Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

May 15, 2012

Towards more secure password hashing in ASP.NET

A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter). The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The algorithms that are usually recommended are PBKDF2 (Password based key derivation function), bcrypt, or scrypt. So which of these should you choose if you're working with .NET?

I'm a conservative guy. Cryptographic algorithms are very hard to get right, as there's all sorts of things that can go wrong when you implement them. Consequently, I prefer to use whatever is available in the .NET framework. That's because Microsoft have crypto-experts on staff, and they've also pioneered the SDL which means you should expect high quality implementations of their (security critical) software. So it's really a trust thing. At the time of writing, PBKDF2 is the only algorithm of the three mentioned that's readily available in the framework. You probably see where this is leading: bcrypt and scrypt are disqualified in my book. When it comes to cryptographic functions, stick with the framework! PBKDF2 is the best alternative for now.

Following the discussion on Twitter, @skradel shared a library where he had wrapped the built-in PBKDF2 as a HashAlgorithm. That way, PBKDF2 (through his wrapper) could easily be used by other parts of the framework, such as the SqlMembershipProvider. It really was an elegant solution. He blogged about it in: Strong Password Hashing for ASP.NET, you should check it out (@thorsheim was so delighted that he had to blog about it too :).

When you're dealing with PBKDF2, you'll see that it takes a couple of parameters. @skradel's already chosen some reasonable defaults in his implementation so it's all hidden and taken care of there. But if you were to implement this yourself and explain to someone how you chose those parameters, what then?

I couldn't find much guidance on the Internet so I started digging into the PBKDF2 standard to find out more.

PBKDF2 parameters
The PBKDF2 is backed by H-MAC-SHA-1 which is a keyed hash function (see HMAC). The supplied password is used as the key, while the salt is used as the input text, concatenated with a block identifier. The whole idea behind PBKDF2 is to introduce a drastic increase in the workload for a password cracker. In the default setup, H-MAC-SHA-1 is run a 1 000 times to generate the output for a password. This is a negligible workload when you're checking that a user entered the correct password. However, for an attacker running an offline attack with a password cracker that needs to try millions of passwords the extra workload really adds up and slows down the attack significantly.

Next, there are a couple of things to take into consideration when implementing PBKDF2 password.
  • It requires a salt that's at least 64 bit (8 bytes)
  • You can select a number of iterations (1 000 is the default)
  • You must choose how many bytes to output
  • You need to be sure you encode your passwords correctly (remember how not to hash?)
So, how long should the salt be? I have found almost no guidance on the length of the salt, except for a note on the Rainbow table article on Wikipedia. Considering that the salt's only job is to introduce uniqueness to the calculation and that it's not a secret, I cannot see why a 64-bit salt should not get the job done. Do note that the SqlMembershipProvider uses 128-bit salts, and that's also what's used in bcrypt. So you might just do like the big boys do and go with a 128-bit salt. What's more important is how you generate a salt. You should use a cryptographic RNG for that. I've included an example at the very end of the code samples that does exactly that.

You'll also need to decide on how many iterations to use for the calculation — and now we're getting to the core of the issue. The number of iterations dictate the workload, which is the whole point of using PBKDF2 to begin with. So the recommended setting is: "as high as possible." To maximize this you'll have to test how many iterations you can run before it would become a noticeable delay for the user and hence start to effect the user experience negatively. This of course depends on the hardware you're running so you'll probably need to do some benchmarking here.

Then there's how many bytes to output. The standard gives us some useful hints here:
Thus, even if a long derived key consisting of several pseudorandom function outputs is produced from a key, the effective search space for the derived key will be at most 160 bits. Although the specific limitation for other key sizes depends on details of the HMAC construction, one should assume, to be conservative, that the effective search space is limited to 160 bits for other key sizes as well.
There it is. You'd want the largest effective key space, nothing more, nothing less. That means that you should generate 160-bit (20 bytes) of output. Remember that the security is still bound by the randomness of the passwords used. Password entropy is often used as a term to describe the complexity involved in guessing a password. Have a look at that last link, and you'll see that to have the "guessability" of the passwords match the limits to PBKDF2's output (i.e. 160-bit password entropy), users would have to choose truly random passwords that where 27 characters long, assuming you accepted alphanumeric case sensitive passwords (a-z,A-Z,0-9). As you probably know, users tend to select passwords that are not very random and that are much shorter. So rest assured that it's the passwords that will be killing you here, not the security of PBKDF2.

Rounding of, I have to remind you to use a proper character encoding when translating the passwords to bytes that can be input to the PBKDF2 function (see the sample code). If you feel like giving the passwords' ASCII bytes to PBKDF2, go read How not to hash passwords in .NET instead. That's really important.

And remember also, PBKDF2 is NOT a silver bullet. The RFC puts it quite well:
Password-based cryptography is generally limited in the security that it can provide, particularly for methods [...] where off-line password search is possible. While the use of salt and iteration count can increase the complexity of attack [...], it is essential that passwords are selected well, and relevant guidelines [...] should be taken into account. It is also important that passwords be protected well if stored.
So there. That was my advice on how to set up PBKDF2 when used to hash passwords. If you have anything to add to this please leave a comment. I'd appreciate that.

Appendix: A demonstrational PBKDF2 implementation.
To figure out how PBKDF2 actually works, I implemented it. Here's the source code, which maps rather directly to the steps outlined in the RFC. I wrote it for demonstrational purposes, so it's not optimized or anything. So I hope it's understandable.

Disclaimer: DON'T use this PBKDF2 implementation for anything other than demo purposes. As I demonstrated earlier in this post, PBKDF2 is available in the .NET framework, you should use that instead.

using System;
using System.Text;
using System.Security.Cryptography;
using System.IO;

namespace PBKDF2Example
{
    class PBKDF2_demo
    {

        static void Main(string[] args)
        {
            var enc = Encoding.GetEncoding(Encoding.UTF8.CodePage,
                new EncoderExceptionFallback(),
                new DecoderExceptionFallback());
            var password = enc.GetBytes("passwordPASSWORDpassword");
            var salt = enc.GetBytes("saltSALTsaltSALTsaltSALTsaltSALTsalt");
            var iterations = 4096;
            var keylength = 25;

            var result = PBKDF2(password, salt, iterations, keylength);
            Console.WriteLine(BitConverter.ToString(result));
            Console.ReadLine();

        }

        static byte[] PBKDF2(byte[] password,
            byte[] salt,
            int iterations,
            int derivedKeyLength)
        {

            var hashLength = 0;

            using (var hmac = new HMACSHA1())
            {
                hashLength = hmac.HashSize / 8;
            }

            //Our number of blocks
            var length = (int)Math.Ceiling(
                ((decimal)derivedKeyLength) / ((decimal)hashLength));

            var derivedKey = new byte[derivedKeyLength];
            using (var ms = new MemoryStream())
            {
                for (int blockIndex = 1; blockIndex <= length; blockIndex++)
                {
                    var block = CalculateBlock(password, salt,
                        iterations, blockIndex);
                    ms.Write(block, 0, block.Length);
                }
                ms.SetLength(derivedKeyLength);
                return ms.ToArray();
            }

        }

        static byte[] CalculateBlock(byte[] password,
            byte[] salt,
            int iterations,
            int blockIndex)
        {
            var blockBytes = BitConverter.GetBytes(blockIndex);
            if (BitConverter.IsLittleEndian)
                Array.Reverse(blockBytes, 0, blockBytes.Length);

            byte[] u1;
            using (var hmac = new HMACSHA1(password))
            {
                var firstInput = new byte[salt.Length + blockBytes.Length];
                Array.Copy(salt, firstInput, salt.Length);
                Array.Copy(blockBytes, 0, firstInput,
                    salt.Length, blockBytes.Length);
                u1 = hmac.ComputeHash(firstInput);
            }

            byte[] lastvalue = u1;
            byte[] newvalue;
            byte[] result = u1;
            for (int i = 1; i < iterations; i++)
            {
                using (var hmac = new HMACSHA1(password))
                {
                    newvalue = hmac.ComputeHash(lastvalue);
                    for (int j = 0; j < newvalue.Length; j++)
                        result[j] = (byte)(newvalue[j] ^ result[j]);
                    lastvalue = newvalue;
                }
            }
            return result;
        }

        //Returns 128-bit salt
        static byte[] GetNewSalt()
        {
            var salt = new byte[16];
            using (var rng = RNGCryptoServiceProvider.Create())
            {
                rng.GetBytes(salt);
                return salt;
            }

        }

    }
}

69 comments:

  1. 64-bits is fine for a salt value. The point of salts/uniqueness is to prevent an attacker from being able to simultaneously attack several hashes with the same salt. With random 64-bit salt values, there would have to about 5 billion hashes (slightly more than 2^32) on average before two would have the same salt value.

    ReplyDelete
    Replies
    1. Escorts Goa prepare to play a game of seduction with girls during which there are high chances of you winning. We have the superfine call girl services in Goa gettable for your pleasure.

      If you need someone who may need the capacity to you getting amazing delight then it's only our Lucknow call girl service. Here you bought complete dose of adult entertainment and romance within the sort of sexy and strikingly beautiful escort Lucknow.

      Delete
  2. Great article. I just used something similar recently.

    ReplyDelete
  3. Nice, if you would prefer to use HMACSHA256 or HMACSHA512 instead of the HMACSHA1 in the ageing PBKDF2 standard then I recommend taking a look at this open source API:

    https://sourceforge.net/projects/pwdtknet/

    ReplyDelete
  4. I must say, I'm impressed that you still managed to come up with a pretty workable way to incorporate a password out of the PBKDF2 standard; that would be helpful for programmers who still haven't worked out using the newer systems.

    ReplyDelete
  5. View this page to know how to track cell phone without installing spying application.

    ReplyDelete
  6. The factor of salts/forte is to prevent an attacker from being able to concurrently assault numerous hashes with the same salt. The younger development business enterprise primarily based in Master Thesis Writing Service USA, owned and managed through Vicky who has a very good quantity of enjoying in facts technology, control, and other related fields.

    ReplyDelete
  7. This is a really helpful article. It helped me gain more amount of knowledge. I must I have read a lot of articles on this topic but this one caters to my queries in the best way.
    Sql server dba online training

    ReplyDelete
  8. For those seeking Custom Nursing Essay Writing Service that are 100% original we have plagiarism software that the company utilizes to confirm the level of originality even when offering nursing case study writing services.

    ReplyDelete
  9. Just stumbled across your blog and was instantly amazed with all the useful information that is on it. Great post, just what i was looking for and i am looking forward to reading your other posts soon!
    Software testing online training
    Software testing certification training
    Software testing online course
    Software testing training course

    ReplyDelete
  10. just make it bit longer. harder to remember but more secure
    john | easybuilder.pro

    ReplyDelete
  11. ไม่อยากพลาดโอกาศดีๆต้องมาเล่นเกมยิงปลาได้เงินจริงที่นี่เท่านั้น
    https://www.slot1234.com/เกมยิงปลาออนไลน์

    ReplyDelete
  12. My Prepaid Centers is the only site that creates the best and the most useful card activation service which make you benefit from the activation in your card with just one minute challenge.You can easily fill out the basic information about your myprepaidcenter card and as soon you take a look again to the site your card will get activated.

    ReplyDelete
  13. A secure password is very important to us because through this we can secure our data and save from hackers and if we do not manage it, we can lose our data which can be stolen by hackers. So, always use strong password so that we can save our personal content. Coursework writing services.

    ReplyDelete
  14. your blog are really helpful for all testers and beginners.this all provided knowledge are unique than other testing blog. Performance Testing Framework are lovely explain.keep updating,Thanks
    Software Testing Training in Chennai | Software Testing Training in Anna Nagar | Software Testing Training in OMR | Software Testing Training in Porur | Software Testing Training in Tambaram | Software Testing Training in Velachery

    ReplyDelete
  15. By - downloading a new antibodies to any persevering, It helps that individual (Coach Outlet Clearance Sale) body's defense mechanisms deal with the problem since improve their potential for recovery. Since the plasma televisions meant for (Yeezy Boost 350 Cheap) hav 888 isn't likely to originated from electricity contributor, Takeda have the ability to initially build the treatment inside segregated house in just their particular manufacturing unit (Coach Outlet Online) in atlanta, With design output (Michael Kors Outlet Store) of it shouldn't adversely (Ray Ban New Wayfarer Polarized) consequences in order to Takeda its definitely produce several plasma display panels based strategies.Treatment (Cheap Yeezy Shoes Sale) options are perhaps considerable, Daily book marking medicinal (Ray Ban Outlet) drugs that a majority of thousand consequentlys of people (Cheap Yeezys For Sale) who have scarce problematic health problems depend on normal almost, Pointed out medical professional. Chelsea Morabito, Takeda

    ReplyDelete
  16. Thanks for wonderful posting. Getmyoffer capital one

    ReplyDelete
  17. MyPrepaidCenter
    After getting logged in, a user gets other details as well of their debit or credit cards. First, important thing is to create a profile at the myprepaidcenter.com.

    ReplyDelete
  18. iflyswaguide
    Iflyswa is a web portal for ticket booking created by the southwest airline. It’s the easiest way to book a flight or check the flight detail in one place.

    ReplyDelete
  19. getmyoffer
    The Capital One Venture One credit card is among one of the top travel rewards credit cards. They provide unlimited miles, there’s no annual fee, and your miles are excellent for some flights, any airlines, any hotels, & any rental cars with no blackouts. There’s no limit to how many miles you can get and you don’t have to be concerned about the miles expiring.

    ReplyDelete
  20. Password has great importance for our security and it is our duty to generate strong password, so that we can save our data from hackers. Dissertation writing services.

    ReplyDelete
  21. Finally find the info someone asked the other day about Natalie Portman on Idol Worth I was looking for it all over the web and luckily found it!

    ReplyDelete
  22. Microsoft.AspNetCore.Cryptography.KeyDerivation which contains cryptographic key derivation functions. This package is a standalone component and has no dependencies on the rest of the data protection system. It can be used completely independently. The source exists alongside the data protection code base as a convenience.
    URL: https://www.affordablelectricians.com.au/electrician-hawthorn.html

    ReplyDelete
  23. If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. The best way to protect passwords is to employ salted password hashing. This page will explain why it's done the way it is.
    URL: divorceattorneyfederalway.com/

    ReplyDelete
  24. How to Fix printer in error state hp ? Fix HP Printer Error State and HP Printer is in an Error State Mac

    ReplyDelete
  25. ASP.NET is a developer platform made up of tools, programming languages, and libraries for building many types of applications. Many developers use it for making money, and they enjoy a bright future. Dissertation writing service.

    ReplyDelete
  26. But against a higher ts911 bet standard of opposition on Saturday, he looked off the pace.

    ReplyDelete
  27. instead of lose, to TS911 Online potentially overtake them.

    ReplyDelete
  28. If Barcelona beat Levante on เว็บตรงTS911 Tuesday, they will go top. Should Atletico then draw with Real Sociedad on Wednesday,

    ReplyDelete
  29. Hi there i amm kavin, its my first occasion to commenting anywhere,
    when i read this paragraph i thought i could also
    create comment due to this sensible post.

    here's my website :: 오피 (jk)

    ReplyDelete
  30. We base our services on complete customer satisfaction for your family or business profile. Our employees have impeccable mental and physical readiness to continually execute the highest expertise level demonstrating protection to the highest industry standards.private security Our experts have passed very rigorous security and verification clearances.

    ReplyDelete
  31. It's a really cool blog. The information provided is very useful. You have really helped a lot of people who visit the blog and given them useful content.
    Cyber Security Course in Bangalore

    ReplyDelete
  32. Very informative Blog! There is so much information here that can help thank you for sharing.
    Data Science Training in Chandigarh

    ReplyDelete
  33. This comment has been removed by the author.

    ReplyDelete
  34. สมัครPG เพื่อให้เล่นเกมใหม่ๆได้ก่อนใคร ทำรายการได้ง่ายๆผ่านเว็บไซต์ pgslotgames พร้อมให้คุณได้ทำการเล่นมากมาย หลากหลาย ไม่ว่าจะเป็นสล็อตออนไลน์ คาสิโนออนไลน์ อาเขต มากกว่า 300 เกม เล่นได้อย่างเร้าใจ

    ReplyDelete
  35. เพียงเล่นกับเว็บไซต์ของเรา ก็สามารถรับสิทธิพิเศษมากมาย ไม่ว่าจะเป็นโปรโมชั่น สมัครสมาชิก แนะนำเพื่อน ฝากทั้งวัน และคืนยอดเสีย เล่นได้มากมายกว่า 300 เกม ทั้งกราฟฟิกที่น่าสนใจ เสียงสุดตระการตา PG SLOT AUTO เล่นได้ทันทีตลอด 24 ชั่วโมง

    ReplyDelete
  36. mega game เว็ปสล็อตออนไลน์ทำเงินที่มีวิดิโอสล็อตมาเปิดให้บริการทุกท่าน วิดิโอสล็อตทำเงิน โบนัสเงินรางวัลแตกง่าย จ่ายไว ไม่มีเงื่อนไขในการเข้าทำเงินอย่างแน่นอน สามารถเข้าทำเงินได้ตลอด 24 ชั่วโมง.

    ReplyDelete
  37. มันมาแล้ว เกมสล็อตสาธิตใหม่ได้รับการยอมรับจากนักพนันทุกคน ค่ายเกมยักษ์ใหญ่อย่าง PG Slot 168 ซึ่งจะทำให้ได้ ทดลองเล่นสล็อต pgslot168game ให้นักพนันออนไลน์ทุกท่านได้สัมผัสกับเกมสล็อตใหม่พร้อมเกมใหม่มากมายให้เล่นได้ด้วยแบบเต็มอิ่มและมาพร้อมภาพกราฟิกที่แสนจะสวยงาม

    ReplyDelete
  38. mscwin รวมความบันเทิง ไว้ทุกรูปแบบ ที่ pgslot เว็บไซต์สล็อตของพวกเราการพัฒนาระบบนั้นพาไปสู่ความนำสมัยที่เดี๋ยวนี้นั้นท่านไม่สามารถที่จะหาได้จากที่ไหนอีกแล้ว ตรงนี้ mscwin ที่เดียวในโลก

    ReplyDelete
  39. I'm ceaselessly filtering on the web for posts that will help me. An exorbitant measure of is clearly to look into this. I acknowledge you made extraordinary quality things in Functions as well. Keep on working, good job! https://www.bookmarkingtraffic.win/tiktok-advertising-cost

    ReplyDelete
  40. I value the work for sharing and presenting this data on your site for us to profit from this. Much thanks! click to read

    ReplyDelete
  41. This type of article that enlighted me all throughout and thanks for this.This going to be excitement and have fun to read. thank to it. check this out to for further exciting. https://diigo.com/0pvx4f

    ReplyDelete
  42. Histogram Photography offers expert wedding photography services in Chennai, serving Kodambakkam, West Mambalam, Ashok Nagar, T Nagar, KK Nagar, Saidapet, Teynampet, and Alwarpet. They combine contemporary beauty with history to capture timeless love and tradition, producing visual art that captures the warmth and joy of your wedding.

    ReplyDelete
  43. Very informative Blog! Are you looking for the top wedding photographers or wedding photography in Trichy? At Trichydolphinphotography, our wedding photographers are pros at capturing the unique moments that our couples share on their special day.

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts