[RESOLVED] PasswordDeriveBytes warning

[Radjesh Klauke]

Hi,

I'm trying to decrypt a file with the following code:

vb.net Code:

Function DecryptAES(ByVal CipherText As String, ByVal password As String, ByVal salt As String) As String
        Dim HashAlgorithm As String = h_alg
        Dim PasswordIterations As Integer = 2
        Dim InitialVector As String = iv
        Dim KeySize As Integer = 256
 
        If (String.IsNullOrEmpty(CipherText)) Then
            Return ""
        End If
 
        Dim InitialVectorBytes As Byte() = Encoding.ASCII.GetBytes(InitialVector)
        Dim SaltValueBytes As Byte() = Encoding.ASCII.GetBytes(sa)
        Dim CipherTextBytes As Byte() = Convert.FromBase64String(CipherText)
        Dim DerivedPassword As PasswordDeriveBytes = New PasswordDeriveBytes(pn, SaltValueBytes, HashAlgorithm, PasswordIterations)
 
        '  here is where the warning occurs
        Dim KeyBytes As Byte() = DerivedPassword.GetBytes(CInt(KeySize / 8))
        
        '  etc....
    End Function

Code:

Warning 1 'Public Overrides Function GetBytes(cb As Integer) As Byte()' is obsolete:
 'Rfc2898DeriveBytes replaces PasswordDeriveBytes for deriving key material from a password
and is preferred in new applications.'.

Anyone knows how to do this properly?

[jmcilhinney]

Did you read the documentation for the Rfc2898DeriveBytes class?

[Radjesh Klauke]

Yeah, but it was all chinese to me at the moment. I do saerch before asking by the way.

[jmcilhinney]

I've never used either but from a couple of minutes looking at the doco it looks to be almost exactly the same as what you already have. The class constructor is overloaded but basically takes a password, salt and iteration count and then you call GetBytes.

[Radjesh Klauke]

Already tried something alike, but I think I have to take a little time away from it and try later. Been trying to fix this for a long time.

[jmcilhinney]

It seems relatively straightforward to me. When a user registers you create a key generator with the password, the length of the salt you want and the number of iterations to perform, then save the generated salt and key to the database:

vb.net Code:

Private Sub registerButton_Click(sender As System.Object, e As System.EventArgs) Handles registerButton.Click
    Dim salt As Byte()
    Dim key As Byte()
 
    Register(passwordTextBox.Text, salt, key)
 
    'Save salt and key to database.
End Sub
 
Private Sub Register(password As String, ByRef salt As Byte(), ByRef key As Byte())
    'Create a key generator for the password with a 16-byte salt value that uses 10 iterations.
    Using generator As New Rfc2898DeriveBytes(password, 16, 10)
        'Get the generated salt.
        salt = generator.Salt
 
        'Get a 32-byte key.
        key = generator.GetBytes(32)
    End Using
End Sub

When the user logs on you get the salt and the key from that database, generate a key from the provided password and salt and see if it matches the stored value:

vb.net Code:

Private Sub logonButton_Click(sender As System.Object, e As System.EventArgs) Handles logonButton.Click
    'Get salt and key from database.
    Dim salt As Byte()
    Dim key As Byte()
 
    If Logon(passwordTextBox.Text, salt, key) Then
        'The logon was successful.
    End If
End Sub
 
Private Function Logon(password As String, salt As Byte(), expectedKey As Byte()) As Boolean
    'Create a key generator for the password with the specified salt value that uses 10 iterations.
    Using generator As New Rfc2898DeriveBytes(password, salt, 10)
        'Get a 32-byte key.
        Dim actualKey = generator.GetBytes(32)
 
        'Compare the actualKey to the expectedKey.
        For i = 0 To actualKey.GetUpperBound(0)
            If actualKey(i) <> expectedKey(i) Then
                'No match
                Return False
            End If
        Next
 
        'Match found
        Return True
    End Using
End Function