When the `System.Security.Cryptography.Aes.Create(algorithmName)` method is called, a new key and IV are generated. Are these good enough to use?
0

Old Geezer
1 Answer
3
Those values are safe to use. The whole purpose of frameworks like this one is to make the generation of cryptographically random values easier. `Aes.Create()` is also used in the sample code.

Additionally, the documentation describes `Aes.Create()`:

> Creates a cryptographic object that is used to perform the symmetric algorithm.

This library is maintained by Microsoft; I think it is safe to say their values are "safe" to use.

DoesData
- What I am asking is that `Create` generates a `key` that is random enough to be used. I am planning to use a different key/IV for every message. – Old Geezer Nov 16 '18 at 16:27
- Yes, those values are safe to use. They are cryptographically generated. If they weren't, the entire library would be useless. – DoesData Nov 16 '18 at 16:42
- Yes, Microsoft .NET cryptography is generally secure by default, and can be trusted: you should use it rather than trying to generate values your own way. .NET cryptography is a big step forward from older languages like Java. I'm planning a blog on the evolution of cryptographic APIs that covers exactly this topic. – TheGreatContini Nov 16 '18 at 19:52
- @TheGreatContini That's very opinionated. I think both languages have their advantages and disadvantages. I don't see any reasons for this kind of remark given the topic. – Maarten Bodewes Nov 17 '18 at 23:23
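
The per-message use the asker describes, as an added C# example that is not from the question, the answer, or Microsoft's sample code: each `Aes.Create()` instance supplies its own random key and IV, and the IV travels with the ciphertext. The class name `PerMessageAes`, the `Encrypt`/`Decrypt` helpers and the IV-prefixed message layout are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PerMessageAes   // hypothetical name, for illustration only
{
    // Encrypts with a fresh Aes instance: its Key and IV getters return newly generated random values.
    static void Encrypt(string text, out byte[] key, out byte[] message)
    {
        using (Aes aes = Aes.Create())   // defaults: 256-bit key, CBC mode, PKCS7 padding
        using (ICryptoTransform enc = aes.CreateEncryptor())
        {
            byte[] data = Encoding.UTF8.GetBytes(text);
            byte[] ct = enc.TransformFinalBlock(data, 0, data.Length);
            key = aes.Key;                           // must stay secret
            message = aes.IV.Concat(ct).ToArray();   // IV is not secret; send it with the ciphertext
        }
    }

    // Splits the assumed IV || ciphertext layout and decrypts under the supplied key.
    static string Decrypt(byte[] key, byte[] message)
    {
        using (Aes aes = Aes.Create())
        {
            int ivLen = aes.BlockSize / 8;           // 16 bytes for AES
            aes.Key = key;
            aes.IV = message.Take(ivLen).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(message, ivLen, message.Length - ivLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    static void Main()
    {
        const string text = "constructed sample message";
        Encrypt(text, out byte[] k1, out byte[] m1);
        Encrypt(text, out byte[] k2, out byte[] m2);

        // Same plaintext twice: compare what the two independent instances produced.
        Console.WriteLine("keys equal:        " + k1.SequenceEqual(k2));
        Console.WriteLine("IVs equal:         " + m1.Take(16).SequenceEqual(m2.Take(16)));
        Console.WriteLine("ciphertexts equal: " + m1.SequenceEqual(m2));
        Console.WriteLine("round trip ok:     " + (Decrypt(k1, m1) == text));
    }
}
```

CBC, the default mode here, provides confidentiality only; authenticate the IV and ciphertext (for example with an HMAC under a separate key) before decrypting.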