Rfc2898DeriveBytes giving error salt is not at least eight bytes (Stack Overflow)

using (var pbkdf2 = new Rfc2898DeriveBytes(
        m_Password,
        l_saltBytes,
        Convert.ToInt32(ConstantFatcorString),
        HashAlgorithmName.SHA256))
{
    l_bytes = pbkdf2.GetBytes(32);
}

I am using .NET Framework 4.8. Can anyone help with a supporting link? SaltString=test; ConstantFatcorString=1000;

asked Mar 27 at 7:05 by Nishant Sharma; edited Mar 27 at 7:20 by Peter Smith
  • Please do not delete and repost the same question. stackoverflow/questions/79537814/… – mjwills Commented Mar 27 at 7:55
  • Please share a minimal reproducible example. – mjwills Commented Mar 27 at 7:55
  • You already said in your other question that your salt was only four bytes. The error is salt is not at least eight bytes. I mean, I am not sure what to say to you other than "you really should read the error message". I mean it tells you what you have done wrong, quite clearly. Your salt needs to be, and I quote, at least 8 bytes. – mjwills Commented Mar 27 at 7:56
  • I am converting the salt like this: byte[] l_saltBytes = Encoding.UTF8.GetBytes(m_sSaltString); – Nishant Sharma Commented Mar 27 at 8:26
  • I just want to know: is there any API which doesn't have the eight-byte salt limitation for the PBKDF2 (SHA256) algorithm? – Nishant Sharma Commented Mar 27 at 8:28

1 Answer

How are you converting your salt to a byte array? If using UTF8 (like the below):

            var l_saltBytes = Encoding.UTF8.GetBytes("test");

the result will be 4 bytes long - so this is expected - the salt needs to be bigger than 8 bytes. The salt is used with the password to create keys. If the salt is fewer than 8 bytes then it doesn't add enough randomness to the generated keys, so the result is very vulnerable to brute force attacks due to lack of entropy.

Page 5 of the RFC spec explains this in some detail:
https://www.rfc-editor.org/rfc/rfc2898.txt

Note the section:

      1. It is difficult for an opponent to precompute all the keys
         corresponding to a dictionary of passwords, or even the most
         likely keys. If the salt is 64 bits long, for instance, there
         will be as many as 2^64 keys for each password. An opponent is
         thus limited to searching for passwords after a password-based
         operation has been performed and the salt is known.

So even though this is an example, it talks about 64 bits long (there are 8 bits in a byte), and this has been taken as a sensible minimum within Rfc2898DeriveBytes.

A good salt needs to be at least this length, and should be random. Guids are quite often used (you can generate one using Guid.NewGuid().ToString() but will obviously need to save it to validate the password) - so to get your code working try using something like that - but it is by design that the salt must be at least 8 bytes in length.

The following works:

        using System;
        using System.Security.Cryptography;
        using System.Text;

        class Program
        {
            static void Main(string[] args)
            {
                string ConstantFatcorString = "1000";

                var m_Password = "this is my passowrd";
                // "testtest" is 8 bytes of UTF-8, the minimum Rfc2898DeriveBytes accepts
                var l_saltBytes = Encoding.UTF8.GetBytes("testtest");
                byte[] l_bytes = null;

                using (var pbkdf2 = new Rfc2898DeriveBytes(
                           m_Password,
                           l_saltBytes,
                           1000,
                           HashAlgorithmName.SHA256))
                {
                    l_bytes = pbkdf2.GetBytes(32);
                }
                Console.WriteLine(Convert.ToBase64String(l_bytes));
            }
        }

Please ensure you use a more sensible value for salt though for the reasons given :)
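To show the random-salt approach the answer recommends end to end, here is an added example (not the answerer's or asker's code, and not part of the original thread) that generates a 16-byte salt with RandomNumberGenerator, stores it next to the PBKDF2-SHA256 hash, verifies a password with a fixed-time compare, and demonstrates that the question's 4-byte salt is rejected. The PasswordHasher class, its Hash/Verify methods and the "iterations.salt.hash" storage format are my own choices; the 1000-iteration count and 32-byte key size come from the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class PasswordHasher
{
    const int SaltSize = 16;     // bytes; comfortably above the 8-byte minimum Rfc2898DeriveBytes enforces
    const int Iterations = 1000; // the question's value; use a much higher count in production
    const int KeySize = 32;      // 256-bit output, as in the question

    // PBKDF2-HMAC-SHA256; throws ArgumentException when salt is shorter than 8 bytes.
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return pbkdf2.GetBytes(KeySize);
    }

    // Returns "iterations.salt.hash" (base64) so the random salt is stored next to the hash (hypothetical format).
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt); // random salt instead of Encoding.UTF8.GetBytes("test")
        var hash = Derive(password, salt, Iterations);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        if (parts.Length != 3) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        var actual = Derive(password, salt, int.Parse(parts[0]));
        // Fixed-time compare: CryptographicOperations.FixedTimeEquals is not available on .NET Framework 4.8.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    static void Main()
    {
        // The question's four-byte salt is rejected before any key is derived.
        try { Derive("pw", Encoding.UTF8.GetBytes("test"), Iterations); }
        catch (ArgumentException e) { Console.WriteLine("4-byte salt rejected: " + e.Message); }
        var stored = Hash("this is my passowrd");
        Console.WriteLine(Verify("this is my passowrd", stored));
        Console.WriteLine(Verify("wrong password", stored));
    }
}
```

The stored string must be kept per user (the salt is what makes two users with the same password hash differently), and the iteration count is stored alongside it so it can be raised later without breaking existing records.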
