I have been tasked with writing a new method for calculating password hashes in order to replace the old one that we don’t feel is still safe enough. I recently read the Security Driven.NET book, in which I learned that the important part is the use of a custom speed algorithm (as opposed to a simple hash), and in .NET it is recommendedPBKDF2to handle passwords. I also read that as an improvement on how ASP.NET deals with passwords, it would be nice if the resulting hash stored in the database was cryptographically bound to the user (name or identifier) using PBKDF2 to create the wizard and then use the username (or id) to create the derived key using HKDF. But then again, this is a superficial knowledge that I read from a book that I don’t have access to right now, so I can’t double-check whether my memory is written down correctly.
Also, I haven't used the .NET .NET DerivedBytes API before, so I might have done it wrong. So my question is this: am I doing this correctly in the following code? Am I using the API correctly? And is this implementation "safe enough"? Or am I doing something wrong that completely removes all security?
protected override byte[] ComputeHash(string user, string salt, string password)
{
var userBytes = user.ToBytes();
using (var pbkdf2 = new PBKDF2(MacFactories.HMACSHA512, password.ToBytes(), salt.ToBytes()))
{
var masterKey = pbkdf2.GetBytes(128);
using (var hkdf = new HKDF(MacFactories.HMACSHA512, masterKey, userBytes, userBytes))
{
return hkdf.GetBytes(64);
}
}
}
source
share