Re: Choosing encryption method?
From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 04/26/04
- Next message: Dave Taylor: "Security in a Windows app"
- Previous message: Michel Gallant: "Re: Choosing encryption method?"
- In reply to: Michel Gallant: "Re: Choosing encryption method?"
Date: Mon, 26 Apr 2004 21:20:26 GMT
I've also just written a blog entry about generating a key from a password using some .NET classes:
http://blogs.msdn.com/shawnfa/archive/2004/04/14/113514.aspx
-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>From: "Michel Gallant" <neutron@istar.ca>
>Subject: Re: Choosing encryption method?
>Date: Mon, 26 Apr 2004 16:31:03 -0400
>Newsgroups: microsoft.public.dotnet.security
>
>You are manually trying to do what password-derived symmetric
>encryption already does (derives a symmetric key from hash of pswd etc.).
>See comments here:
> http://www.jensign.com/JavaScience/dotnet/SimCryptNET
>and details of adding extra entropy to weak passwords here:
> http://www.jensign.com/JavaScience/dotnet/SimCryptNET/indexdetails.html
>
>- Mitch Gallant
> MVP Security
>
>"Ayende Rahien" <Ayende@nospam.com> wrote in message news:%23slvMN8KEHA.2012@TK2MSFTNGP11.phx.gbl...
>> I want to secure sensitive data (bank & money) using
>> System.Security.Cryptography, my problem is what strategy to take?
>>
>> The requirements (in order of importance):
>> 0> Has to work on Win9x (so CryptoAPI is probably out)
>> 1> Has to survive client's reinstalls - moving to another computer, etc.
>> 2> As secure as possible.
>> 3> Datasets of a few MB.
>> 4> Require reasonable performance.
>> 5> Data is usually text (XML data)
>>
>>
>> At first I thought about using RijndaelManaged with a user-generated
>> password.
>> The way I'm doing it is SHA386 the password, grab the first 256 bits for
>> key and the rest for IV, and then encrypting it.
>> The question is how secure it is? I understand that using a password
>> chosen by the user (and it'll have to be this) weakens the bit-range of
>> the encryption, but does SHAing the password help?
>>
>> I suppose I could generate a random key and use asymmetric encryption,
>> but then I face the same problem, how do I survive a reinstall/moving to
>> another computer?
>>
>> Any other suggestions would be appreciated.
>>
>> Thanks in advance,
>> Ayende Rahien
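A password-based scheme of the kind discussed in this thread, as an added example that is not code from any poster or from the linked pages: instead of splitting one hash of the password into key and IV, it derives the key with salted PBKDF2 and uses a random nonce, storing both with the ciphertext so the data can be decrypted after a reinstall or a move to another computer. It assumes .NET 8 or later; `PasswordBox`, the blob layout, the iteration count and the sample values are assumptions made for illustration.

```csharp
// Added example, not code from the thread. Assumes .NET 8 or later.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PasswordBox // hypothetical helper name
{
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, KeyLen = 32;
    const int Iterations = 600_000; // assumed PBKDF2 work factor; tune for your hardware

    static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyLen);

    // Blob layout (assumed): salt | nonce | tag | ciphertext. Only the password is
    // secret, so the blob can be copied to another machine and still be decrypted.
    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);   // fresh for every blob
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // random, not taken from a password hash
        byte[] tag = new byte[TagLen], ct = new byte[plaintext.Length];
        using var gcm = new AesGcm(DeriveKey(password, salt), TagLen);
        gcm.Encrypt(nonce, plaintext, ct, tag);
        return salt.Concat(nonce).Concat(tag).Concat(ct).ToArray();
    }

    // Throws CryptographicException on a wrong password or a modified blob.
    public static byte[] Decrypt(string password, byte[] blob)
    {
        if (blob.Length < SaltLen + NonceLen + TagLen)
            throw new CryptographicException("Blob is too short.");
        byte[] salt = blob[..SaltLen];
        byte[] nonce = blob[SaltLen..(SaltLen + NonceLen)];
        byte[] tag = blob[(SaltLen + NonceLen)..(SaltLen + NonceLen + TagLen)];
        byte[] ct = blob[(SaltLen + NonceLen + TagLen)..];
        byte[] plaintext = new byte[ct.Length];
        using var gcm = new AesGcm(DeriveKey(password, salt), TagLen);
        gcm.Decrypt(nonce, ct, tag, plaintext);
        return plaintext;
    }

    static void Main()
    {
        // Constructed sample data and password.
        byte[] xml = Encoding.UTF8.GetBytes("<account id=\"1\"><balance>100</balance></account>");
        byte[] a = Encrypt("correct horse", xml), b = Encrypt("correct horse", xml);
        Console.WriteLine(a.SequenceEqual(b)); // same password and data, different salt and nonce
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt("correct horse", a)));
        try { Decrypt("wrong password", a); }
        catch (CryptographicException) { Console.WriteLine("rejected"); }
    }
}
```

Because the salt and nonce are random per blob, two encryptions under the same password never share a key and nonce pair, and the GCM tag makes a wrong password or tampered data fail loudly instead of yielding garbage.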