I am using C# RijndaelManaged class for AES encryption. The key and IV are generated from input password and salt using Rfc2898DeriveBytes class. My question is, how difficult would it be to break encryption if someone obtained input password but not the salt?
- The salt is not normally considered secret information; often it is stored in the same row of a table with an encrypted blob or in the clear as part of the header of an encrypted file. I don't know if proper cryptanalysis has been done on [RFC-2898](http://www.ietf.org/rfc/rfc2898.txt) for your described situation because it is not designed to be used that way. Also, why are you generating the IV? Let the Rijndael class generate the IV and store it in the header information with the salt (the IV is not considered secret either, only the key). – Scott Chamberlain May 26 '14 at 22:46
- Also, just because you are using Rijndael [does not mean you are using AES](http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and-aes.aspx). If you are sending this data to another program you did not write to be decrypted and it is expecting real AES, you may have problems if you use the wrong block size. Also, if you are using a newer version of .NET you may get better performance out of [`AesCryptoServiceProvider`](http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider%28v=vs.110%29.aspx). – Scott Chamberlain May 26 '14 at 22:55
- @ScottChamberlain This kind of scheme is used sometimes. It's considered rather safe, as long as there is a random salt included as well. The IV is best random, but if a new salt is used for each encryption, then the IV may even be set to all zeros as the derived key will change for each encryption. – Maarten Bodewes May 27 '14 at 00:25
1 Answer
It would be close to impossible to retrieve the key and IV. Actually, sometimes a static, secret salt stored in source code is used in addition to the public random salt. In that way an attacker is required to get the source or runtime code in addition to the database with the salts and password hashes.
This kind of scheme does require a large enough (secret) salt, say 128 bytes. It would be best to use concatenation to create the combined public and secret salt.
Of course, it is always possible to mess up the encryption otherwise, e.g. by being vulnerable to padding oracle attacks, forgetting an authentication tag (HMAC) in addition to encryption, etc. etc. etc.

Maarten Bodewes
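A sketch of the scheme discussed in the answer and comments above, added here as an illustration and not code from the question or the answer: PBKDF2 over the password with the public random salt concatenated with a secret salt, a random IV stored in the header, and an HMAC checked before decryption. It assumes .NET 6 or later and uses `Aes` rather than `RijndaelManaged`; the class name `PepperedAes`, the iteration count and the blob layout are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PepperedAes
{
    // Assumption: the secret salt normally lives outside the data store (code, config);
    // it is generated here only so the sample runs stand-alone.
    static readonly byte[] SecretSalt = RandomNumberGenerator.GetBytes(128);
    const int Iterations = 100_000; // assumed work factor

    // PBKDF2 with salt = publicSalt || secretSalt; 64 bytes split into AES key and HMAC key.
    static (byte[] enc, byte[] mac) DeriveKeys(string password, byte[] publicSalt)
    {
        byte[] salt = publicSalt.Concat(SecretSalt).ToArray();
        byte[] okm = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA512, 64);
        return (okm[..32], okm[32..]);
    }

    // Blob layout (assumed): publicSalt(16) || iv(16) || ciphertext || hmac(32)
    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        byte[] publicSalt = RandomNumberGenerator.GetBytes(16);
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        var (enc, mac) = DeriveKeys(password, publicSalt);
        using Aes aes = Aes.Create();
        aes.Key = enc;
        byte[] body = publicSalt.Concat(iv).Concat(aes.EncryptCbc(plaintext, iv)).ToArray();
        return body.Concat(HMACSHA256.HashData(mac, body)).ToArray();
    }

    public static byte[] Decrypt(string password, byte[] blob)
    {
        if (blob.Length < 80) throw new CryptographicException("Blob too short.");
        byte[] body = blob[..^32], tag = blob[^32..];
        var (enc, mac) = DeriveKeys(password, body[..16]);
        // Check the tag in constant time before any padding is processed.
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(mac, body), tag))
            throw new CryptographicException("Authentication failed.");
        using Aes aes = Aes.Create();
        aes.Key = enc;
        return aes.DecryptCbc(body[32..], body[16..32]);
    }

    static void Main()
    {
        byte[] blob = Encrypt("correct horse", Encoding.UTF8.GetBytes("constructed sample"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt("correct horse", blob)));
        blob[40] ^= 1; // constructed tampering: flip one ciphertext bit
        try { Decrypt("correct horse", blob); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the tag covers the salt, IV and ciphertext and is verified first, a modified blob is rejected before the CBC padding is ever examined.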