All geek questions in one place

How to create PBKDF2-SHA256 password hash in C # / Bouncy Castle

I need to create a password hash code PBKDF2-SHA256, but I have problems.

I downloaded the Bouncy Castle repo, but got a little stuck looking for what I was looking for in unit tests.

Found some code examples here , but this is just SHA1. The key bit of code is:

/// <summary> /// Computes the PBKDF2-SHA1 hash of a password. /// </summary> /// <param name="password">The password to hash.</param> /// <param name="salt">The salt.</param> /// <param name="iterations">The PBKDF2 iteration count.</param> /// <param name="outputBytes">The length of the hash to generate, in bytes.</param> /// <returns>A hash of the password.</returns> private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes) { var pdb = new Pkcs5S2ParametersGenerator(); pdb.Init(PbeParametersGenerator.Pkcs5PasswordToBytes(password.ToCharArray()), salt, iterations); var key = (KeyParameter)pdb.GenerateDerivedMacParameters(outputBytes * 8); return key.GetKey(); }

I need to change this from SHA1 to SHA256.

From the Java documentation and this post, it looked like the following could have been done, but there is no overload in the C # library constructor.

 var pdb = new Pkcs5S2ParametersGenerator(new Sha256Derived());

Finding another article on stack overflow, I thought it was possible that it was possible, but SHA hash algorithms are not on the search list, so the following will not work.

 var bcparam = (KeyParameter)pdb.GenerateDerivedParameters("sha256", outputBytes * 8);

What do I need to do to get this job, please?

Note. If you read this and don’t know how to use Bouncy Castle, but you know another way, I will still be grateful for your help.

+5
source share
1 answer

EDIT (abridged response history deleted for brevity)

Now there is a Bouncy Castle Crypto API NuGet package that you can use. Alternatively, you can get the source directly from GitHub, which will work. I had a standard NuGet Bouncy Castle that was not updated to 1.8.1 at the time of writing.

For the benefit of search engines, here is a C # helper class for hashing. Tested on multiple threads and seems great.

 /// <summary> /// Contains the relevant Bouncy Castle Methods required to encrypt a password. /// References NuGet Package BouncyCastle.Crypto.dll /// </summary> public class BouncyCastleHashing { private SecureRandom _cryptoRandom; public BouncyCastleHashing() { _cryptoRandom = new SecureRandom(); } /// <summary> /// Random Salt Creation /// </summary> /// <param name="size">The size of the salt in bytes</param> /// <returns>A random salt of the required size.</returns> public byte[] CreateSalt(int size) { byte[] salt = new byte[size]; _cryptoRandom.NextBytes(salt); return salt; } /// <summary> /// Gets a PBKDF2_SHA256 Hash (Overload) /// </summary> /// <param name="password">The password as a plain text string</param> /// <param name="saltAsBase64String">The salt for the password</param> /// <param name="iterations">The number of times to encrypt the password</param> /// <param name="hashByteSize">The byte size of the final hash</param> /// <returns>A base64 string of the hash.</returns> public string PBKDF2_SHA256_GetHash(string password, string saltAsBase64String, int iterations, int hashByteSize) { var saltBytes = Convert.FromBase64String(saltAsBase64String); var hash = PBKDF2_SHA256_GetHash(password, saltBytes, iterations, hashByteSize); return Convert.ToBase64String(hash); } /// <summary> /// Gets a PBKDF2_SHA256 Hash (CORE METHOD) /// </summary> /// <param name="password">The password as a plain text string</param> /// <param name="salt">The salt as a byte array</param> /// <param name="iterations">The number of times to encrypt the password</param> /// <param name="hashByteSize">The byte size of the final hash</param> /// <returns>A the hash as a byte array.</returns> public byte[] PBKDF2_SHA256_GetHash(string password, byte[] salt, int iterations, int hashByteSize) { var pdb = new Pkcs5S2ParametersGenerator(new Org.BouncyCastle.Crypto.Digests.Sha256Digest()); pdb.Init(PbeParametersGenerator.Pkcs5PasswordToBytes(password.ToCharArray()), salt, iterations); var key = (KeyParameter)pdb.GenerateDerivedMacParameters(hashByteSize * 8); return key.GetKey(); } /// <summary> /// Validates a password given a hash of the correct one. (OVERLOAD) /// </summary> /// <param name="password">The original password to hash</param> /// <param name="salt">The salt that was used when hashing the password</param> /// <param name="iterations">The number of times it was encrypted</param> /// <param name="hashByteSize">The byte size of the final hash</param> /// <param name="hashAsBase64String">The hash the password previously provided as a base64 string</param> /// <returns>True if the hashes match</returns> public bool ValidatePassword(string password, string salt, int iterations, int hashByteSize, string hashAsBase64String) { byte[] saltBytes = Convert.FromBase64String(salt); byte[] actualHashBytes = Convert.FromBase64String(hashAsBase64String); return ValidatePassword(password, saltBytes, iterations, hashByteSize, actualHashBytes); } /// <summary> /// Validates a password given a hash of the correct one (MAIN METHOD). /// </summary> /// <param name="password">The password to check.</param> /// <param name="correctHash">A hash of the correct password.</param> /// <returns>True if the password is correct. False otherwise.</returns> public bool ValidatePassword(string password, byte[] saltBytes, int iterations, int hashByteSize, byte[] actualGainedHasAsByteArray) { byte[] testHash = PBKDF2_SHA256_GetHash(password, saltBytes, iterations, hashByteSize); return SlowEquals(actualGainedHasAsByteArray, testHash); } /// <summary> /// Compares two byte arrays in length-constant time. This comparison /// method is used so that password hashes cannot be extracted from /// on-line systems using a timing attack and then attacked off-line. /// </summary> /// <param name="a">The first byte array.</param> /// <param name="b">The second byte array.</param> /// <returns>True if both byte arrays are equal. False otherwise.</returns> private bool SlowEquals(byte[] a, byte[] b) { uint diff = (uint)a.Length ^ (uint)b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) diff |= (uint)(a[i] ^ b[i]); return diff == 0; } }

Usage example

 public void CreatePasswordHash_Single() { int iterations = 100000; // The number of times to encrypt the password - change this int saltByteSize = 64; // the salt size - change this int hashByteSize = 128; // the final hash - change this BouncyCastleHashing mainHashingLib = new BouncyCastleHashing(); var password = "password"; // That really secure! :) byte[] saltBytes = mainHashingLib.CreateSalt(saltByteSize); string saltString = Convert.ToBase64String(saltBytes); string pwdHash = mainHashingLib.PBKDF2_SHA256_GetHash(password, saltString, iterations, hashByteSize); var isValid = mainHashingLib.ValidatePassword(password, saltBytes, iterations, hashByteSize, Convert.FromBase64String(pwdHash)); }
+7
source

Source: https://habr.com/ru/post/1241258/

More articles:


All Articles