PBKDF2 using SHA 256 in .NET


Question

I need to update some code that is using the PBKDF2 implementation in .NET, Rfc2898DeriveBytes, to hash user credentials. It is my understanding that this function uses SHA-1 under the hood. I need to update the underlying hashing algorithm of the system's password hashing to use SHA-256 (this is a client IT-SEC requirement).

Having done some reading, it seems it is best practice to continue to use a key derivation function; however, PBKDF2 doesn't allow you to dictate the algorithm it should use, which is obviously a problem for me.

Our system is using .NET 4.5.1 and upgrading it is currently not an option, and I am reasonably confident it is not an option to reference any new .NET Core .dlls, which I've heard contain a new implementation of PBKDF2 that allows you to specify your algorithm.

I want to avoid home-made implementations at all costs, as that's the 1st rule of Crypto Club, right?

Any guidance on what is best practice would be appreciated.

Thanks

Answer

You can P/Invoke to BCryptDeriveKeyPBKDF2, assuming you're on Win7+.

using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Both members below belong inside whichever class hosts the password-hashing code.
// hashName is a CNG hash algorithm identifier such as "SHA256"; on return, output holds
// output.Length bytes of PBKDF2-HMAC-<hashName> key material.
private static void PBKDF2(
    string password,
    byte[] salt,
    int iterationCount,
    string hashName,
    byte[] output)
{
    // Open the hash provider in HMAC mode: PBKDF2's PRF is HMAC over the named hash.
    // The handle is declared separately so this also builds with the C# 5 compiler
    // that shipped alongside .NET 4.5.1.
    SafeNativeMethods.SafeBCryptAlgorithmHandle hPrf;
    int status = SafeNativeMethods.BCryptOpenAlgorithmProvider(
        out hPrf,
        hashName,
        null,
        SafeNativeMethods.BCRYPT_ALG_HANDLE_HMAC_FLAG);

    using (hPrf)
    {
        // A non-zero NTSTATUS means failure (for example an unrecognised hashName).
        if (status != 0)
        {
            throw new CryptographicException(status);
        }

        byte[] passBytes = Encoding.UTF8.GetBytes(password);

        status = SafeNativeMethods.BCryptDeriveKeyPBKDF2(
            hPrf,
            passBytes,
            passBytes.Length,
            salt,
            salt.Length,
            iterationCount,
            output,
            output.Length,
            0);

        if (status != 0)
        {
            throw new CryptographicException(status);
        }
    }
}

[SuppressUnmanagedCodeSecurity]
private static class SafeNativeMethods
{
    private const string BCrypt = "bcrypt.dll";
    // Asks BCryptOpenAlgorithmProvider for a handle usable as an HMAC PRF.
    internal const int BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008;

    // cIterations is a ULONGLONG in the native signature, hence long here.
    // DllImportSearchPath.System32 stops a planted bcrypt.dll in the application
    // directory from being loaded instead of the system copy.
    [DllImport(BCrypt, CharSet = CharSet.Unicode)]
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
    internal static extern int BCryptDeriveKeyPBKDF2(
        SafeBCryptAlgorithmHandle hPrf,
        byte[] pbPassword,
        int cbPassword,
        byte[] pbSalt,
        int cbSalt,
        long cIterations,
        byte[] derivedKey,
        int cbDerivedKey,
        int dwFlags);

    [DllImport(BCrypt)]
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
    private static extern int BCryptCloseAlgorithmProvider(IntPtr hAlgorithm, int flags);

    [DllImport(BCrypt, CharSet = CharSet.Unicode)]
    [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
    internal static extern int BCryptOpenAlgorithmProvider(
        out SafeBCryptAlgorithmHandle phAlgorithm,
        string pszAlgId,
        string pszImplementation,
        int dwFlags);

    // Owns the provider handle so it is closed even if derivation throws.
    internal sealed class SafeBCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        public SafeBCryptAlgorithmHandle() : base(true)
        {
        }

        protected override bool ReleaseHandle()
        {
            return BCryptCloseAlgorithmProvider(handle, 0) == 0;
        }
    }
}
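The answer gives the raw derivation call; what the question actually needs around it is the password-storage logic: a fresh random salt per user, a record that carries its own iteration count, a comparison that does not leak where the bytes diverge, and a way to move existing SHA-1 (Rfc2898DeriveBytes) records to SHA-256. That migration can only happen at a successful login, because the plaintext password is needed to compute the new hash. The following C# is an added example, not code from the original answer: the PasswordStore class, the "v1"/"v2" record layout and the 100000-iteration default are assumptions of this example (the count should be tuned to your hardware budget), and like the answer it targets .NET 4.5.1 on Windows 7 or later.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32.SafeHandles;
[assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)]   // System32 only: no DLL planting

// Added example, not part of the original answer. Record layout, "v1"/"v2" tags, names and
// the iteration count are assumptions of this example:
//   v1$<iterations>$<salt-b64>$<hash-b64>   legacy: Rfc2898DeriveBytes = PBKDF2-HMAC-SHA1
//   v2$<iterations>$<salt-b64>$<hash-b64>   new: CNG BCryptDeriveKeyPBKDF2 over "SHA256"
public static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32, DefaultIterations = 100000;

    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash = DeriveSha256(password, salt, DefaultIterations, HashBytes);
        return string.Format("v2${0}${1}${2}", DefaultIterations, Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // needsRehash matters only when this returns true: the caller then calls Hash() with the
    // just-verified password and overwrites the stored record, migrating SHA-1 users one login at a time.
    public static bool Verify(string password, string record, out bool needsRehash)
    {
        needsRehash = false;
        string[] parts = record.Split('$');
        int iterations;
        if (parts.Length != 4 || !int.TryParse(parts[1], out iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[2]); expected = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return false; }
        byte[] actual;
        switch (parts[0])
        {
            case "v1":
                using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
                    actual = kdf.GetBytes(expected.Length);
                needsRehash = true;                             // always move off SHA-1
                break;
            case "v2":
                actual = DeriveSha256(password, salt, iterations, expected.Length);
                needsRehash = iterations < DefaultIterations;   // raise the work factor over time
                break;
            default:
                return false;
        }
        return FixedTimeEquals(actual, expected);
    }

    // .NET 4.5.1 has no CryptographicOperations.FixedTimeEquals: compare every byte, no early exit.
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // PBKDF2-HMAC-SHA256 through CNG (Windows 7 and later), the same call the answer uses.
    static byte[] DeriveSha256(string password, byte[] salt, int iterations, int length)
    {
        Native.SafeAlgHandle hPrf;
        int status = Native.BCryptOpenAlgorithmProvider(out hPrf, "SHA256", null, Native.BCRYPT_ALG_HANDLE_HMAC_FLAG);
        if (status != 0) throw new CryptographicException(status);   // non-zero NTSTATUS = failure
        using (hPrf)
        {
            byte[] pw = Encoding.UTF8.GetBytes(password);
            byte[] dk = new byte[length];
            status = Native.BCryptDeriveKeyPBKDF2(hPrf, pw, pw.Length, salt, salt.Length, iterations, dk, dk.Length, 0);
            Array.Clear(pw, 0, pw.Length);                              // drop the password bytes promptly
            if (status != 0) throw new CryptographicException(status);
            return dk;
        }
    }

    [SuppressUnmanagedCodeSecurity]
    static class Native
    {
        public const int BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008;

        [DllImport("bcrypt.dll", CharSet = CharSet.Unicode)]
        public static extern int BCryptOpenAlgorithmProvider(out SafeAlgHandle phAlgorithm,
            string pszAlgId, string pszImplementation, int dwFlags);
        [DllImport("bcrypt.dll")]
        public static extern int BCryptCloseAlgorithmProvider(IntPtr hAlgorithm, int dwFlags);
        [DllImport("bcrypt.dll")]
        public static extern int BCryptDeriveKeyPBKDF2(SafeAlgHandle hPrf, byte[] pbPassword, int cbPassword,
            byte[] pbSalt, int cbSalt, long cIterations, byte[] pbDerivedKey, int cbDerivedKey, int dwFlags);

        public sealed class SafeAlgHandle : SafeHandleZeroOrMinusOneIsInvalid
        {
            public SafeAlgHandle() : base(true) { }
            protected override bool ReleaseHandle() { return BCryptCloseAlgorithmProvider(handle, 0) == 0; }
        }
    }
}
```

Typical use: `string record = PasswordStore.Hash(pw);` at registration, then at login `bool rehash; if (PasswordStore.Verify(pw, record, out rehash)) { if (rehash) record = PasswordStore.Hash(pw); }` and persist the new record. Before relying on the CNG path, check DeriveSha256 once against the PBKDF2-HMAC-SHA-256 known-answer vectors in RFC 7914 section 11, so that a wrong flag or algorithm identifier shows up as a test failure rather than as a silently different hash in production.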
