14

Walking through some cryptography stuff, I saw that RNGCryptoServiceProvider has 2 methods:

RNGCryptoServiceProvider.GetNonZeroBytes

and

RNGCryptoServiceProvider.GetBytes 

And so I ask :

What is odd about filling an array of bytes with a cryptographically strong sequence of random values, some (0 or more) of which are zeros? (They are random values and apparently there won't be many zeros, and still zero is also a regular number.)

Why did they create the distinction?

annonymously
Royi Namir

1 Answer

17

Within the .NET framework, GetNonZeroBytes(byte[]) is used when generating PKCS#1 padding for RSA encryption, which uses 0x00 as a separator.

Using a tool like Reflector, you can see it used in RSAPKCS1KeyExchangeFormatter.CreateKeyExchange(byte[]) to implement padding as per RFC 2313, section 8.1.2 (RFC 3218 has some nice ASCII art that demonstrates the byte layout more clearly).

GetNonZeroBytes(byte[]) could also be used to generate salt. The Cryptography StackExchange site has a similar question which suggests that avoiding 0x00 is to help with libraries and APIs that may treat the salt as a zero-terminated string, which would accidentally truncate the salt. However, unless one is using P/Invoke, this is unlikely to be a concern in .NET.

Community
Ashley Ross
  • 2
    Salt is just adding difficulty to rainbow tables. It can be done with GetBytes also... right? – Royi Namir Oct 04 '12 at 07:45
  • 1
    Correct, so long as you're sure that none of the places that use or store the salt have a problem with `0x00`. If unsure, you could always test it first with some salt that specifically contains `0x00` bytes. – Ashley Ross Oct 04 '12 at 07:47
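
The RFC 2313 block type 02 layout the answer refers to, as an added C# example that is not part of the original answer or the .NET source: it pads a payload with either method and counts how often the decoder fails to recover it. The class name, the 128-byte block size and the sample payload are assumptions, and it calls the base-class `RandomNumberGenerator.Create()` rather than `RNGCryptoServiceProvider` directly.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// RFC 2313 section 8.1 encryption block, block type 02:
//   EB = 00 || 02 || PS || 00 || D
// The first 0x00 after the header is the only marker of where PS ends.
static class Pkcs1Type2Demo
{
    // k = modulus length in bytes; PS must be at least 8 bytes long.
    public static byte[] Pad(byte[] data, int k, bool nonZeroPadding)
    {
        if (data.Length > k - 11) throw new ArgumentException("data too long");
        byte[] ps = new byte[k - 3 - data.Length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            if (nonZeroPadding) rng.GetNonZeroBytes(ps); // what the format requires
            else rng.GetBytes(ps);                       // may emit 0x00 inside PS
        }
        byte[] eb = new byte[k];                         // eb[0] is already 0x00
        eb[1] = 0x02;
        Buffer.BlockCopy(ps, 0, eb, 2, ps.Length);       // eb[2 + ps.Length] stays 0x00
        Buffer.BlockCopy(data, 0, eb, 3 + ps.Length, data.Length);
        return eb;
    }

    // Format demonstration only: a production decoder must not reveal which check failed.
    public static byte[] Unpad(byte[] eb)
    {
        if (eb.Length < 11 || eb[0] != 0x00 || eb[1] != 0x02)
            throw new CryptographicException("bad header");
        int sep = Array.IndexOf(eb, (byte)0x00, 2);      // first zero after the header
        if (sep < 10) throw new CryptographicException("separator missing or PS too short");
        return eb.Skip(sep + 1).ToArray();
    }

    static void Main()
    {
        byte[] data = Enumerable.Range(1, 16).Select(i => (byte)i).ToArray(); // constructed sample
        foreach (bool nonZero in new[] { true, false })
        {
            int failures = 0;
            for (int trial = 0; trial < 10000; trial++)
            {
                try { if (!Unpad(Pad(data, 128, nonZero)).SequenceEqual(data)) failures++; }
                catch (CryptographicException) { failures++; }
            }
            Console.WriteLine($"{(nonZero ? "GetNonZeroBytes" : "GetBytes")}: {failures} failed round trips");
        }
    }
}
```

With a 128-byte block and a 16-byte payload, PS is 109 bytes long, so `GetBytes` places at least one `0x00` inside it with probability 1 − (255/256)^109, roughly 35%; each such block is either rejected or decoded to the wrong data.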