Skip to content

Update rfc28981.cs example#9545

Open
wfurt wants to merge 1 commit intomainfrom
wfurt-patch-1
Open

Update rfc28981.cs example#9545
wfurt wants to merge 1 commit intomainfrom
wfurt-patch-1

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented Jan 16, 2024
edited by buyaa-n
Loading

updates based on https://developercommunity.visualstudio.com/t/Rfc2898DeriveBytes-Class-Microsoft-Learn/10547811 feedback

removes use of obsolete methods.

Fixes #9657

@wfurt wfurt requested a review from bartonjs January 16, 2024 04:06
@wfurt wfurt requested a review from a team as a code owner January 16, 2024 04:06
@ghost ghost assigned wfurt Jan 16, 2024
@ghost ghost added the area-System.Security Issues related to security practices for .NET developers. label Jan 16, 2024
@ghost
Copy link

ghost commented Jan 16, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

updates based on https://developercommunity.visualstudio.com/t/Rfc2898DeriveBytes-Class-Microsoft-Learn/10547811 feedback

removes use of obsolete methods.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Security
Milestone: -

@learn-build-service-prod
Copy link

learn-build-service-prod bot commented Jan 16, 2024

Learn Build status updates of commit f158a39:

✅ Validation status: passed

File Status Preview URL Details
snippets/csharp/System.Security.Cryptography/Rfc2898DeriveBytes/Overview/rfc28981.cs ✅Succeeded View

For more details, please refer to the build report.

For any questions, please:

bartonjs
bartonjs requested changes Jan 18, 2024
View reviewed changes
Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SNIPPET3's comment and SNIPPET4's usage were consistent: the default value is 1000, so specifying 1000 explicitly produces the same answer.
https://source.dot.net/#System.Security.Cryptography/System/Security/Cryptography/Rfc2898DeriveBytes.cs,45

Now that SNIPPET4 is no longer using a default iteration count, the comment in SNIPPET3 doesn't make sense.

I recommend bumping the iteration count 600_000, and changing the comment to express that the iteration count should be high enough to resist brute forcing, but low enough that you're willing to wait that long. The 600k number comes from OWASP (when using SHA-2-256), which comes out to about 0.33 seconds on my computer using the static span-writing functions .NET 8, or about 0.38 when using the instance array-returning functions. (.NET Framework is slower; 600k there is 1.6 seconds; so it gets 0.3 seconds around 130k)

@ghost ghost added the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 18, 2024
@buyaa-n buyaa-n mentioned this pull request Feb 28, 2024
Open
@gewarren
Copy link
Contributor

gewarren commented Apr 3, 2025

@wfurt Do you plan to keep working on this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bartonjs bartonjs bartonjs requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@wfurt wfurt

Labels

area-System.Security Issues related to security practices for .NET developers. needs-author-action An issue or pull request that requires more info or actions from the author.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Rfc2898DeriveBytes Class Microsoft Learn Page

3 participants

@wfurt @gewarren @bartonjs