
I can't find a way of specifying the hashing algorithm used by the PBKDF2 (the Rfc2898DeriveBytes class) implementation in C# System.Security.Cryptography.

It seems to be just SHA1. Am I missing something? I was hoping to use PBKDF2-SHA256.

Barn Monkey
Foo Party
  • Why do you prefer PBKDF2-SHA256? The technical benefits are rather small, even PBKDF2-MD5 isn't broken yet. The main benefit I see is PR. – CodesInChaos Sep 06 '12 at 14:31
  • How is PBKDF2-MD5 not considered broken? That's insanity. – Foo Party Sep 06 '12 at 15:21
  • Why do you consider it broken? I wouldn't recommend using it, but I'm not aware of any faster than brute-force attack on it. MD5's pre-image resistance is still pretty strong, certainly much stronger than almost all passwords. – CodesInChaos Sep 06 '12 at 15:37
  • MD5 is considered insecure due to collision attacks and extension attacks. – Foo Party Sep 06 '12 at 15:47
  • Extension attacks apply equally to SHA-2. But neither length extensions, nor collisions are relevant to password hashing. For password hashing only first pre-images are relevant, and MD5 is still quite strong in that regard. There is no practical attack faster than simply guessing the password against PBKDF2-MD5. – CodesInChaos Sep 06 '12 at 15:51
  • You may be correct that the known issues with MD5 don't currently apply to password hashes (although it's close enough to be considered a broken algorithm), but the point of the hash is to make it computationally expensive to brute, and MD5 is computationally cheap. – Foo Party Sep 06 '12 at 16:23
  • @FooParty SHA1 and SHA2 are about as cheap. It's the PBKDF2 part that makes it computationally expensive. You need a preimage-resistant hash in PBKDF2, and MD5 is ok for that. – Gilles 'SO- stop being evil' Sep 06 '12 at 16:36
  • @FooParty That's why PBKDF2 takes a work factor. If you tune this parameter so that hashing on the legitimate system takes equally long for PBKDF2-MD5 and PBKDF2-SHA-256, then MD5 being cheap isn't very relevant anymore. There are much bigger gains by switching to scrypt or bcrypt which reduce the advantage of specialized hardware over the legitimate system. – CodesInChaos Sep 06 '12 at 16:36
  • I guess I'm missing some bit of information on what makes PBKDF2 special other than being FIPS certified. – Foo Party Sep 06 '12 at 17:41
  • @FooParty PBKDF2 isn't the only secure way to hash a password using standard functions (SHA1, MD5, etc.). What's important is that **it's reasonably secure at all** -- which is more than you can say about most methods people come up with. – Brendan Long Sep 21 '12 at 21:24

1 Answer


Have a look at this blog post: the author has apparently observed the same lack of SHA-256 support in the Rfc2898DeriveBytes class of .NET, and set out to write his own code. (I have not looked at that code and cannot vouch for its quality.)

Otherwise, it would not be too hard to reimplement PBKDF2 with HMAC/SHA-256, following the description of RFC 2898, section 5.2. .NET includes an implementation of HMAC/SHA-256.
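What reimplementing RFC 2898 section 5.2 on top of the framework's HMAC classes looks like, as an added example (this is not code from the question, the answer, or the blog post the answer links to). The routine takes the PRF as a parameter so the same loop can be checked byte for byte against the built-in SHA-1-only `Rfc2898DeriveBytes` and then run with `HMACSHA256`. The class name `Pbkdf2` and the method names `Derive`, `DeriveSha256` and `FixedTimeEquals` are the example's own choices; the password, salt size and iteration count are constructed sample input.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// PBKDF2 as specified in RFC 2898 section 5.2, with the PRF supplied by the caller.
// Example code, not part of the question, the answer or the linked blog post.
public static class Pbkdf2
{
    // DK = T_1 || T_2 || ... || T_l, truncated to dkLen bytes
    public static byte[] Derive(HMAC prf, byte[] salt, int iterations, int dkLen)
    {
        if (iterations < 1) throw new ArgumentOutOfRangeException("iterations");
        if (dkLen < 1) throw new ArgumentOutOfRangeException("dkLen");
        int hLen = prf.HashSize / 8;              // PRF output length in bytes
        int l = (dkLen + hLen - 1) / hLen;        // number of blocks: ceil(dkLen / hLen)
        byte[] dk = new byte[dkLen];
        byte[] saltAndIndex = new byte[salt.Length + 4];   // S || INT(i)
        Buffer.BlockCopy(salt, 0, saltAndIndex, 0, salt.Length);
        int offset = 0;
        for (int i = 1; i <= l; i++)
        {
            // INT(i) is the block index as a 4-byte big-endian integer
            saltAndIndex[salt.Length]     = (byte)(i >> 24);
            saltAndIndex[salt.Length + 1] = (byte)(i >> 16);
            saltAndIndex[salt.Length + 2] = (byte)(i >> 8);
            saltAndIndex[salt.Length + 3] = (byte)i;
            byte[] u = prf.ComputeHash(saltAndIndex);   // U_1 = PRF(P, S || INT(i))
            byte[] t = (byte[])u.Clone();               // T_i = U_1 xor U_2 xor ... xor U_c
            for (int j = 1; j < iterations; j++)
            {
                u = prf.ComputeHash(u);                 // U_j = PRF(P, U_{j-1})
                for (int k = 0; k < hLen; k++) t[k] ^= u[k];
            }
            int take = Math.Min(hLen, dkLen - offset);  // the last block may be partial
            Buffer.BlockCopy(t, 0, dk, offset, take);
            offset += take;
        }
        return dk;
    }

    // PBKDF2-HMAC-SHA256 with the password UTF-8 encoded, the same encoding
    // Rfc2898DeriveBytes applies for its SHA-1 variant.
    public static byte[] DeriveSha256(string password, byte[] salt, int iterations, int dkLen)
    {
        using (var prf = new HMACSHA256(Encoding.UTF8.GetBytes(password)))
            return Derive(prf, salt, iterations, dkLen);
    }

    // Compare two derived keys without exiting early on the first differing byte.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string password = "correct horse battery staple";   // constructed sample input
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);       // fresh random salt per password
        int iterations = 10000;

        // Self-check: with HMACSHA1 the loop must agree byte for byte with the
        // framework's own Rfc2898DeriveBytes, which is SHA-1 only.
        byte[] reference = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(20);
        byte[] ours;
        using (var sha1 = new HMACSHA1(Encoding.UTF8.GetBytes(password)))
            ours = Derive(sha1, salt, iterations, 20);
        Console.WriteLine("SHA-1 self-check against Rfc2898DeriveBytes: " +
                          (FixedTimeEquals(reference, ours) ? "match" : "MISMATCH"));

        // What the question asked for: a 32-byte PBKDF2-HMAC-SHA256 key.
        byte[] dk = DeriveSha256(password, salt, iterations, 32);
        Console.WriteLine("PBKDF2-HMAC-SHA256: " + BitConverter.ToString(dk).Replace("-", ""));

        // Verifying a password later: re-derive with the stored salt and iteration count,
        // then compare in fixed time against the stored key.
        byte[] again = DeriveSha256(password, salt, iterations, 32);
        Console.WriteLine("Verification: " + (FixedTimeEquals(dk, again) ? "ok" : "fail"));
    }
}
```

The salt and iteration count have to be stored next to the derived key so that verification can recompute it; only the comparison at the end needs the constant-time helper, since the derived keys are what an attacker would try to match.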

Tom Leek