
Rfc2898DeriveBytes obsolete constructor #102

Open
grey0ut opened this issue Aug 9, 2023 · 0 comments

Comments


grey0ut commented Aug 9, 2023

Summary of the new feature / enhancement

Utils.cs leverages the Rfc2898DeriveBytes class for key derivation. The constructor used appears to be:

public Rfc2898DeriveBytes (byte[] password, byte[] salt, int iterations)

This constructor, and any that leverage a default iteration count and/or hash algorithm, are marked as 'obsolete' as of .NET 7. The constructor leverages SHA1 with an iteration count of 1000.

Given events like the LastPass hack/breach, are there plans to update this module to leverage a newer constructor with a higher iteration count and non-deprecated hash algorithm?

Proposed technical implementation details (optional)

I mainly write PowerShell, with no experience writing C#, but it seems like the 3 sections that use the Rfc2898DeriveBytes constructor could be updated to look more like this:

    using (var derivedBytes = new Rfc2898DeriveBytes(
        password: passWordData,
        salt: saltBytes,            // placeholder for the existing key-bytes variable
        iterations: 600000,
        hashAlgorithm: HashAlgorithm)) // the parameter is named hashAlgorithm, not hashalgorithmname
    {
        // ... derive the key material as before
    }

where 'HashAlgorithm' is a previously defined variable containing 'HashAlgorithmName.SHA256'. Or hard-code it in each construction of the Rfc2898DeriveBytes class. At the time of writing, SHA256 or SHA512 with a work factor of 600,000 and 210,000 iterations respectively are the defaults recommended by OWASP.
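An added illustration of the migration described in this issue, written for this page rather than taken from the module or the issue author; the sample password, the random salt, the 32-byte output length and the method names are constructed assumptions, and the .NET 6+ one-shot `Rfc2898DeriveBytes.Pbkdf2` API is shown as an alternative to the `using` pattern:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyDerivationMigration
{
    // Constructed sample inputs; in Utils.cs these come from the caller.
    static readonly byte[] Password = Encoding.UTF8.GetBytes("example-passphrase");
    static readonly byte[] Salt = RandomNumberGenerator.GetBytes(16);

    // "Before": the obsolete overload. The hash (SHA1) and iteration count (1000)
    // are implied by the constructor rather than stated in the code.
    static byte[] DeriveLegacy(byte[] password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 1000);
        return kdf.GetBytes(32);
    }

    // "After": hash algorithm and work factor are explicit. 600,000 is the
    // SHA256 figure the issue quotes from OWASP.
    static byte[] DeriveModern(byte[] password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 600_000, HashAlgorithmName.SHA256);
        return kdf.GetBytes(32);
    }

    // .NET 6+ one-shot static API: same PBKDF2 result, no IDisposable to manage.
    static byte[] DeriveOneShot(byte[] password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 600_000, HashAlgorithmName.SHA256, 32);

    static void Main()
    {
        byte[] legacy = DeriveLegacy(Password, Salt);
        byte[] modern = DeriveModern(Password, Salt);
        byte[] oneShot = DeriveOneShot(Password, Salt);

        // Changing the hash or the iteration count changes the derived key, so
        // anything encrypted under the old derivation has to be re-keyed, and the
        // parameters must be stored alongside the salt so old data can still be
        // decrypted during the transition.
        Console.WriteLine("legacy == modern:  " + CryptographicOperations.FixedTimeEquals(legacy, modern));
        Console.WriteLine("modern == oneShot: " + CryptographicOperations.FixedTimeEquals(modern, oneShot));
    }
}
```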
