Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update rfc28981.cs example #9545

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update rfc28981.cs example #9545

wants to merge 1 commit into from

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Jan 16, 2024
edited by buyaa-n

updates based on https://developercommunity.visualstudio.com/t/Rfc2898DeriveBytes-Class-Microsoft-Learn/10547811 feedback

removes use of obsolete methods.

Fixes #9657

@wfurt wfurt requested a review from bartonjs January 16, 2024 04:06
@wfurt wfurt requested a review from a team as a code owner January 16, 2024 04:06
@ghost ghost assigned wfurt Jan 16, 2024
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-System.Security Issues related to security practices for .NET developers. label Jan 16, 2024
@ghost
Copy link

ghost commented Jan 16, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

updates based on https://developercommunity.visualstudio.com/t/Rfc2898DeriveBytes-Class-Microsoft-Learn/10547811 feedback

removes use of obsolete methods.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Security
Milestone: -

@learn-build-service-prod Learn Build Service (PROD)
Copy link

Learn Build status updates of commit f158a39:

✅ Validation status: passed

File Status Preview URL Details
snippets/csharp/System.Security.Cryptography/Rfc2898DeriveBytes/Overview/rfc28981.cs ✅Succeeded View

For more details, please refer to the build report.

For any questions, please:

bartonjs
bartonjs requested changes Jan 18, 2024
View reviewed changes
Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SNIPPET3's comment and SNIPPET4's usage were consistent: the default value is 1000, so specifying 1000 explicitly produces the same answer.
https://source.dot.net/#System.Security.Cryptography/System/Security/Cryptography/Rfc2898DeriveBytes.cs,45

Now that SNIPPET4 is no longer using a default iteration count, the comment in SNIPPET3 doesn't make sense.

I recommend bumping the iteration count 600_000, and changing the comment to express that the iteration count should be high enough to resist brute forcing, but low enough that you're willing to wait that long. The 600k number comes from OWASP (when using SHA-2-256), which comes out to about 0.33 seconds on my computer using the static span-writing functions .NET 8, or about 0.38 when using the instance array-returning functions. (.NET Framework is slower; 600k there is 1.6 seconds; so it gets 0.3 seconds around 130k)

@ghost ghost added the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 18, 2024
@buyaa-n buyaa-n mentioned this pull request Feb 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bartonjs bartonjs bartonjs requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@wfurt wfurt

Labels
area-System.Security Issues related to security practices for .NET developers. needs-author-action An issue or pull request that requires more info or actions from the author.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rfc2898DeriveBytes Class Microsoft Learn Page
2 participants
@wfurt @bartonjs