rijndaelmanaged

I have 2 websites: one written in classic asp and another written in ASP.NET (1.1 framework). Both applications use a login mechanism to validate user credentials based on a shared database table. Up to now passwords are stored in a 1-way MD5 hash, meaning people must be given a new generated password if they lose the old one. I now want to change this and make the passwords decryptable. I found this Rijndael code to use with classic asp: http://www.frez.co.uk/freecode.htm#rijndael But I cannot find the same solution for ASP.NET. I tried this, but it gives me different encryption and

I am using the AES methods here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx I want to have a string value that I will convert to byte array and pass it to the AES encrypt method. How many characters should the string be to produce the correct byte array size that the method expects? static byte[] encryptStringToBytes_AES(string plainText, byte[] Key, byte[] IV) { // Check arguments. if (plainText == null || plainText.Length <= 0) throw new ArgumentNullException("plainText"); if (Key == null || Key.Length <= 0) throw new ArgumentNullException("Key"

I want to implement the most secure, and most reliable form of symmetric key cryptography in my application. The user should input a password to encrypt/decrypt, and that's all. For RijndaelManaged, one must enter a key and an IV. I'm not sure how to address the situation. Right now, I have the entered password being hashed by SHA256 and then being used as the key for the Rijndael. What do I use for the IV? Another password? You can use GenerateIV (overridden in RijndaelManaged ) to generate the IV. You can then transmit the IV along with the cyphertext. You can think of an IV as acting a bit

I'm using Rijndael to encrypt some sensitive data in my program. When the user enters an incorrect password, most of the time a CryptographicException is thrown with the message "Padding is invalid and cannot be removed.". However, with very small probability, the CryptStream does not throw an exception with the wrong password, but instead gives back an incorrectly decrypted stream. In other words, it decrypts to garbage. Any idea how to detect/prevent this? The simplest way I can think of would be to put a "magic number" at the start of the message when encrypting, and check if it's still