I need to update some code that is using the PBKDF2 implementation in .Net, Rfc2898DeriveBytes to hash user credentials.
It is my understanding that this function uses SHA-1 under the hood. I need to update the underlying hashing algorithm of the systems password hashing to use SHA-256 (This is a client IT-SEC requirement).
Having done some reading it seems it is best practice to continue to to use a Key derivation function, however PBKDF2 doesn't allow you to dictate the algorithm is should use, which is obviously a problem for me.
Our system is using .NET 4.5.1 and currently is not an option to upgrade that and I am reasonably confident it is not an option to reference any new .NET core .dlls that I've heard contain a new implementation of PBKDF2 that allows you to specify your algorithm.
I want to avoid home made implementations at all cost,s as that's the 1st rule of Crypto-Club right?
Any guidance on what is best practice would be appreciated.
Thanks
I'll tell you what I would do: I would take the source of the newest (not exactly the newest because it uses Span<>... Just a little older :-) ) of Rfc2898DeriveBytes from the corefx github
You'll need the full code of:
plus two methods (GenerateRandom and WriteInt) from
Then you'll have some calls to SR.*something* that you'll have to replace to some messages like "some error", plus a SR.Format that you have to replace with string.Format.
Then you'll have (nearly) the newest version of Rfc2898DeriveBytes that has a constructor that accepts as a parameter HashAlgorithmName.SHA256.
This should be the end result: https://ideone.com/lb2Qya
I had the bad idea of putting the source code in the namespace My.System... bad bad idea... I had to prefix global:: to all the namespaces :-(