1

Maarten Bodewes' comments on this question, suggest that AesCryptoServiceProvider.GenerateKey() is unsafe to use for key generation.

We are currently using this method to generate cryptographically secure keys. Looking at the underlying implementation on Reference Source, GenerateKey() calls CryptGenKey in the Win32 API.

I cannot find any resources that suggest CryptGenKey is compromised. Is it safe to use this implementation?

Community
  • 1
  • 1
pixelbadger
  • 1,556
  • 9
  • 24

1 Answers1

2

GenerateKey is perfectly safe, however the implementation on the linked question is not.

You can not call Key = System.Text.Encoding.ASCII.GetString(provider.Key); to get a string from a random byte array, GetString can not be used on random binary data it is only to be used on a byte array generaded from calling ASCII.GetBytes. If you want to store the key in string format you need to use a formatting designed to store binary data like Key = Convert.ToBase64String(provider.Key);

Scott Chamberlain
  • 124,994
  • 33
  • 282
  • 431