Re: Choosing encryption method?

From: Michel Gallant (neutron_at_istar.ca)
Date: 04/26/04 

Date: Mon, 26 Apr 2004 16:31:03 -0400

You are manually trying to do what password-derived symmetric
encryption already does (derives a symmetric key from hash of pswd etc..).
See comments here:
  http://www.jensign.com/JavaScience/dotnet/SimCryptNET
and details of adding extra entropy to weak passwords here:
  http://www.jensign.com/JavaScience/dotnet/SimCryptNET/indexdetails.html

- Mitch Gallant
   MVP Security

"Ayende Rahien" <Ayende@nospam.com> wrote in message news:%23slvMN8KEHA.2012@TK2MSFTNGP11.phx.gbl...
> I want to secure sensitive data (bank & money) using
> System.Security.Cryptography, my problem is what strategy to take?
>
> The requirements (in order of importance):
> 0> Has to work on Win9x (so CryptoAPI is probably out)
> 1> Has to survive client's reinstalls - moving to another computer, etc.
> 2> As secure as possible.
> 3> Datasets of a few MB.
> 4> Require resounable performance.
> 5> Data is usually text (XML data)
>
>
> At first I thought about using RjindaelManaged with a user-generated
> password.
> The way I'm doing it is SHA386 the password, grab the first 256 bits for
> key and the rest for IV, and the encrypting it.
> The question is how secure it is? I understand that using a password
> choosen by the user (and it'll have to be this) weaken the bit-range of
> the encryption, but does SHAing the password helps?
>
> I suppose I could generate a random key and use asymmertric encryption,
> but then I face the same problem, how do I survive a reinstall/moving to
> another computer?
>
> Any other suggestions would be appriciated.
>
> Thanks in advance,
> Ayende Rahien

Relevant Pages

  • Re: Unbreakable Encryption ? Scenarios - What encryption method would be best?
    ... DES is a well-known algorithm so there are good reasons to have a good ... > risk it by storing one of the best possible passwords (or encryption ... > Ok lets say there will be a secure channel but it will happen only ... > because the decrypting method yielded a plain text message and vice ...
    (sci.crypt)
  • Re: [fw-wiz] Re: Firewalls breaking stuff: [Was re: fwtk]
    ... > access to the mail server's private keys and thus the monitor can follow the ... > in a way that's more secure rather than less secure. ... for service level encryption versus VPN access. ... >> reducing bugs reduces the number of sever bugs. ...
    (Firewall-Wizards)
  • Re: Best secure surfing solution
    ... I have set up a service with companies providing secure web ... the product would have to install a keylogger. ... If we caught anyone in> IS or elsewhere in our company sniffing our communications, even if they> were encrypted, they'd get laid off or, at least, suspended. ... If e-mails are sensitive then> the sender should be using encryption. ...
    (sci.crypt)
  • Re: Best secure surfing solution
    ... I have set up a service with companies providing secure web ... the product would have to install a keylogger. ... If we caught anyone in> IS or elsewhere in our company sniffing our communications, even if they> were encrypted, they'd get laid off or, at least, suspended. ... If e-mails are sensitive then> the sender should be using encryption. ...
    (alt.computer.security)
  • Re: Symmetric encryption algorithm with group like properties
    ... >> Solutions that exist today are not as secure as they can be. ... I wouldn't expect more than PGP / GPG type encryption, ... > versions - with the key, protected by RSA encryption under a RSA public key ... > Alice needs a secure decryption mechanism to read her emails, ...
    (sci.crypt)