[Mono-bugs] [Bug 80016][Nor] Changed - PasswordDeriveBytes results differ from Microsoft when used in non-PKCS5 compliant mode
bugzilla-daemon at bugzilla.ximian.com
Thu Nov 23 09:21:48 EST 2006
Please do not reply to this email. If you want to comment on the bug, go to the URL shown below and enter your comments there.
Changed by sebastien at ximian.com.
http://bugzilla.ximian.com/show_bug.cgi?id=80016
--- shadow/80016 2006-11-23 06:17:03.000000000 -0500
+++ shadow/80016.tmp.29857 2006-11-23 09:21:48.000000000 -0500
@@ -1,23 +1,23 @@
Bug#: 80016
Product: Mono: Class Libraries
Version: 1.2
OS: All
OS Details:
-Status: NEW
-Resolution:
-Severity:
+Status: RESOLVED
+Resolution: DUPLICATE
+Severity: Unknown
Priority: Normal
Component: System.Security
AssignedTo: sebastien at ximian.com
ReportedBy: rdealba at codicesoftware.com
QAContact: mono-bugs at ximian.com
TargetMilestone: ---
URL:
Cc:
-Summary: Different encrypted string with Rijndael Algorithm.
+Summary: PasswordDeriveBytes results differ from Microsoft when used in non-PKCS5 compliant mode
Description of Problem:
I've a problem encrypting a string with the Rijndael algorithm. The
encryption method returns me different encrypted string executing it
over mono and over Microsoft framework. I've tested the TripleDES
@@ -60,6 +60,37 @@
Additional Information:
------- Additional Comments From rdealba at codicesoftware.com 2006-11-23 06:17 -------
Created an attachment (id=18137)
A Visual Studio solution with the case of use the encryption algorithms
+
+------- Additional Comments From sebastien at ximian.com 2006-11-23 09:21 -------
+This is the same problem as bug #79499 (and #69036) and has nothing to
+do with the algorithm themselves (i.e. remove the use of
+PasswordDeriveBytes or use the 2.0 Rfc2898DeriveBytes and you won't
+have the problem).
+
+Note that (most of) the same conclusions apply here. You cannot,
+either securely or for interop, ask more than 160 bits (20 bytes) of
+data out of PasswordDeriveBytes (it's PKCS#5 v1.5) as, by default, the
+algorithm is based on SHA-1.
+
+The MS "extension" (it's not allowed in the PKCS#5 standard) to allow
+more than 20 bytes out of the derivation is (a) undocumented and (b)
+doesn't add any security (which means that it limits your security,
+possibly making you less secure that you expect). In this case your
+crypto, either algorithms, have an effective strength of 160 bits
+(actually it's even less than that because your salt is static - but
+that's another issue).
+
+The fix suggested in #79499 would also "work" for you. That is call
+GetBytes once (total length), then split the key and IV into separate
+buffers. Note that this works because, in that specific case, we're
+able to match MS undocumented derivation. I.e. it doesn't make it more
+secure (than the first 20 bytes) and it will cause you problem to
+interoperate with anything else besides MS and Mono.
+
+Last note: the issue is already documented in monodoc
+
+
+*** This bug has been marked as a duplicate of 79499 ***
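Review bot: the "fix suggested in #79499" paragraph reads as the recommended resolution, but the hunk's own earlier line already names the better option (remove PasswordDeriveBytes or use the 2.0 Rfc2898DeriveBytes); the comment should state plainly that the GetBytes-once-then-split approach is only for interoperating with existing MS-derived ciphertext, and that new code should move to Rfc2898DeriveBytes so the derived key and IV are standards-based rather than tied to an undocumented MS derivation. The static salt dismissed as "another issue" also deserves its own sentence: with a fixed salt and the same password the derivation yields the same key and IV every time, which is exactly the kind of reuse this comment is warning about.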