23

Guys, I'm trying to implement a PBKDF2 function in C# that creates a WPA Shared key. I've found some here: http://msdn.microsoft.com/en-us/magazine/cc163913.aspx that seems to produce a valid result, but it's one byte too short... and the wrong PSK value.

To test the output, I am comparing it to this: http://www.xs4all.nl/~rjoris/wpapsk.html or http://anandam.name/pbkdf2/

I did find one way of getting this to work with a built in library to C# called Rfc2898DeriveBytes. Using this, I get a valid output using:

Rfc2898DeriveBytes k3 = new Rfc2898DeriveBytes(pwd1, salt1, 4096); byte[] answers = k3.GetBytes(32);

Now, the one limitation I have using Rfc2898DeriveBytes is the "salt" must be 8 octets long. If it is shorter, the Rfc2898DeriveBytes throws an exception. I was thinking all I had to do was pad the salt (if it was shorter) to 8 bytes, and I'd be good. But NO! I've tried pretty much every combination of padding with a shorter salt, but I cannot duplicate the results I get from those two websites above.

So bottom line is, does this mean the Rfc2898DeriveBytes just simply won't work with a source salt shorter than 8 bytes? If so, does anyone know of any C# code I could use that implements PBKDF2 for WPA Preshared key?

Improve this question
1

4 Answers 4

Reset to default
15
+100

Here is an implementation that does not require the 8 byte salt.

You can calculate a WPA key as follows:

Rfc2898DeriveBytes rfc2898 = new Rfc2898DeriveBytes(passphrase, Encoding.UTF8.GetBytes(name), 4096); key = rfc2898.GetBytes(32); public class Rfc2898DeriveBytes : DeriveBytes { const int BlockSize = 20; uint block; byte[] buffer; int endIndex; readonly HMACSHA1 hmacsha1; uint iterations; byte[] salt; int startIndex; public Rfc2898DeriveBytes(string password, int saltSize) : this(password, saltSize, 1000) { } public Rfc2898DeriveBytes(string password, byte[] salt) : this(password, salt, 1000) { } public Rfc2898DeriveBytes(string password, int saltSize, int iterations) { if (saltSize < 0) { throw new ArgumentOutOfRangeException("saltSize"); } byte[] data = new byte[saltSize]; new RNGCryptoServiceProvider().GetBytes(data); Salt = data; IterationCount = iterations; hmacsha1 = new HMACSHA1(new UTF8Encoding(false).GetBytes(password)); Initialize(); } public Rfc2898DeriveBytes(string password, byte[] salt, int iterations) : this(new UTF8Encoding(false).GetBytes(password), salt, iterations) { } public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations) { Salt = salt; IterationCount = iterations; hmacsha1 = new HMACSHA1(password); Initialize(); } static byte[] Int(uint i) { byte[] bytes = BitConverter.GetBytes(i); byte[] buffer2 = new byte[] {bytes[3], bytes[2], bytes[1], bytes[0]}; if (!BitConverter.IsLittleEndian) { return bytes; } return buffer2; } byte[] DeriveKey() { byte[] inputBuffer = Int(block); hmacsha1.TransformBlock(salt, 0, salt.Length, salt, 0); hmacsha1.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length); byte[] hash = hmacsha1.Hash; hmacsha1.Initialize(); byte[] buffer3 = hash; for (int i = 2; i <= iterations; i++) { hash = hmacsha1.ComputeHash(hash); for (int j = 0; j < BlockSize; j++) { buffer3[j] = (byte) (buffer3[j] ^ hash[j]); } } block++; return buffer3; } public override byte[] GetBytes(int bytesToGet) { if (bytesToGet <= 0) { throw new ArgumentOutOfRangeException("bytesToGet"); } byte[] dst = new byte[bytesToGet]; int dstOffset = 0; int count = endIndex - startIndex; if (count > 0) { if (bytesToGet < count) { Buffer.BlockCopy(buffer, startIndex, dst, 0, bytesToGet); startIndex += bytesToGet; return dst; } Buffer.BlockCopy(buffer, startIndex, dst, 0, count); startIndex = endIndex = 0; dstOffset += count; } while (dstOffset < bytesToGet) { byte[] src = DeriveKey(); int num3 = bytesToGet - dstOffset; if (num3 > BlockSize) { Buffer.BlockCopy(src, 0, dst, dstOffset, BlockSize); dstOffset += BlockSize; } else { Buffer.BlockCopy(src, 0, dst, dstOffset, num3); dstOffset += num3; Buffer.BlockCopy(src, num3, buffer, startIndex, BlockSize - num3); endIndex += BlockSize - num3; return dst; } } return dst; } void Initialize() { if (buffer != null) { Array.Clear(buffer, 0, buffer.Length); } buffer = new byte[BlockSize]; block = 1; startIndex = endIndex = 0; } public override void Reset() { Initialize(); } public int IterationCount { get { return (int) iterations; } set { if (value <= 0) { throw new ArgumentOutOfRangeException("value"); } iterations = (uint) value; Initialize(); } } public byte[] Salt { get { return (byte[]) salt.Clone(); } set { if (value == null) { throw new ArgumentNullException("value"); } salt = (byte[]) value.Clone(); Initialize(); } } }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

7

I get matching results when comparing key-derivation from .NET's Rfc2898DeriveBytes and Anandam's PBKDF2 Javascript implementation.

I put together an example of packaging SlowAES and Anandam's PBKDF2 into Windows Script Components. Using this implementation shows good interop with the .NET RijndaelManaged class and the Rfc2898DeriveBytes class.

See also:

All of these go further than what you are asking for. They all show interop of the AES encryption. But to get interop on encryption, it is a necessary pre-requisite to have interop (or matching outputs) on the password-based key derivation.

Improve this answer

Comments

7

Looking at the Microsoft link, I made some changes in order to make the PMK the same as those discovered in the links you put forward.

Change the SHA algorithm from SHA256Managed to SHA1Managed for the inner and outer hash.

Change HASH_SIZE_IN_BYTES to equal 20 rather than 34.

This produces the correct WPA key.

I know it's a bit late coming, but I've only just started looking for this sort of informatin and thought I could help others out. If anyone does read this post, any ideas on the PRF function and how to do it within C#?

Improve this answer

3 Comments

I would not recommend using the SHA-1 algorithm if you have the choice. It has been proven as vulnerable. Admittedly the attack still requires a lot of computation but it will be feasible to crack SHA-1 hashes much sooner that the NSA intended.
@Sam - that article is from 2005 and security has moved a lot since then. SHA1 is vulnerable not because it can be reversed or because the number of collisions is too high but because it is fast, making brute force attacks too easy with modern cloud processing. SHA256 is not much slower and so is pretty much as vulnerable. Key-stretching algorithms like PBKDF2/RFC2898 take hash like SHA and repeat it thousands of times so that it's slow, making any brute force attack much tougher. The difference between SHA1 and SHA256 is nowhere near as significant in that context.
@Keith Ah yes agreed, but it would still be best to avoid SHA1 if you have the choice.
3

This expands on Dodgyrabbit's answer and his code helped to fix mine as I developed this. This generic class can use any HMAC-derived class in C#. This is .NET 4 because of the parameters with default values, but if those were changed then this should work down to .NET 2, but I haven't tested that. USE AT YOUR OWN RISK.

I have also posted this on my blog, The Albequerque Left Turn, today.

using System; using System.Text; using System.Security.Cryptography; namespace System.Security.Cryptography { //Generic PBKDF2 Class that can use any HMAC algorithm derived from the // System.Security.Cryptography.HMAC abstract class // PER SPEC RFC2898 with help from user Dodgyrabbit on StackExchange // http://stackoverflow.com/questions/1046599/pbkdf2-implementation-in-c-sharp-with-rfc2898derivebytes // the use of default values for parameters in the functions puts this at .NET 4 // if you remove those defaults and create the required constructors, you should be able to drop to .NET 2 // USE AT YOUR OWN RISK! I HAVE TESTED THIS AGAINST PUBLIC TEST VECTORS, BUT YOU SHOULD // HAVE YOUR CODE PEER-REVIEWED AND SHOULD FOLLOW BEST PRACTICES WHEN USING CRYPTO-ANYTHING! // NO WARRANTY IMPLIED OR EXPRESSED, YOU ARE ON YOUR OWN! // PUBLIC DOMAIN! NO COPYRIGHT INTENDED OR RESERVED! //constrain T to be any class that derives from HMAC, and that exposes a new() constructor public class PBKDF2<T>: DeriveBytes where T : HMAC, new() { //Internal variables and public properties private int _blockSize = -1; // the byte width of the output of the HMAC algorithm byte[] _P = null; int _C = 0; private T _hmac; byte[] _S = null; // if you called the initializer/constructor specifying a salt size, // you will need this property to GET the salt after it was created from the crypto rng! // GET THIS BEFORE CALLING GETBYTES()! OBJECT WILL BE RESET AFTER GETBYTES() AND // SALT WILL BE LOST!! public byte[] Salt { get { return (byte[])_S.Clone(); } } // Constructors public PBKDF2(string Password, byte[] Salt, int IterationCount = 1000) { Initialize(Password, Salt, IterationCount); } public PBKDF2(byte[] Password, byte[] Salt, int IterationCount = 1000) { Initialize(Password, Salt, IterationCount); } public PBKDF2(string Password, int SizeOfSaltInBytes, int IterationCount = 1000) { Initialize(Password, SizeOfSaltInBytes, IterationCount);} public PBKDF2(byte[] Password, int SizeOfSaltInBytes, int IterationCount = 1000) { Initialize(Password, SizeOfSaltInBytes, IterationCount);} //All Construtors call the corresponding Initialize methods public void Initialize(string Password, byte[] Salt, int IterationCount = 1000) { if (string.IsNullOrWhiteSpace(Password)) throw new ArgumentException("Password must contain meaningful characters and not be null.", "Password"); if (IterationCount < 1) throw new ArgumentOutOfRangeException("IterationCount"); Initialize(new UTF8Encoding(false).GetBytes(Password), Salt, IterationCount); } public void Initialize(byte[] Password, byte[] Salt, int IterationCount = 1000) { //all Constructors/Initializers eventually lead to this one which does all the "important" work if (Password == null || Password.Length == 0) throw new ArgumentException("Password cannot be null or empty.", "Password"); if (Salt == null) Salt = new byte[0]; if (IterationCount < 1) throw new ArgumentOutOfRangeException("IterationCount"); _P = (byte[])Password.Clone(); _S = (byte[])Salt.Clone(); _C = IterationCount; //determine _blockSize _hmac = new T(); _hmac.Key = new byte[] { 0 }; byte[] test = _hmac.ComputeHash(new byte[] { 0 }); _blockSize = test.Length; } public void Initialize(string Password, int SizeOfSaltInBytes, int IterationCount = 1000) { if (string.IsNullOrWhiteSpace(Password)) throw new ArgumentException("Password must contain meaningful characters and not be null.", "Password"); if (IterationCount < 1) throw new ArgumentOutOfRangeException("IterationCount"); Initialize(new UTF8Encoding(false).GetBytes(Password), SizeOfSaltInBytes, IterationCount); } public void Initialize(byte[] Password, int SizeOfSaltInBytes, int IterationCount = 1000) { if (Password == null || Password.Length == 0) throw new ArgumentException("Password cannot be null or empty.", "Password"); if (SizeOfSaltInBytes < 0) throw new ArgumentOutOfRangeException("SizeOfSaltInBytes"); if (IterationCount < 1) throw new ArgumentOutOfRangeException("IterationCount"); // You didn't specify a salt, so I'm going to create one for you of the specific byte length byte[] data = new byte[SizeOfSaltInBytes]; RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); rng.GetBytes(data); // and then finish initializing... // Get the salt from the Salt parameter BEFORE calling GetBytes()!!!!!!!!!!! Initialize(Password, data, IterationCount); } ~PBKDF2() { //*DOOT* clean up in aisle 5! *KEKERKCRACKLE* this.Reset(); } // required by the Derive Bytes class/interface // this is where you request your output bytes after Initialize // state of class Reset after use! public override byte[] GetBytes(int ByteCount) { if (_S == null || _P == null) throw new InvalidOperationException("Object not Initialized!"); if (ByteCount < 1)// || ByteCount > uint.MaxValue * blockSize) throw new ArgumentOutOfRangeException("ByteCount"); int totalBlocks = (int)Math.Ceiling((decimal)ByteCount / _blockSize); int partialBlock = (int)(ByteCount % _blockSize); byte[] result = new byte[ByteCount]; byte[] buffer = null; // I'm using TT here instead of T from the spec because I don't want to confuse it with // the generic object T for (int TT = 1; TT <= totalBlocks; TT++) { // run the F function with the _C number of iterations for block number TT buffer = _F((uint)TT); //IF we're not at the last block requested //OR the last block requested is whole (not partial) // then take everything from the result of F for this block number TT //ELSE only take the needed bytes from F if (TT != totalBlocks || (TT == totalBlocks && partialBlock == 0)) Buffer.BlockCopy(buffer, 0, result, _blockSize * (TT - 1), _blockSize); else Buffer.BlockCopy(buffer, 0, result, _blockSize * (TT - 1), partialBlock); } this.Reset(); // force cleanup after every use! Cannot be reused! return result; } // required by the Derive Bytes class/interface public override void Reset() { _C = 0; _P.Initialize(); // the compiler might optimize this line out! :( _P = null; _S.Initialize(); // the compiler might optimize this line out! :( _S = null; if (_hmac != null) _hmac.Clear(); _blockSize = -1; } // the core function of the PBKDF which does all the iterations // per the spec section 5.2 step 3 private byte[] _F(uint I) { //NOTE: SPEC IS MISLEADING!!! //THE HMAC FUNCTIONS ARE KEYED BY THE PASSWORD! NEVER THE SALT! byte[] bufferU = null; byte[] bufferOut = null; byte[] _int = PBKDF2<T>.IntToBytes(I); _hmac = new T(); _hmac.Key = (_P); // KEY BY THE PASSWORD! _hmac.TransformBlock(_S, 0, _S.Length, _S, 0); _hmac.TransformFinalBlock(_int, 0, _int.Length); bufferU = _hmac.Hash; bufferOut = (byte[])bufferU.Clone(); for (int c = 1; c < _C; c++) { _hmac.Initialize(); _hmac.Key = _P; // KEY BY THE PASSWORD! bufferU = _hmac.ComputeHash(bufferU); _Xor(ref bufferOut, bufferU); } return bufferOut; } // XOR one array of bytes into another (which is passed by reference) // this is the equiv of data ^= newData; private void _Xor(ref byte[] data, byte[] newData) { for (int i = data.GetLowerBound(0); i <= data.GetUpperBound(0); i++) data[i] ^= newData[i]; } // convert an unsigned int into an array of bytes BIG ENDIEN // per the spec section 5.2 step 3 static internal byte[] IntToBytes(uint i) { byte[] bytes = BitConverter.GetBytes(i); if (!BitConverter.IsLittleEndian) { return bytes; } else { Array.Reverse(bytes); return bytes; } } } }
Improve this answer

1 Comment

+1 for the comment: THE HMAC FUNCTIONS ARE KEYED BY THE PASSWORD! NEVER THE SALT! Saved me a massive headache!

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.