
Using RijndaelManaged

I need to store some password on a text file. I was trying to use
some kind of encryption to encrypt the password from plain text. I
found the code below off the web, which works great.

But the problem is, I need to specify both the "password" (which is an
encryption key I assume) and the salt. What will be the best way to
generate and store them? Right now I just hard code the key and salt,
but I am concerned about the security.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Encrypts a string and returns the ciphertext as Base64.
public static String Encrypt(String data, String password)
{
    if (data == null)
        throw new ArgumentNullException("data");
    if (password == null)
        throw new ArgumentNullException("password");
    byte[] encBytes =
        EncryptData(Encoding.UTF8.GetBytes(data), password,
                    PaddingMode.ISO10126);
    return Convert.ToBase64String(encBytes);
}

public static byte[] EncryptData(byte[] data, String password,
                                 PaddingMode paddingMode)
{
    if (data == null || data.Length == 0)
        throw new ArgumentNullException("data");
    if (password == null)
        throw new ArgumentNullException("password");
    // Key material is derived from the password and the hard-coded salt "Salt".
    PasswordDeriveBytes pdb = new
        PasswordDeriveBytes(password, Encoding.UTF8.GetBytes("Salt"));
    RijndaelManaged rm = new RijndaelManaged();
    rm.Padding = paddingMode;
    // First 16 derived bytes are used as the key, the next 16 as the IV.
    ICryptoTransform encryptor =
        rm.CreateEncryptor(pdb.GetBytes(16), pdb.GetBytes(16));
    using (MemoryStream msEncrypt = new MemoryStream())
    using (CryptoStream encStream = new
        CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
    {
        encStream.Write(data, 0, data.Length);
        encStream.FlushFinalBlock();
        return msEncrypt.ToArray();
    }
}

May 14 '07 #1
3 Replies


On 14 May 2007 12:27:48 -0700, melon <el*****@gmail.com> wrote:
> I need to store some password on a text file.
Not a good idea if you can possibly avoid it. If the password is for
your own application then you may only need to store a hash of the
password, rather than the password itself. If the password is for
entry into another application then you do have to store it.
> I was trying to use some kind of encryption to encrypt the password
> from plain text. I found the code below off the web, which works great.
>
> But the problem is, I need to specify both the "password" (which is an
> encryption key I assume) and the salt.
If you are encrypting something then you will need a key to encrypt
and decrypt it - that is indeed what "password" is. Salt is just a
random string, though at first glance it looks more like an
Initialisation Vector (IV) than salt.

http://en.wikipedia.org/wiki/Initialization_vector

http://en.wikipedia.org/wiki/Salt_(cryptography)
> What will be the best way to
> generate and store them? Right now I just hard code the key and salt,
> but I am concerned about the security.
As you have noticed, there is an infinite regress of keys to decrypt
keys to decrypt keys... One solution is System.Security.SecureString.
It is not perfect, but it does store your password in encrypted form
without getting into an infinite regress. The major issue is getting
your password back out again if you need it, you have to use something
like Marshal.SecureStringToBSTR and unmanaged memory to extract the
password.

rossum
May 15 '07 #2

melon wrote:
> I need to store some password on a text file. I was trying to use
> some kind of encryption to encrypt the password from plain text. I
> found the code below off the web, which works great.
>
> But the problem is, I need to specify both the "password" (which is an
> encryption key I assume) and the salt. What will be the best way to
> generate and store them? Right now I just hard code the key and salt,
> but I am concerned about the security.
I think you can live with the fixed salt. The core problem is
the password.

The .NET EXE can be decompiled and a hardcoded password be
revealed in 10 seconds.

The simplest solution is to have the user enter the password.

Arne
May 19 '07 #3

rossum wrote:
> Salt is just a
> random string, though at first glance it looks more like an
> Initialisation Vector (IV) than salt.
>> PasswordDeriveBytes pdb = new
>> PasswordDeriveBytes(password, Encoding.UTF8.GetBytes("Salt"));
>> ICryptoTransform encryptor =
>> rm.CreateEncryptor(pdb.GetBytes(16), pdb.GetBytes(16));
No.

bytes = f(password, salt)
key = bytes
iv = bytes

Arne

May 19 '07 #4
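
The derivation sketched in the last reply (bytes = f(password, salt)), combined with the earlier suggestion to have the user enter the password, as an added example that is not code from the thread: nothing is hard-coded, and a random salt and IV are stored in front of the ciphertext. The class name, blob layout, iteration count and the use of Rfc2898DeriveBytes (PBKDF2) in place of PasswordDeriveBytes are assumptions; the four-argument constructor needs .NET Framework 4.7.2+ or .NET Core 2.0+.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper, added for illustration; names and parameters are assumptions.
public static class PasswordFileCrypto
{
    const int SaltLen = 16, IvLen = 16, KeyLen = 32, Iterations = 100000;
    // Returns Base64(salt || iv || ciphertext). Salt and IV are not secret.
    public static string Encrypt(string data, string userPassword)
    {
        byte[] salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(userPassword, salt, Iterations, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())                 // AES, CBC mode, PKCS7 padding by default
        {
            aes.Key = kdf.GetBytes(KeyLen);            // key = f(password, salt)
            aes.GenerateIV();                          // fresh random IV per message
            byte[] plain = Encoding.UTF8.GetBytes(data);
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] blob = new byte[SaltLen + IvLen + ct.Length];
            Buffer.BlockCopy(salt, 0, blob, 0, SaltLen);
            Buffer.BlockCopy(aes.IV, 0, blob, SaltLen, IvLen);
            Buffer.BlockCopy(ct, 0, blob, SaltLen + IvLen, ct.Length);
            return Convert.ToBase64String(blob);
        }
    }
    // Reads salt and IV back from the blob and re-derives the key from the typed password.
    public static string Decrypt(string encoded, string userPassword)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < SaltLen + IvLen + 16) throw new CryptographicException("blob too short");
        byte[] salt = new byte[SaltLen], iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltLen);
        Buffer.BlockCopy(blob, SaltLen, iv, 0, IvLen);
        using (var kdf = new Rfc2898DeriveBytes(userPassword, salt, Iterations, HashAlgorithmName.SHA256))
        using (var aes = Aes.Create())
        {
            aes.Key = kdf.GetBytes(KeyLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, SaltLen + IvLen, blob.Length - SaltLen - IvLen));
        }
    }
}
```

Encrypting the same text twice with the same password gives two different blobs, and `Decrypt(Encrypt(text, pw), pw)` returns `text`. CBC on its own does not detect tampering with the stored blob; an authenticated mode or a MAC over the blob would add that.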
