pbkdf2

I've a function GetPassword , that returns a SecureString type. When I pass this secure string to Rfc2898DeriveBytes to generate a key, Visual Studio shows an error. My limited knowledge tells me that it is because Rfc2898DeriveBytes accepts only a string and not a secure string. Is there a workaround to this? //read the password from terminal Console.Write("Insert password"); securePwd = myCryptography.GetPassword(); //dont know why the salt is initialized like this byte[] salt = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xF1, 0xF0, 0xEE, 0x21, 0x22, 0x45 }; try { //PBKDF2

As there have been significant advances in the cryptoanalysis of SHA1 it's supposed to be phased out in favor of SHA2 ( wikipedia ). For use as underlying hash function in PBKDF2, however, it's basically used as a PRNG. As such it should be still secure to use SHA1 as hash for PBKDF2, right? None of the currently known weaknesses on SHA-1 has any impact on its security when used in HMAC, a fortiori when used in PBKDF2. For that matter, MD5 would be fine too (but not MD4). However, SHA-1 is not good for public relations: if, in 2011, you use SHA-1, then you must prepare yourself to have to

After the linkedin password hash leak, I've been looking at our password hashing. We using Django 1.4 which uses PBKDF2, which is great and a step up from the previous SHA1. However I'm curious how easily one could brute force that. I'm looking at our password complexity rules, and am wondering how fast it'd take to do (say) 8 length lower case ascii letters. This guide to cracking the LinkedIn password hash, has someone doing 430 million sha1 hashes per second on a GPU. http://erratasec.blogspot.ie/2012/06/linkedin-vs-password-cracking.html What kinda speeds would you get for PBKDF2? Does

I'm using PBKDF2 , but this applies equally to BCrypt. Hashing a password with a reasonable number of iterations can easily block for 0.5 seconds. What is a lightweight way to take this out of process? I'm reluctant to setup something like Celery or Gearman just for this operation. You could use a thread. This will not block tornado. Say that you have a handler that hashes passwords. Then the two relevant methods might look like this: import threading def on_message(self, message): # pull out user and password from message somehow thread = threading.Thread(target=self.hash_password, args=(user

I want to utilize the PBKDF2 algorithm with SHA1 HMAC (based on this answer). How can I utilize this through the crypto library? I started by looking at man openssl , but the openssl passwd command ( man page ) only supports a small handful of algorithms. Looking at the crypto documentation, the evp module has an EVP_BytesToKey method. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible implementation. However, new applications should not typically use this (preferring, for example, PBKDF2 from PCKS#5). Which brings me back to my original question, how do I utilize

I'm trying to understand some C#-code, I have been handed, which deals with cryptography, and specifically uses PasswordDeriveBytes from System.Security.Cryptography . In the .NET docs , it says that PasswordDeriveBytes uses "an extension of the PBKDF1 algorithm" which is later in the document specified as "the PKCS#5 v2.0 standard", which is PBKDF2 (as far as I can tell). Everywhere on the net I've found (including here on Stack Exchange), though, everyone says "use Rfc2898DeriveBytes, cause Password* is deprecated and uses PBKDF1". But the only difference in the docs at msdn.microsoft.com