NET中使用SHA 256的PBKDF2 [英] PBKDF2 using SHA 256 in .NET
问题描述
我需要更新一些代码,这些代码使用.net Rfc2898DeriveBytes
中的PBKDF2实现来哈希用户凭据.
据我了解,此功能在后台使用SHA-1.我需要更新系统密码哈希的基础哈希算法以使用SHA-256(这是客户端IT-SEC的要求).
I need to update some code that is using the PBKDF2 implementation in .Net, Rfc2898DeriveBytes
to hash user credentials.
It is my understanding that this function uses SHA-1 under the hood. I need to update the underlying hashing algorithm of the systems password hashing to use SHA-256 (This is a client IT-SEC requirement).
已经阅读了一些文章,似乎最好的做法是继续使用Key派生函数,但是PBKDF2不允许您指定应使用的算法,这对我来说显然是个问题.
Having done some reading it seems it is best practice to continue to to use a Key derivation function, however PBKDF2 doesn't allow you to dictate the algorithm is should use, which is obviously a problem for me.
我们的系统使用的是.NET 4.5.1,目前不是升级它的选择,并且我有理由相信,我听说过的任何新的.NET核心.dll都不包含新的实现,因此不能选择该选项. PBKDF2,可让您指定算法.
Our system is using .NET 4.5.1 and currently is not an option to upgrade that and I am reasonably confident it is not an option to reference any new .NET core .dlls that I've heard contain a new implementation of PBKDF2 that allows you to specify your algorithm.
我想不惜一切代价避免自制的实现,因为那是Crypto-Club的第一条规则吧?
I want to avoid home made implementations at all cost,s as that's the 1st rule of Crypto-Club right?
任何关于最佳实践的指南将不胜感激.
Any guidance on what is best practice would be appreciated.
谢谢
推荐答案
You can P/Invoke to BCryptDeriveKeyPBKDF2, assuming you're on Win7+.
private static void PBKDF2(
string password,
byte[] salt,
int iterationCount,
string hashName,
byte[] output)
{
int status = SafeNativeMethods.BCryptOpenAlgorithmProvider(
out SafeNativeMethods.SafeBCryptAlgorithmHandle hPrf,
hashName,
null,
SafeNativeMethods.BCRYPT_ALG_HANDLE_HMAC_FLAG);
using (hPrf)
{
if (status != 0)
{
throw new CryptographicException(status);
}
byte[] passBytes = Encoding.UTF8.GetBytes(password);
status = SafeNativeMethods.BCryptDeriveKeyPBKDF2(
hPrf,
passBytes,
passBytes.Length,
salt,
salt.Length,
iterationCount,
output,
output.Length,
0);
if (status != 0)
{
throw new CryptographicException(status);
}
}
}
[SuppressUnmanagedCodeSecurity]
private static class SafeNativeMethods
{
private const string BCrypt = "bcrypt.dll";
internal const int BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008;
[DllImport(BCrypt, CharSet = CharSet.Unicode)]
[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
internal static extern int BCryptDeriveKeyPBKDF2(
SafeBCryptAlgorithmHandle hPrf,
byte[] pbPassword,
int cbPassword,
byte[] pbSalt,
int cbSalt,
long cIterations,
byte[] derivedKey,
int cbDerivedKey,
int dwFlags);
[DllImport(BCrypt)]
[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
private static extern int BCryptCloseAlgorithmProvider(IntPtr hAlgorithm, int flags);
[DllImport(BCrypt, CharSet = CharSet.Unicode)]
[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
internal static extern int BCryptOpenAlgorithmProvider(
out SafeBCryptAlgorithmHandle phAlgorithm,
string pszAlgId,
string pszImplementation,
int dwFlags);
internal sealed class SafeBCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid
{
public SafeBCryptAlgorithmHandle() : base(true)
{
}
protected override bool ReleaseHandle()
{
return BCryptCloseAlgorithmProvider(handle, 0) == 0;
}
}
}
这篇关于NET中使用SHA 256的PBKDF2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!