Does anyone know what type of encryption (salt+string) is used by .NET Identity? Our security folks want us to use at least SHA256. I know I can override their encryption, but would rather stick with what comes out of the box if possible.

Maarten Bodewes

1 Answer

It uses SHA1 for HMACSHA1, as it uses the standard Rfc2898DeriveBytes class if this answer is indeed correct.

Note that the use of SHA-1 for PBKDF2 is not really an issue with regard to cryptographic security. Note that SHA-1 or SHA-2 are both hash functions, not encryption.

Community
Maarten Bodewes
  • very good! Thanks for the quick feedback and the note of irony! – user3590468 Jun 11 '14 at 13:25
  • and actually they are worth their salt... it's just poor me who should have known the difference. – user3590468 Jun 11 '14 at 13:49
  • There is something to be said for using SHA-2 as hash function for everything. It makes it easier to validate the security for the entire project. But SHA-1 is the default for PBKDF2 and is likely not going to be a problem - at least not for retrieving relatively short key material. – Maarten Bodewes Jun 11 '14 at 14:11
  • If this answered your question, then don't forget to accept it. Or indicate why it doesn't otherwise, of course. – Maarten Bodewes Jul 03 '14 at 23:47
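
For the case where policy still requires SHA-256, here is an added example (not ASP.NET Identity's code and not part of the answer above) of PBKDF2 with HMAC-SHA256 through the same `Rfc2898DeriveBytes` class; it also verifies older HMAC-SHA1 records and flags them for rehashing. The class name, the `$`-separated storage format, the iteration count and the sizes are assumptions, and it assumes .NET Core 2.1 or later for the `HashAlgorithmName` constructor overload and `CryptographicOperations.FixedTimeEquals`.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not ASP.NET Identity's code. The class name, stored format
// and parameters below are assumptions chosen for illustration.
public static class Pbkdf2Sha256Hasher
{
    const int SaltBytes = 16, KeyBytes = 32;
    const int Iterations = 100_000; // assumed work factor; tune for your hardware

    // Stored form: "<prf>$<iterations>$<base64 salt>$<base64 subkey>"
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] key = Derive(password, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);
        return string.Join("$", "SHA256", Iterations, Convert.ToBase64String(salt), Convert.ToBase64String(key));
    }

    // Returns true on a match. needsRehash is set when the record uses weaker
    // parameters than the current policy (for example a legacy SHA1 record).
    public static bool Verify(string stored, string password, out bool needsRehash)
    {
        needsRehash = false;
        string[] p = stored.Split('$');
        if (p.Length != 4 || !int.TryParse(p[1], out int iters) || iters < 1) return false;
        // Allow-list the PRF: never pass an arbitrary stored name to the KDF.
        HashAlgorithmName prf;
        if (p[0] == "SHA256") prf = HashAlgorithmName.SHA256;
        else if (p[0] == "SHA1") prf = HashAlgorithmName.SHA1;
        else return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(p[2]); expected = Convert.FromBase64String(p[3]); }
        catch (FormatException) { return false; }
        if (salt.Length < 8 || expected.Length == 0) return false; // Rfc2898DeriveBytes needs >= 8 salt bytes
        byte[] actual = Derive(password, salt, iters, prf, expected.Length);
        bool ok = CryptographicOperations.FixedTimeEquals(actual, expected);
        needsRehash = ok && (p[0] != "SHA256" || iters < Iterations);
        return ok;
    }

    static byte[] Derive(string pw, byte[] salt, int iters, HashAlgorithmName prf, int len)
    {
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, iters, prf))
            return kdf.GetBytes(len);
    }
}
```

When `Verify` returns true with `needsRehash` set, call `Hash` on the password just supplied and replace the stored record, so legacy SHA-1 entries migrate at the next successful login.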