问题
I want to implement the most secure, and most reliable form of symmetric key cryptography in my application. The user should input a password to encrypt/decrypt, and that's all. For RijndaelManaged, one must enter a key and an IV. I'm not sure how to address the situation. Right now, I have the entered password being hashed by SHA256 and then being used as the key for the Rijndael. What do I use for the IV? Another password?
回答1:
You can use GenerateIV (overridden in RijndaelManaged
) to generate the IV. You can then transmit the IV along with the cyphertext. You can think of an IV as acting a bit like a salt - basically it prevents the same plaintext from being encrypted to the same cyphertext each time. Don't reuse an IV - that makes it pointless. Generate a new one for each message.
回答2:
There is a special function to get a key from a password, I believe it is safer than a Hash. You may want to look up yhe Rfc2898DeriveBytes class. It needs a
Salt
and a Password.It is an accepted practice to add the IV (and the Salt) unencrypted to the message.
If you create an instance of the Rijndaal class, it auto-generates a IV, the sender can just use that.
回答3:
Jon Skeet is correct about the IV, but you also have a problem with the way you are deriving a key.
Just using a single round of SHA256 on the plaintext password is not secure. It leaves the system open to a simple dictionary attack.
There is a class of functions that are designed to take a plaintext password and create a cipher key from them - these are "key derivation functions". You should use one of these - PBKDF2 is a good choice - to generate your key. The Rfc2898DeriveBytes
class implements PBKDF2.
The KDF will require a salt, which is randomly generated each time and included along with the cipher text (just like the IV).
来源:https://stackoverflow.com/questions/2530621/rijndaelmanaged-iv-generation