Rfc2898DeriveBytes Class
Implements password-based key derivation functionality, PBKDF2, by using a pseudo-random number generator based on HMACSHA1.
Assembly: mscorlib (in mscorlib.dll)
System.Security.Cryptography.DeriveBytes
System.Security.Cryptography.Rfc2898DeriveBytes
| Name | Description | |
|---|---|---|
![]() | Rfc2898DeriveBytes(Byte[], Byte[], Int32) | Initializes a new instance of the Rfc2898DeriveBytes class using a password, a salt, and number of iterations to derive the key. |
![]() | Rfc2898DeriveBytes(String, Byte[]) | Initializes a new instance of the Rfc2898DeriveBytes class using a password and salt to derive the key. |
![]() | Rfc2898DeriveBytes(String, Byte[], Int32) | Initializes a new instance of the Rfc2898DeriveBytes class using a password, a salt, and number of iterations to derive the key. |
![]() | Rfc2898DeriveBytes(String, Int32) | Initializes a new instance of the Rfc2898DeriveBytes class using the password and salt size to derive the key. |
![]() | Rfc2898DeriveBytes(String, Int32, Int32) | Initializes a new instance of the Rfc2898DeriveBytes class using a password, a salt size, and number of iterations to derive the key. |
| Name | Description | |
|---|---|---|
![]() | IterationCount | Gets or sets the number of iterations for the operation. |
![]() | Salt | Gets or sets the key salt value for the operation. |
| Name | Description | |
|---|---|---|
![]() | CryptDeriveKey(String, String, Int32, Byte[]) | Derives a cryptographic key from the Rfc2898DeriveBytes object. |
![]() | Dispose() | When overridden in a derived class, releases all resources used by the current instance of the DeriveBytes class.(Inherited from DeriveBytes.) |
![]() | Dispose(Boolean) | Releases the unmanaged resources used by the Rfc2898DeriveBytes class and optionally releases the managed resources.(Overrides DeriveBytes.Dispose(Boolean).) |
![]() | Equals(Object) | Determines whether the specified object is equal to the current object.(Inherited from Object.) |
![]() | Finalize() | Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection.(Inherited from Object.) |
![]() | GetBytes(Int32) | Returns the pseudo-random key for this object.(Overrides DeriveBytes.GetBytes(Int32).) |
![]() | GetHashCode() | Serves as the default hash function. (Inherited from Object.) |
![]() | GetType() | |
![]() | MemberwiseClone() | |
![]() | Reset() | Resets the state of the operation.(Overrides DeriveBytes.Reset().) |
![]() | ToString() | Returns a string that represents the current object.(Inherited from Object.) |
Rfc2898DeriveBytes takes a password, a salt, and an iteration count, and then generates keys through calls to the GetBytes method.
RFC 2898 includes methods for creating a key and initialization vector (IV) from a password and salt. You can use PBKDF2, a password-based key derivation function, to derive keys using a pseudo-random function that allows keys of virtually unlimited length to be generated. The Rfc2898DeriveBytes class can be used to produce a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count.
For more information about PBKDF2, see RFC 2898, "PKCS #5: Password-Based Cryptography Specification Version 2.0," available on the Request for Comments Web site. See section 5.2, "PBKDF2," for complete details.
Security Note
|
|---|
Never hard-code a password within your source code. Hard-coded passwords can be retrieved from an assembly by using the Ildasm.exe (IL Disassembler), by using a hexadecimal editor, or by simply opening up the assembly in a text editor such as Notepad.exe. |
The following code example uses the Rfc2898DeriveBytes class to create two identical keys for the TripleDES class. It then encrypts and decrypts some data using the keys.
using System; using System.IO; using System.Text; using System.Security.Cryptography; public class rfc2898test { // Generate a key k1 with password pwd1 and salt salt1. // Generate a key k2 with password pwd1 and salt salt1. // Encrypt data1 with key k1 using symmetric encryption, creating edata1. // Decrypt edata1 with key k2 using symmetric decryption, creating data2. // data2 should equal data1. private const string usageText = "Usage: RFC2898 <password>\nYou must specify the password for encryption.\n"; public static void Main(string[] passwordargs) { //If no file name is specified, write usage text. if (passwordargs.Length == 0) { Console.WriteLine(usageText); } else { string pwd1 = passwordargs[0]; // Create a byte array to hold the random value. byte[] salt1 = new byte[8]; using (RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider()) { // Fill the array with a random value. rngCsp.GetBytes(salt1); } //data1 can be a string or contents of a file. string data1 = "Some test data"; //The default iteration count is 1000 so the two methods use the same iteration count. int myIterations = 1000; try { Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(pwd1, salt1, myIterations); Rfc2898DeriveBytes k2 = new Rfc2898DeriveBytes(pwd1, salt1); // Encrypt the data. TripleDES encAlg = TripleDES.Create(); encAlg.Key = k1.GetBytes(16); MemoryStream encryptionStream = new MemoryStream(); CryptoStream encrypt = new CryptoStream(encryptionStream, encAlg.CreateEncryptor(), CryptoStreamMode.Write); byte[] utfD1 = new System.Text.UTF8Encoding(false).GetBytes( data1); encrypt.Write(utfD1, 0, utfD1.Length); encrypt.FlushFinalBlock(); encrypt.Close(); byte[] edata1 = encryptionStream.ToArray(); k1.Reset(); // Try to decrypt, thus showing it can be round-tripped. TripleDES decAlg = TripleDES.Create(); decAlg.Key = k2.GetBytes(16); decAlg.IV = encAlg.IV; MemoryStream decryptionStreamBacking = new MemoryStream(); CryptoStream decrypt = new CryptoStream( decryptionStreamBacking, decAlg.CreateDecryptor(), CryptoStreamMode.Write); decrypt.Write(edata1, 0, edata1.Length); decrypt.Flush(); decrypt.Close(); k2.Reset(); string data2 = new UTF8Encoding(false).GetString( decryptionStreamBacking.ToArray()); if (!data1.Equals(data2)) { Console.WriteLine("Error: The two values are not equal."); } else { Console.WriteLine("The two values are equal."); Console.WriteLine("k1 iterations: {0}", k1.IterationCount); Console.WriteLine("k2 iterations: {0}", k2.IterationCount); } } catch (Exception e) { Console.WriteLine("Error: ", e); } } } }
Available since 2.0
Silverlight
Available since 2.0
Windows Phone Silverlight
Available since 7.0
Any public static ( Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.



