Maarten Bodewes' comments on this question suggest that AesCryptoServiceProvider.GenerateKey() is unsafe to use for key generation.
We are currently using this method to generate cryptographically secure keys. Looking at the underlying implementation on Reference Source, GenerateKey() calls CryptGenKey in the Win32 API.
I cannot find any resources that suggest CryptGenKey is compromised. Is it safe to use this implementation?