New encryption implementation security audit request

Topics: Developer Forum, Project Management Forum, User Forum
Dec 4, 2012 at 9:12 PM
Edited Dec 13, 2012 at 1:30 PM

Hi, there is a new PasswordFunctions2 class, which implements stronger password handling. It is not finished yet, but you can already check the concept. The goal is to verify whether it really improves all the issues described in the following request: http://terminals.codeplex.com/workitem/32491
We are talking about a really important upgrade.

Is there any security specialist who is able to have a look at the code and give me feedback?

Dec 13, 2012 at 1:33 PM
Edited Dec 13, 2012 at 1:34 PM

I will repeat my question until there is at least one answer. ;-)

Dec 15, 2012 at 5:59 PM
Edited Jan 3, 2013 at 12:51 PM

Thanks very much to user Dughtiram for his security audit.

Results are:

- increase the key length to 32B
- increase the iterations count to 2121 (more than 2000 was recommended)
- use Rfc2898DeriveBytes with a random masterpasswordSalt2 to create the stored master password validation key (instead of a fixed, well-known key; currently a hash is stored).
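
The three audit results above, put together as an added C# example (not part of the original posts and not the Terminals project's PasswordFunctions2 code): a 32-byte validation key derived with Rfc2898DeriveBytes, 2121 iterations and a random per-installation salt, then checked against a candidate password. The class and method names, the 16-byte salt size and the `salt:key` Base64 storage format are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;

// Added example; MasterPasswordCheck and its members are hypothetical names.
public static class MasterPasswordCheck
{
    private const int KeyLength = 32;     // 32 B, per the audit result
    private const int Iterations = 2121;  // iteration count from the audit result
    private const int SaltLength = 16;    // assumption: the thread gives no salt size

    // Returns "salt:key" (Base64) to store in place of a hash built with a fixed key.
    public static string CreateStoredValidationKey(string masterPassword)
    {
        byte[] salt = new byte[SaltLength];   // plays the role of masterpasswordSalt2
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(masterPassword, salt));
    }

    public static bool Verify(string candidate, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[0]); expected = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (salt.Length < 8) return false;    // Rfc2898DeriveBytes rejects salts under 8 bytes
        byte[] actual = Derive(candidate, salt);
        // Compare every byte so the check does not exit early on the first mismatch.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // This constructor runs PBKDF2 with HMAC-SHA1.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(KeyLength);
    }

    public static void Main()
    {
        string stored = CreateStoredValidationKey("constructed-sample-password");
        Console.WriteLine(Verify("constructed-sample-password", stored));
        Console.WriteLine(Verify("wrong-password", stored));
    }
}
```

Because the salt is random, two installations with the same master password store different validation keys, which is what the fixed, well-known key could not provide.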

Jan 15, 2013 at 1:51 PM

Related discussion, which explains the source of the problem:

http://terminals.codeplex.com/discussions/47950