
Currently, I am working on a .NET application that needs encryption of the data that gets stored in a SQL Server 2008 database.

I used AES Encryption and the key is generated using a password and salt combination that are hashed using SHA1 by PasswordDeriveBytes. Now, I need to change the hash algorithm to SHA256 and as far as I know PasswordDeriveBytes accepts only MD5 and SHA1 as hash parameters. I just want to know if I can use PasswordDeriveBytes for implementing SHA256.

If not, what's the alternative inbuilt class in .NET for the same purpose? Can I implement it manually? If implementing manually is the only solution, I may need help doing that. Thanks in advance.

valyrian

1 Answer


The alternative is Rfc2898DeriveBytes. It is much safer to use, especially if you require more than 20 bytes of output. It is of course not compatible with PasswordDeriveBytes. PasswordDeriveBytes is simply broken for any value over 20 bytes. Unfortunately PBKDF2 also has a drawback: it repeats all the iterations for any value over the hash size. In that case you may want to pair it with a KBKDF.

So it seems you cannot do this without reverting to an additional library. That's where Bouncy Castle may come in. It has a PBKDF2 functionality that you can simply initialize with a HMAC, which in turn you can initialize with a given hash algorithm. Please see the use of PBKDF2 in this stackoverflow question. You can simply replace the digest with Sha256Digest and you should be on your way.

Note: nothing is simple in crypto, it seems you need the bouncy source to achieve this.

Maarten Bodewes
  • It doesn't support SHA-256 either, and reading >20 bytes may be safer, but it's still a bad idea to read more than the hash size from PBKDF2. – CodesInChaos Feb 22 '13 at 09:18
  • That's exactly what I want: An algorithm that will implement what PasswordDeriveBytes does to the password and salt using SHA1, but it should go ahead with SHA256. Is there a way? – valyrian Feb 22 '13 at 11:20
  • CodesInChaos, what algorithm does Rfc2898DeriveBytes use to password + salt? I'm asking because there is no specification of the Hash Algorithm in its constructor. – valyrian Feb 22 '13 at 11:30
  • @CodesInChaos it's much safer because it doesn't at least *repeat* byte values like `PasswordDeriveBytes` does, although I agree that using a KBKDF is probably better instead (as indicated in another comment some time ago :) ). PasswordDeriveBytes is positively *broken* when used for values over 20 bytes. – Maarten Bodewes Feb 22 '13 at 11:39
  • @SalihdeenRM `Rfc2898DeriveBytes` is much more secure than `PasswordDeriveBytes`, but I agree that the M$ implementation still uses SHA-1 to implement the HMAC used. That *is* in the class specification at least. You may want to revert to e.g. Bouncy Castle for an implementation that uses other hash algorithms. Note that the type of hash used is not that much of an influence on the security of PBKDF2, so unless you have special reasons to deploy SHA-256, it should be OK. – Maarten Bodewes Feb 22 '13 at 11:42
  • 1
    `Rfc2898DeriveBytes` is PBKDF2-HMAC-SHA-1, `PasswordDeriveBytes` is PBKDF1. – CodesInChaos Feb 22 '13 at 11:47
  • I don't have any special reasons to use SHA-256 other than that I was asked to. Are you trying to suggest that as the real encryption of data is handled using AES, and SHA-1 is used only to generate a p+s combination, SHA-1 is fine in spite of the theoretical attack? (the fact behind which I was asked to change the algorithm from SHA-1 to SHA-256) – valyrian Feb 22 '13 at 11:50
  • One reason to go with SHA-256 would be to generate one key of 192 or 256 bits without requiring double the processing time. Or to generate two keys of 128 bytes (e.g. when you require an additional key to perform a MAC over a ciphertext). Amended answer for Rfc2898DeriveBytes with HMAC-SHA256 using Bouncy Castle libs. I would really recommend to move away from `PasswordDeriveBytes`, PBKDF1 is deprecated and the implementation by Microsoft is more than terrible. – Maarten Bodewes Feb 22 '13 at 11:54
  • 2
    @SalihdeenRM The collision attacks on SHA-1 do not apply to password hashing. – CodesInChaos Feb 22 '13 at 11:54
  • @SalihdeenRM a KBKDF is a key based key derivation function. You use it when you have a key seed that is already cryptographically secure. For this reason it does not need to do salting or iterations and is therefore much faster than a PBKDF, a password based key derivation function. As the output of PBKDF should be relatively secure, you can use it as an input for a KBKDF, to either expand the key (generate more bits) or to derive more keys. – Maarten Bodewes Feb 22 '13 at 11:57
  • @CodesInChaos that definitely helped. I think I shall stay with SHA-1 because I'm using it just to derive the password. – valyrian Feb 22 '13 at 12:06
  • @owlstead can you elaborate on how I can implement KBKDF and is there a Microsoft implementation for the same in .NET? – valyrian Feb 22 '13 at 12:07
  • Can't seem to find any, KDF's in general receive too little attention. It's relatively easy to implement though, HKDF and the KDF's in SP 800-108 are well described. I'm in the process of adding them into Bouncy Castle for Java (should really submit the code this weekend), C# may follow after, I don't know. For now, you may be better off using a bigger output of PBKDF2 with Bouncy when required. Note that AES-128 is pretty secure already, so if you just need a single key then you are already pretty safe from harm if you apply PBKDF1 or PBKDF2 correctly. – Maarten Bodewes Feb 22 '13 at 12:13
  • 1
    @owlstead an important distinction, the current binary release of bouncy castle for .net does not let you replace the hash algorithm, but the head of the source tree does. – jbtule Feb 22 '13 at 13:55
  • @jbtule didn't understand that, mate! – valyrian Feb 22 '13 at 15:03
  • @SalihdeenRM Explanation: you can grab the head of the source tree from the versioning system used by Bouncy C#, and compile both your code and the Bouncy library. Then it should work. It may not work when you just download the library. – Maarten Bodewes Feb 25 '13 at 02:15
  • @owlstead is Bouncy library a part of official .NET Framework? I ask this because the way you describe it makes it sound like Open Source. But .NET is not! – valyrian Feb 25 '13 at 04:24
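The question asks whether PBKDF2 with SHA-256 can be implemented by hand, and the comments go on to explain why reading more than one hash length from PBKDF2 is wasteful and suggest a KBKDF (HKDF or SP 800-108) for expanding the result. The following is an added example that is not code from the question, the answer, or Bouncy Castle: it implements PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2) directly on `System.Security.Cryptography.HMACSHA256`, then uses HKDF-Expand (RFC 5869 section 2.3) as the KBKDF step to turn one 32-byte PBKDF2 block into a separate AES key and MAC key. The class name `KeyDerivation`, the method names, the info labels and the sample password are assumptions made for this example; the known-answer vector in `Main` is the PBKDF2-HMAC-SHA-256 test vector published in RFC 7914 section 11.

```csharp
// Added example (not from the question, the answer, or Bouncy Castle):
// PBKDF2-HMAC-SHA256 on top of HMACSHA256, plus HKDF-Expand as a KBKDF.
using System;
using System.Security.Cryptography;
using System.Text;

public static class KeyDerivation
{
    // PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA256 as the PRF. Every 32-byte
    // output block costs `iterations` HMAC calls, which is the drawback the
    // answer mentions when more than one hash length is requested.
    public static byte[] Pbkdf2Sha256(byte[] password, byte[] salt, int iterations, int dkLen)
    {
        if (iterations < 1) throw new ArgumentOutOfRangeException("iterations");
        if (dkLen < 1) throw new ArgumentOutOfRangeException("dkLen");
        using (var hmac = new HMACSHA256(password))
        {
            int hLen = hmac.HashSize / 8;               // 32 bytes for SHA-256
            int blocks = (dkLen + hLen - 1) / hLen;     // ceil(dkLen / hLen)
            byte[] dk = new byte[dkLen];
            int written = 0;
            for (int i = 1; i <= blocks; i++)
            {
                // U_1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian counter
                byte[] u = new byte[salt.Length + 4];
                Buffer.BlockCopy(salt, 0, u, 0, salt.Length);
                u[salt.Length]     = (byte)(i >> 24);
                u[salt.Length + 1] = (byte)(i >> 16);
                u[salt.Length + 2] = (byte)(i >> 8);
                u[salt.Length + 3] = (byte)i;
                u = hmac.ComputeHash(u);
                byte[] t = (byte[])u.Clone();           // T_i = U_1 XOR U_2 XOR ... XOR U_c
                for (int c = 1; c < iterations; c++)
                {
                    u = hmac.ComputeHash(u);             // U_j = PRF(P, U_{j-1})
                    for (int k = 0; k < hLen; k++) t[k] ^= u[k];
                }
                int take = Math.Min(hLen, dkLen - written);
                Buffer.BlockCopy(t, 0, dk, written, take);
                written += take;
            }
            return dk;
        }
    }

    // HKDF-Expand (RFC 5869 section 2.3): stretches an already-uniform key
    // (here one PBKDF2 block) at one HMAC call per 32 bytes. The `info` label
    // keeps keys derived for different purposes cryptographically separate.
    public static byte[] HkdfExpandSha256(byte[] prk, byte[] info, int length)
    {
        using (var hmac = new HMACSHA256(prk))
        {
            int hLen = hmac.HashSize / 8;
            if (length < 1 || length > 255 * hLen) throw new ArgumentOutOfRangeException("length");
            byte[] okm = new byte[length];
            byte[] previous = new byte[0];
            int written = 0;
            for (byte i = 1; written < length; i++)
            {
                // T(i) = HMAC(PRK, T(i-1) || info || i), with T(0) empty
                byte[] input = new byte[previous.Length + info.Length + 1];
                Buffer.BlockCopy(previous, 0, input, 0, previous.Length);
                Buffer.BlockCopy(info, 0, input, previous.Length, info.Length);
                input[input.Length - 1] = i;
                previous = hmac.ComputeHash(input);
                int take = Math.Min(hLen, length - written);
                Buffer.BlockCopy(previous, 0, okm, written, take);
                written += take;
            }
            return okm;
        }
    }

    public static void Main()
    {
        // Known-answer check: PBKDF2-HMAC-SHA-256 vector from RFC 7914 section 11.
        byte[] dk = Pbkdf2Sha256(Encoding.UTF8.GetBytes("passwd"), Encoding.UTF8.GetBytes("salt"), 1, 64);
        const string expected = "55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc"
                              + "49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783";
        string actual = BitConverter.ToString(dk).Replace("-", "").ToLowerInvariant();
        Console.WriteLine("RFC 7914 vector: " + (actual == expected ? "OK" : "MISMATCH"));

        // Realistic use: a random 16-byte salt (stored beside the ciphertext), a high
        // iteration count, exactly one 32-byte PBKDF2 block, then HKDF-Expand for an
        // AES-256 key and a separate HMAC key. The password here is a constructed sample.
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] master = Pbkdf2Sha256(Encoding.UTF8.GetBytes("correct horse battery staple"), salt, 100000, 32);
        byte[] aesKey = HkdfExpandSha256(master, Encoding.UTF8.GetBytes("aes-256-cbc key"), 32);
        byte[] macKey = HkdfExpandSha256(master, Encoding.UTF8.GetBytes("hmac-sha256 key"), 32);
        Console.WriteLine("AES key: " + Convert.ToBase64String(aesKey));
        Console.WriteLine("MAC key: " + Convert.ToBase64String(macKey));
    }
}
```

Requesting only `hLen` bytes from `Pbkdf2Sha256` and expanding with `HkdfExpandSha256` keeps the expensive iteration loop to a single pass, which is the pairing of PBKDF2 with a KBKDF that the answer and comments describe; the salt and iteration count must be stored with the ciphertext so the same key can be rederived later.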