18 PM

All replies

  • Hi ya hello, 

    Thank you for posting here.

    For your question, you could refer to the following code.

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    class Program
    {
        static void Main(string[] args)
        {
            // Create a byte array to hold the random salt.
            byte[] salt1 = new byte[8];
            using (RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider())
            {
                // Fill the array with a cryptographically random value.
                rngCsp.GetBytes(salt1);
            }
            string data = "welcome";
            byte[] plainText1 = new UTF8Encoding(false).GetBytes(data);
            byte[] cipherText1 = EncryptRfc(plainText1, "hello", salt1);
            Console.WriteLine(Convert.ToBase64String(cipherText1));
        }

        public static byte[] EncryptRfc(byte[] plainText, string password, byte[] salt)
        {
            // PBKDF2 with the default 1000 iterations: first 32 bytes become the key,
            // the next 16 bytes become the IV.
            var keyGen = new Rfc2898DeriveBytes(password, salt);
            var key = keyGen.GetBytes(32);
            var iv = keyGen.GetBytes(16);

            var cipher = new RijndaelManaged { Key = key, IV = iv };

            byte[] cipherText;
            using (var encryptor = cipher.CreateEncryptor())
            {
                using (var ms = new MemoryStream())
                {
                    using (var cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
                    {
                        cs.Write(plainText, 0, plainText.Length);
                        cs.FlushFinalBlock();
                        cipherText = ms.ToArray();
                    }
                }
            }
            return cipherText;
        }
    }

    Here are three steps for understanding.

    • Derive the encryption key and IV from the password and salt.
    • Create a new instance of the encryptor with the key and IV.
    • Encrypt the plaintext.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, June 12, 2017 9:24 AM
    Moderator
  • I just want to store the user password more safely when a new user registers. I don't want to use the password to encrypt data; instead I want the user password itself to be encrypted.

    I thought about this question again last night and I found an overloaded constructor that receives a byte array password, a byte array salt, and an integer iteration parameter.

    I plan to pass the user password, the generated salt and the iteration count to the constructor of the Rfc2898DeriveBytes class, then use the GetBytes method to get a key and store this key in the database. Is this process safe? And if this process is safe, my question becomes: when this user tries to log in, how do I use the key in the database to validate the user's identity?

    Monday, June 12, 2017 4:17 PM
  • Hi ya hello,

    For Rfc2898DeriveBytes, it also needs a password. It implements password-based key derivation functionality.

    As I know, HashAlgorithm would be better. The password the user inputs will be known as a hash value, and the password stored on the website is a hash value as well. The website checks the password by comparing hash values.

    It is a one-way function and cannot be decrypted.

    Best Regards,

    Wendy


    MSDN Community Support

    Wednesday, June 14, 2017 9:14 AM
    Moderator