How to derive a key for encryption

So it came up today, how to properly derive a key for symmetric encryption. In the past, I’ve always just used System.Security.Cryptography.PasswordDeriveBytes. However, it turns out there is a second class in that namespace called Rfc2898DeriveBytes which also inherits from DeriveBytes. What’s the difference?
I found a great blog post from 2004, but it’s still relavent today, which explains it all:
Generating a key from a password
In short, PasswordDeriveBytes implements RCF 2898 section 5.1 (a.k.a. PBKDF1), and Rfc2898DeriveBytes implements what’s described in section 5.2 (a.k.a. PBKDF2), a more secure way to generate a key, from a given password. Basically, 5.1 is limited by the length of the output from the hashing algorithm, and 5.2 is unbounded and can be an unlimited length.
So basically, unless you need PBKDF1 for compatibility, you should probably use the Rfc2898DeriveBytes implementation!
Posted in Best-practices, Uncategorized
One comment on “How to derive a key for encryption
  1. […] How to derive a key for encryption […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Enter your email address to follow this blog and receive notifications of new posts by email.

Join 9 other followers

%d bloggers like this: