Security Audit 4.1. Enhanced Persistence encryption salt generation

to be more random based on the password or master password used.
2006-05-02 21:44:13 +00:00
parent 7e3c1a6dcb
commit 6d5251fe02
6 changed files with 1570 additions and 1041 deletions
--- a/c_micasad/lss/Rfc2898DeriveBytes.cs
+++ b/c_micasad/lss/Rfc2898DeriveBytes.cs
@@ -56,7 +56,7 @@ using System;
 using System.Text;
 using System.Security.Cryptography;

-//using Mono.Security.Cryptography;
+using sscs.lss;

 namespace sscs.crypto { 

@@ -103,26 +103,77 @@ namespace sscs.crypto {
 			: this (password, saltSize, defaultIterations)
 		{
 		}
-		
-		public Rfc2898DeriveBytes (string password, int saltSize, int iterations)
+
+        public Rfc2898DeriveBytes(string password, int saltSize, int iterations)        
+            : this (password, saltSize, iterations, false)
+        {
+        }
+
+        public Rfc2898DeriveBytes (string password, int saltSize, int iterations, bool bUseOldMethod)
 		{
 			if (password == null)
 				throw new ArgumentNullException ("password");
 			if (saltSize < 0)
 				throw new ArgumentOutOfRangeException ("invalid salt length");

-			//Salt = KeyBuilder.Key (saltSize);
-			byte[] buffer = new byte[saltSize];
-			Random rand = new Random(password.GetHashCode());
-			rand.NextBytes(buffer);
-			Salt = buffer;			
+            if (bUseOldMethod)
+            {                
+                Salt = GenerateOldSalt(password, saltSize);
+            }
+            else
+            {                
+                Salt = GenerateNewSalt(password, saltSize);
+            }			
 			
 			IterationCount = iterations;
 			_hmac = new HMACSHA1 (Encoding.UTF8.GetBytes (password));
 		}

-		// properties
-		public int IterationCount { 
+        private static byte[] GenerateOldSalt(string password, int saltSize)
+        {            
+            byte[] buffer = new byte[saltSize];
+            Random rand = new Random(password.GetHashCode());
+            rand.NextBytes(buffer);
+            return buffer;
+        }
+
+        private static byte[] GenerateNewSalt(string password, int saltSize)
+        {
+            int j = 0;
+            byte[] buffer = new byte[saltSize]; 
+           
+            // iterate thru each character, creating a new Random, 
+            // getting 2 bytes from each, until our salt buffer is full.
+            for (int i = 0; i < password.Length; i++)
+            {
+                FastRandom ranNum = new FastRandom((password[i].ToString().GetHashCode()) * (j+1));
+            
+                byte[] temp = new byte[2];
+                ranNum.NextBytes(temp);
+
+                for (int k = 0; k < temp.Length; k++)
+                {
+                    buffer[j++] = temp[k];                    
+                    // get out if buffer is full
+                    if (j >= saltSize)
+                    {                        
+                        return buffer;
+                    }                        
+                }   
+                
+                // reset i if at end of password
+                if ((i + 1) == password.Length)
+                {
+                    i = 0;
+                }                
+            }
+
+            return buffer;
+        }
+
+        // properties
+        public int IterationCount
+        { 
 			get { return _iteration; }
 			set {
 				if (value < 1)