33

How to generate Rijndael KEY and IV using a passphrase? The key length must be in 256 bits.

Filburt
  • 17,626
  • 12
  • 64
  • 115
Predator
  • 1,267
  • 3
  • 17
  • 43
  • 3
    What language are you using? Which library? – uvesten Jun 26 '11 at 09:08
  • 2
    Thanks for all responses. My upvote for all. – Predator Jul 02 '11 at 09:50
  • 1
    Don't do this; learn how an IV actually works. See my response on the chosen answer for why this is an abysmal idea. – Rushyo Sep 24 '13 at 17:42
  • @Rushyo - Is Alex Aza's answer sufficient? My guess is that the reason for this question is that the ASP.Net Rijndael constructor expects both a key and an IV. – Spongeboy Sep 25 '13 at 03:56
  • 3
    @Spongeboy Nope. The fundamental premise of the question is wrong. You don't generate an IV from the same source as the key. You generate a _unique_ IV with no relationship to the key every time you encrypt a message, then include that IV with that message. It is impossible to both answer this question and provide a working solution as the question is based on false premises. – Rushyo Sep 25 '13 at 12:25
  • 1
    @Spongeboy In the case of C#, you can call the GenerateIV() method to get an appropriate IV. Then once you've encrypted the plaintext, add the IV as the first 16 bytes of the ciphertext. When you decrypt the ciphertext, pluck off the first 16 bytes and use those as the IV when decrypting. – Rushyo Sep 25 '13 at 12:32
  • Note: The above assumes Rijndael with a 128-bit block size (AES standard) in CBC mode. It's different if you change any of those factors. – Rushyo Sep 25 '13 at 12:59

6 Answers6

62

I think you are looking for password-based key derivation. There is Rfc2898DeriveBytes class that implements it.

Rfc2898DeriveBytes takes a password, a salt, and an iteration count, and then generates keys through calls to the GetBytes method.

RFC 2898 includes methods for creating a key and initialization vector (IV) from a password and salt. You can use PBKDF2, a password-based key derivation function, to derive keys using a pseudo-random function that allows keys of virtually unlimited length to be generated. The Rfc2898DeriveBytes class can be used to produce a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count.

For more information about PBKDF2, see RFC 2898, "PKCS #5: Password-Based Cryptography Specification Version 2.0,".

Example:

public static byte[] CreateKey(string password)
{
    var salt = new byte[] { 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 };

    const int Iterations = 9872;
    using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, Iterations))
        return rfc2898DeriveBytes.GetBytes(32);
}

You can use DeriveBytes in any symmetric algorithm, not just Rijndael.
Example:

public static SymmetricAlgorithm InitSymmetric(SymmetricAlgorithm algorithm, string password, int keyBitLength)
{
    var salt = new byte[] { 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 };

    const int Iterations = 234;
    using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, Iterations))
    {
        if (!algorithm.ValidKeySize(keyBitLength))
            throw new InvalidOperationException("Invalid size key");

        algorithm.Key = rfc2898DeriveBytes.GetBytes(keyBitLength / 8);
        algorithm.IV = rfc2898DeriveBytes.GetBytes(algorithm.BlockSize / 8);
        return algorithm;
    }
}

private static byte[] Transform(byte[] bytes, Func<ICryptoTransform> selectCryptoTransform)
{
    using (var memoryStream = new MemoryStream())
    {
        using (var cryptoStream = new CryptoStream(memoryStream, selectCryptoTransform(), CryptoStreamMode.Write))
            cryptoStream.Write(bytes, 0, bytes.Length);
        return memoryStream.ToArray();
    }
}

Usage:

public static void Main()
{
    using (var rijndael = InitSymmetric(Rijndael.Create(), "TestPassword", 256))
    {
        var text = "Some text to encrypt";
        var bytes = Encoding.UTF8.GetBytes(text);

        var encryptedBytes = Transform(bytes, rijndael.CreateEncryptor);
        var decryptedBytes = Transform(encryptedBytes, rijndael.CreateDecryptor);

        var decryptedText = Encoding.UTF8.GetString(decryptedBytes);
        Debug.Assert(text == decryptedText);
    }
}

Make sure you change salt and iterations parameters.

Alex Aza
  • 76,499
  • 26
  • 155
  • 134
  • Do you need to pass in a random salt for each usage of this method? Can you do this instead: Use a constant salt, just like in your example, but derive the IV separately, using a different password. For example, if you had a User record, could you derive the IV from a constant salt and the User's ID? That would avoid having to store the salt somewhere, and you could instead rely on existing data (in this one case) – John B Jan 30 '12 at 22:01
  • As mentioned in @Rushyo's comment on the question, the IV should not be derived from the password, rather, call GenerateIV, then pre-pend this to the encrypted string. – Spongeboy Sep 26 '13 at 00:54
44

This is plug and play code that I found on internet. It just works:

using System.IO;
using System.Security.Cryptography;

private static readonly byte[] SALT = new byte[] { 0x26, 0xdc, 0xff, 0x00, 0xad, 0xed, 0x7a, 0xee, 0xc5, 0xfe, 0x07, 0xaf, 0x4d, 0x08, 0x22, 0x3c };

public static byte[] Encrypt(byte[] plain, string password)
{
    MemoryStream memoryStream;
    CryptoStream cryptoStream;
    Rijndael rijndael = Rijndael.Create();
    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
    rijndael.Key = pdb.GetBytes(32);
    rijndael.IV = pdb.GetBytes(16);
    memoryStream = new MemoryStream();
    cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write);
    cryptoStream.Write(plain, 0, plain.Length);
    cryptoStream.Close();
    return memoryStream.ToArray();
}

public static byte[] Decrypt(byte[] cipher, string password)
{
    MemoryStream memoryStream;
    CryptoStream cryptoStream;
    Rijndael rijndael = Rijndael.Create();
    Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
    rijndael.Key = pdb.GetBytes(32);
    rijndael.IV = pdb.GetBytes(16);
    memoryStream = new MemoryStream();
    cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
    cryptoStream.Write(cipher, 0, cipher.Length);
    cryptoStream.Close();
    return memoryStream.ToArray();
}
Alex Aza
  • 76,499
  • 26
  • 155
  • 134
Pan Pizza
  • 1,034
  • 2
  • 12
  • 20
  • Ok, I award bounty to new user as encouragement – Predator Jul 02 '11 at 09:50
  • 19
    @Gens - I always believed that the best answer should be chosen, the answer that is the most useful for all the users. I spent quite a lot of time for making reusable API and examples. While you make it encouraging for new users, it is absolutely unfair and discouraging for old ones. – Alex Aza Jul 02 '11 at 16:45
  • 5
    Regarding the lines- rijndael.Key = pdb.GetBytes(32); rijndael.IV = pdb.GetBytes(16); Does this mean the IV is just the first half of the Key? Does this have security implications? – Spongeboy Jul 24 '12 at 06:22
  • 1
    @Spongeboy Yes. I suspect it is possible to establish the original key by doing an attack to determine the IV which, if determined (and bear in mind Rijndael doesn't treat the IV as being secret), would allow a brute-force attack against the original password/salt combination (just keep plugging values until you get that IV). – Rushyo Sep 24 '13 at 17:49
  • 9
    This doesn't even begin to touch on the problems with using the same IV repeatedly. Don't do this. Every time you re-use an IV, a kitty's entropy rapidly increases at an alarming rate. – Rushyo Sep 24 '13 at 17:51
  • 1
    Also, if it is the first half of the key (will check in a second), then recovering the IV would reduce the problem of getting the rest of the key by 17 *million* *trillion* times. EDIT: FWIW no, it isn't. However, that doesn't automatically mean you can't potentially recover half of the key from it anyway. – Rushyo Sep 24 '13 at 17:55
  • Could bother to comment rather than just post a piece of code. – Eugene Mayevski 'Callback Sep 26 '13 at 06:11
  • 1
    Do not reuse the IV!!! Create a new one and append it to the ciphertext – rollsch Sep 03 '17 at 06:44
  • above code throws an error :"Length of the data to decrypt is invalid" – Vishal Prajapati Jun 07 '18 at 07:19
9

The IV must be random (doesn't need to be an unpredictable random, just random enough that they won't be reused).

As to generating the key from the password, you are looking for a key derivation function for which nowadays there are at least three good choices (PBKDF2, bcrypt, scrypt), using a non iterated hash as a previous poster suggests more often than not leads to insecure systems.

Also use AES nor Rijndael, that's not exactly the same thing. Using a Rijndael combination not part of AES could be an inter-operability nightmare later, and the security of those functions combination isn't well studied anyway.

Bruno Rohée
  • 3,436
  • 27
  • 32
4

IV must be random (you usually pass it together with the encrypted data), and the key can be derived in a number of ways: simply pad the password to the length of the key (if the password is shorter than 32 characters) or (which is more reliable) derive a key by using SHA2 hashing algorithm or use some more sophisticated way.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • 2
    Don't ever pad the password. Don't use String input as a key. Don't use SHA2. Use a key derivation algorithm, such as PKBDF2, which is specifically designed for this problem. Also, be sure to read the label (RTFM) before you use a key derivation algorithm. – Rushyo Sep 30 '13 at 12:22
  • 2
    @Rushyo don't ever make so all-embracing statements. – Eugene Mayevski 'Callback Sep 30 '13 at 13:33
  • Because playing guessing games and hoping things are going to work with cryptographic algorithms has been proven to be such a good idea? May as well pray to the Machine God and recant the holy sacred rites for all the engineering sense that makes. There are very well defined methodologies for key derivation. The fact that people use home-brew nonsense means I get a paycheck as a hacker but that doesn't make it good engineering. – Rushyo Sep 30 '13 at 17:04
  • Hmm. Just had a look at 'BlackBox'. I can see you're a big fan of the DIY approach. GL with that! – Rushyo Sep 30 '13 at 17:41
1

Use this Rfc2898DeriveBytes Class.

Word of advise though, your security level has dropped/limited by the passphrase length/strength. So, don't do it.

user774411
  • 1,749
  • 6
  • 28
  • 47
0

Other answers contain way more information. The answer to this question where you only want to generate the key and IV given a passphrase use:

        // use something more random in real life
        var salt =  new byte[]{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};

        string password = "my-password";
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, salt);
        var key = pdb.GetBytes(32);
        var iv = pdb.GetBytes(16);
Tono Nam
  • 34,064
  • 78
  • 298
  • 470