Default hash and iteration count not mentioned the constructors of Rfc2898DeriveBytes Constructors #7829
Comments
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
rzikm
added
the
area-System.Security
|
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones Issue DetailsCurrently the default hash algorithm (SHA-1) and iteration count (1000) are not mentioned. It is also not mentioned that requesting more bytes from Rfc2898DeriveBytes than the output size of the selected hash algorithm will have adverse affects on the performance of this algorithm as it will perform all the iterations again, while the adversary may not require those. There is also a slight bug that mentions in the exception that an iteration count < 1 will generate an error, even though the constructor doesn't have the iteration count as parameter. In short: please mention the defaults on top of the constructor description.
|
|
@owlstead I agree these should be better documented. Along these same lines, we intend on obsoleting the constructors that have defaults for iterations and the hash algorithm. |
jeffhandley
added
untriaged
ghost
removed
the
jozkee
added
untriaged
Currently the default hash algorithm (SHA-1) and iteration count (1000) are not mentioned. It is also not mentioned that requesting more bytes from Rfc2898DeriveBytes than the output size of the selected hash algorithm will have adverse affects on the performance of this algorithm as it will perform all the iterations again, while the adversary may not require those. There is also a slight bug that mentions in the exception that an iteration count < 1 will generate an error, even though the constructor doesn't have the iteration count as parameter. In short: please mention the defaults on top of the constructor description.
The text was updated successfully, but these errors were encountered: