Summary of the new feature / enhancement

Utils.cs leverages the Rfc2898DeriveBytes class for key derivation. The constructor used appears to be:
public Rfc2898DeriveBytes (byte[] password, byte[] salt, int iterations)
This constructor, and any that leverage a default iteration count and/or hash algorithm, are marked as 'obsolete' as of .NET 7. The constructor leverages SHA-1 with an iteration count of 1000.
Given events like the LastPass hack/breach, are there plans to update this module to leverage a newer constructor with a higher iteration count and non-deprecated hash algorithm?
Proposed technical implementation details (optional)

I mainly write PowerShell, with no experience writing C#, but it seems like the 3 sections that use the Rfc2898DeriveBytes constructor could be updated to look more like this:
using (var derivedBytes = new Rfc2898DeriveBytes(
    password: passWordData,
    salt: saltBytes,          // placeholder for the existing code's salt byte[] ("Key bytes variable")
    iterations: 600000,
    hashAlgorithm: HashAlgorithm)) // the constructor's parameter is named hashAlgorithm
{
    // derive the key with derivedBytes.GetBytes(...) as the existing code does
}
where 'HashAlgorithm' is a previously defined variable containing 'HashAlgorithmName.SHA256', or hard-code it in each construction of the Rfc2898DeriveBytes class. At the time of writing, SHA256 or SHA512 with a work factor of 600,000 or 210,000 iterations respectively are the defaults recommended by OWASP.
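As an added example (not code from the module in question, nor from the issue author), the following C# program puts the derivation the issue describes (SHA-1, 1000 iterations, obsolete constructor) next to the proposed one (SHA-256, 600,000 iterations) and adds the check a practitioner would want before merging such a change: the two parameter sets produce unrelated keys, so anything encrypted under the old parameters stops decrypting unless the KDF parameters are versioned alongside the data. The names Pbkdf2Demo, KdfParams, DeriveLegacy, DeriveHardened, DeriveForVersion and the sample password are assumptions of this demo.

```csharp
// Added example, not code from the module under discussion: contrasts the
// derivation the issue describes (SHA-1, 1000 iterations, obsolete constructor)
// with the proposed one (SHA-256, 600,000 iterations) and shows why the KDF
// parameters have to be stored with the ciphertext. Names such as DeriveLegacy,
// KdfParams and the sample password are assumptions for this demo.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

public static class Pbkdf2Demo
{
    public const int KeyLengthBytes = 32; // e.g. an AES-256 key

    // KDF parameters keyed by a format version byte that is written in front
    // of the salt/ciphertext, so old blobs still decrypt after the upgrade.
    public sealed record KdfParams(HashAlgorithmName Hash, int Iterations);

    public static readonly IReadOnlyDictionary<byte, KdfParams> Versions =
        new Dictionary<byte, KdfParams>
        {
            // v1: what the issue reports the existing code does.
            [1] = new(HashAlgorithmName.SHA1, 1_000),
            // v2: OWASP-recommended work factor for PBKDF2-HMAC-SHA256.
            [2] = new(HashAlgorithmName.SHA256, 600_000),
        };

    // The obsolete constructor, kept only to reproduce keys for v1 blobs.
#pragma warning disable SYSLIB0041 // Rfc2898DeriveBytes(byte[], byte[], int) is obsolete in .NET 7+
    public static byte[] DeriveLegacy(byte[] password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, Versions[1].Iterations);
        return kdf.GetBytes(KeyLengthBytes);
    }
#pragma warning restore SYSLIB0041

    // Non-obsolete constructor with the hash algorithm given explicitly
    // (the parameter is named hashAlgorithm, not hashalgorithmname).
    public static byte[] DeriveHardened(byte[] password, byte[] salt)
    {
        var p = Versions[2];
        using var kdf = new Rfc2898DeriveBytes(password, salt, p.Iterations, hashAlgorithm: p.Hash);
        return kdf.GetBytes(KeyLengthBytes);
    }

    // Same derivation through the static API (available since .NET 6), selected
    // by the format version so that both old and new blobs can be opened.
    public static byte[] DeriveForVersion(byte version, byte[] password, byte[] salt)
    {
        if (!Versions.TryGetValue(version, out var p))
            throw new CryptographicException($"unknown KDF format version {version}");
        return Rfc2898DeriveBytes.Pbkdf2(password, salt, p.Iterations, p.Hash, KeyLengthBytes);
    }

    public static void Main()
    {
        byte[] password = Encoding.UTF8.GetBytes("correct horse battery staple"); // constructed sample
        byte[] salt = RandomNumberGenerator.GetBytes(16); // fresh random salt per derivation

        var sw = Stopwatch.StartNew();
        byte[] legacy = DeriveLegacy(password, salt);
        long legacyMs = sw.ElapsedMilliseconds;
        sw.Restart();
        byte[] hardened = DeriveHardened(password, salt);
        long hardenedMs = sw.ElapsedMilliseconds;

        Console.WriteLine($"v1 SHA-1   {Versions[1].Iterations,7} it: {Convert.ToHexString(legacy)} ({legacyMs} ms)");
        Console.WriteLine($"v2 SHA-256 {Versions[2].Iterations,7} it: {Convert.ToHexString(hardened)} ({hardenedMs} ms)");

        // The static API reproduces both constructors' output for the same version...
        bool v1Match = CryptographicOperations.FixedTimeEquals(legacy, DeriveForVersion(1, password, salt));
        bool v2Match = CryptographicOperations.FixedTimeEquals(hardened, DeriveForVersion(2, password, salt));
        // ...while the two versions yield unrelated keys, so a blob encrypted
        // under v1 can only be opened if its version byte selects the v1 parameters.
        bool crossMatch = CryptographicOperations.FixedTimeEquals(legacy, hardened);
        Console.WriteLine($"v1 reproducible: {v1Match}, v2 reproducible: {v2Match}, v1 == v2: {crossMatch}");
    }
}
```

The program targets .NET 6 or later (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes and Convert.ToHexString); on .NET 7 the SYSLIB0041 pragma is what silences the obsolescence warning the issue refers to. The timing output makes the cost of the new work factor visible, which matters if the module derives a key on every call rather than once per session.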