[RESOLVED] PasswordDeriveBytes warning
Hi,
I'm trying to decrypt a file with the following code:
vb.net Code:
Function DecryptAES(ByVal CipherText As String, ByVal password As String, ByVal salt As String) As String
    Dim HashAlgorithm As String = h_alg
    Dim PasswordIterations As Integer = 2
    Dim InitialVector As String = iv
    Dim KeySize As Integer = 256
    If (String.IsNullOrEmpty(CipherText)) Then
        Return ""
    End If
    Dim InitialVectorBytes As Byte() = Encoding.ASCII.GetBytes(InitialVector)
    Dim SaltValueBytes As Byte() = Encoding.ASCII.GetBytes(sa)
    Dim CipherTextBytes As Byte() = Convert.FromBase64String(CipherText)
    Dim DerivedPassword As PasswordDeriveBytes = New PasswordDeriveBytes(pn, SaltValueBytes, HashAlgorithm, PasswordIterations)
    ' here is where the warning occurs
    Dim KeyBytes As Byte() = DerivedPassword.GetBytes(CInt(KeySize / 8))
    ' etc....
End Function
Code:
Warning 1 'Public Overrides Function GetBytes(cb As Integer) As Byte()' is obsolete:
'Rfc2898DeriveBytes replaces PasswordDeriveBytes for deriving key material from a password
and is preferred in new applications.'.
Does anyone know how to do this properly?
Re: PasswordDeriveBytes warning
Did you read the documentation for the Rfc2898DeriveBytes class?
Re: PasswordDeriveBytes warning
Yeah, but it was all Chinese to me at the moment. I do search before asking, by the way.
Re: PasswordDeriveBytes warning
I've never used either but from a couple of minutes looking at the doco it looks to be almost exactly the same as what you already have. The class constructor is overloaded but basically takes a password, salt and iteration count and then you call GetBytes.
Re: PasswordDeriveBytes warning
Already tried something alike, but I think I have to take a little time away from it and try later. Been trying to fix this for a long time.
Re: PasswordDeriveBytes warning
It seems relatively straightforward to me. When a user registers you create a key generator with the password, the length of the salt you want and the number of iterations to perform, then save the generated salt and key to the database:
vb.net Code:
Private Sub registerButton_Click(sender As System.Object, e As System.EventArgs) Handles registerButton.Click
    Dim salt As Byte()
    Dim key As Byte()
    Register(passwordTextBox.Text, salt, key)
    'Save salt and key to database.
End Sub

Private Sub Register(password As String, ByRef salt As Byte(), ByRef key As Byte())
    'Create a key generator for the password with a 16-byte salt value that uses 10 iterations.
    Using generator As New Rfc2898DeriveBytes(password, 16, 10)
        'Get the generated salt.
        salt = generator.Salt
        'Get a 32-byte key.
        key = generator.GetBytes(32)
    End Using
End Sub
When the user logs on you get the salt and the key from that database, generate a key from the provided password and salt and see if it matches the stored value:
vb.net Code:
Private Sub logonButton_Click(sender As System.Object, e As System.EventArgs) Handles logonButton.Click
    'Get salt and key from database.
    Dim salt As Byte()
    Dim key As Byte()
    If Logon(passwordTextBox.Text, salt, key) Then
        'The logon was successful.
    End If
End Sub

Private Function Logon(password As String, salt As Byte(), expectedKey As Byte()) As Boolean
    'Create a key generator for the password with the specified salt value that uses 10 iterations.
    Using generator As New Rfc2898DeriveBytes(password, salt, 10)
        'Get a 32-byte key.
        Dim actualKey = generator.GetBytes(32)
        'Compare the actualKey to the expectedKey.
        For i = 0 To actualKey.GetUpperBound(0)
            If actualKey(i) <> expectedKey(i) Then
                'No match
                Return False
            End If
        Next
        'Match found
        Return True
    End Using
End Function
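
Added example (not part of any post in this thread): the same register/logon flow with an explicit HMAC-SHA256 PRF, a stored iteration count, input validation and a comparison that does not stop at the first differing byte. The module name, the FixedTimeEquals helper and the iteration count of 600000 are assumptions made for illustration; the four-argument constructors assume .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```vbnet
Imports System
Imports System.Security.Cryptography

Module PasswordHashingExample
    ' Assumed values, not taken from the thread; tune Iterations to your hardware.
    Private Const SaltSize As Integer = 16
    Private Const KeySize As Integer = 32
    Private Const Iterations As Integer = 600000

    ' Derive a key under a fresh random salt; persist salt, iteration count and key together.
    Public Sub Register(password As String, ByRef salt As Byte(), ByRef iterationsUsed As Integer, ByRef key As Byte())
        Using generator As New Rfc2898DeriveBytes(password, SaltSize, Iterations, HashAlgorithmName.SHA256)
            salt = generator.Salt
            key = generator.GetBytes(KeySize)
        End Using
        iterationsUsed = Iterations
    End Sub

    ' Re-derive with the stored salt and iteration count; malformed records fail closed.
    Public Function Logon(password As String, salt As Byte(), storedIterations As Integer, expectedKey As Byte()) As Boolean
        If salt Is Nothing OrElse salt.Length < 8 OrElse expectedKey Is Nothing OrElse storedIterations <= 0 Then Return False
        Using generator As New Rfc2898DeriveBytes(password, salt, storedIterations, HashAlgorithmName.SHA256)
            Return FixedTimeEquals(generator.GetBytes(KeySize), expectedKey)
        End Using
    End Function

    ' Accumulate differences over every byte instead of returning at the first mismatch,
    ' so the running time does not reveal how many leading bytes matched.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()
        Dim salt As Byte() = Nothing
        Dim key As Byte() = Nothing
        Dim iters As Integer
        Register("constructed sample password", salt, iters, key)
        Console.WriteLine(Logon("constructed sample password", salt, iters, key))
        Console.WriteLine(Logon("a different password", salt, iters, key))
    End Sub
End Module
```

Rfc2898DeriveBytes implements PBKDF2 and returns different bytes from PasswordDeriveBytes for the same password and salt, so data already encrypted under a PasswordDeriveBytes key still has to be decrypted with that key before it can be re-encrypted under the new one.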