34

How to generate Rijndael KEY and IV using a passphrase? The key length must be in 256 bits.

Improve this question
7
  • 3
    What language are you using? Which library? Commented Jun 26, 2011 at 9:08
  • 2
    Thanks for all responses. My upvote for all. Commented Jul 2, 2011 at 9:50
  • 1
    Don't do this; learn how an IV actually works. See my response on the chosen answer for why this is an abysmal idea. Commented Sep 24, 2013 at 17:42
  • 3
    @Spongeboy Nope. The fundamental premise of the question is wrong. You don't generate an IV from the same source as the key. You generate a unique IV with no relationship to the key every time you encrypt a message, then include that IV with that message. It is impossible to both answer this question and provide a working solution as the question is based on false premises. Commented Sep 25, 2013 at 12:25
  • 1
    @Spongeboy In the case of C#, you can call the GenerateIV() method to get an appropriate IV. Then once you've encrypted the plaintext, add the IV as the first 16 bytes of the ciphertext. When you decrypt the ciphertext, pluck off the first 16 bytes and use those as the IV when decrypting. Commented Sep 25, 2013 at 12:32

6 Answers 6

Reset to default
62

I think you are looking for password-based key derivation. There is Rfc2898DeriveBytes class that implements it.

Rfc2898DeriveBytes takes a password, a salt, and an iteration count, and then generates keys through calls to the GetBytes method.

RFC 2898 includes methods for creating a key and initialization vector (IV) from a password and salt. You can use PBKDF2, a password-based key derivation function, to derive keys using a pseudo-random function that allows keys of virtually unlimited length to be generated. The Rfc2898DeriveBytes class can be used to produce a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count.

For more information about PBKDF2, see RFC 2898, "PKCS #5: Password-Based Cryptography Specification Version 2.0,".

Example:

public static byte[] CreateKey(string password) { var salt = new byte[] { 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 }; const int Iterations = 9872; using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, Iterations)) return rfc2898DeriveBytes.GetBytes(32); }

You can use DeriveBytes in any symmetric algorithm, not just Rijndael.
Example:

public static SymmetricAlgorithm InitSymmetric(SymmetricAlgorithm algorithm, string password, int keyBitLength) { var salt = new byte[] { 1, 2, 23, 234, 37, 48, 134, 63, 248, 4 }; const int Iterations = 234; using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, Iterations)) { if (!algorithm.ValidKeySize(keyBitLength)) throw new InvalidOperationException("Invalid size key"); algorithm.Key = rfc2898DeriveBytes.GetBytes(keyBitLength / 8); algorithm.IV = rfc2898DeriveBytes.GetBytes(algorithm.BlockSize / 8); return algorithm; } } private static byte[] Transform(byte[] bytes, Func<ICryptoTransform> selectCryptoTransform) { using (var memoryStream = new MemoryStream()) { using (var cryptoStream = new CryptoStream(memoryStream, selectCryptoTransform(), CryptoStreamMode.Write)) cryptoStream.Write(bytes, 0, bytes.Length); return memoryStream.ToArray(); } }

Usage:

public static void Main() { using (var rijndael = InitSymmetric(Rijndael.Create(), "TestPassword", 256)) { var text = "Some text to encrypt"; var bytes = Encoding.UTF8.GetBytes(text); var encryptedBytes = Transform(bytes, rijndael.CreateEncryptor); var decryptedBytes = Transform(encryptedBytes, rijndael.CreateDecryptor); var decryptedText = Encoding.UTF8.GetString(decryptedBytes); Debug.Assert(text == decryptedText); } }

Make sure you change salt and iterations parameters.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Do you need to pass in a random salt for each usage of this method? Can you do this instead: Use a constant salt, just like in your example, but derive the IV separately, using a different password. For example, if you had a User record, could you derive the IV from a constant salt and the User's ID? That would avoid having to store the salt somewhere, and you could instead rely on existing data (in this one case)
As mentioned in @Rushyo's comment on the question, the IV should not be derived from the password, rather, call GenerateIV, then pre-pend this to the encrypted string.
44
+50

This is plug and play code that I found on internet. It just works:

using System.IO; using System.Security.Cryptography; private static readonly byte[] SALT = new byte[] { 0x26, 0xdc, 0xff, 0x00, 0xad, 0xed, 0x7a, 0xee, 0xc5, 0xfe, 0x07, 0xaf, 0x4d, 0x08, 0x22, 0x3c }; public static byte[] Encrypt(byte[] plain, string password) { MemoryStream memoryStream; CryptoStream cryptoStream; Rijndael rijndael = Rijndael.Create(); Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT); rijndael.Key = pdb.GetBytes(32); rijndael.IV = pdb.GetBytes(16); memoryStream = new MemoryStream(); cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write); cryptoStream.Write(plain, 0, plain.Length); cryptoStream.Close(); return memoryStream.ToArray(); } public static byte[] Decrypt(byte[] cipher, string password) { MemoryStream memoryStream; CryptoStream cryptoStream; Rijndael rijndael = Rijndael.Create(); Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT); rijndael.Key = pdb.GetBytes(32); rijndael.IV = pdb.GetBytes(16); memoryStream = new MemoryStream(); cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write); cryptoStream.Write(cipher, 0, cipher.Length); cryptoStream.Close(); return memoryStream.ToArray(); }
Improve this answer

9 Comments

@Gens - I always believed that the best answer should be chosen, the answer that is the most useful for all the users. I spent quite a lot of time for making reusable API and examples. While you make it encouraging for new users, it is absolutely unfair and discouraging for old ones.
Regarding the lines- rijndael.Key = pdb.GetBytes(32); rijndael.IV = pdb.GetBytes(16); Does this mean the IV is just the first half of the Key? Does this have security implications?
@Spongeboy Yes. I suspect it is possible to establish the original key by doing an attack to determine the IV which, if determined (and bear in mind Rijndael doesn't treat the IV as being secret), would allow a brute-force attack against the original password/salt combination (just keep plugging values until you get that IV).
This doesn't even begin to touch on the problems with using the same IV repeatedly. Don't do this. Every time you re-use an IV, a kitty's entropy rapidly increases at an alarming rate.
Also, if it is the first half of the key (will check in a second), then recovering the IV would reduce the problem of getting the rest of the key by 17 million trillion times. EDIT: FWIW no, it isn't. However, that doesn't automatically mean you can't potentially recover half of the key from it anyway.
|
9

The IV must be random (doesn't need to be an unpredictable random, just random enough that they won't be reused).

As to generating the key from the password, you are looking for a key derivation function for which nowadays there are at least three good choices (PBKDF2, bcrypt, scrypt), using a non iterated hash as a previous poster suggests more often than not leads to insecure systems.

Also use AES nor Rijndael, that's not exactly the same thing. Using a Rijndael combination not part of AES could be an inter-operability nightmare later, and the security of those functions combination isn't well studied anyway.

Improve this answer

Comments

4

IV must be random (you usually pass it together with the encrypted data), and the key can be derived in a number of ways: simply pad the password to the length of the key (if the password is shorter than 32 characters) or (which is more reliable) derive a key by using SHA2 hashing algorithm or use some more sophisticated way.

Improve this answer

4 Comments

Don't ever pad the password. Don't use String input as a key. Don't use SHA2. Use a key derivation algorithm, such as PKBDF2, which is specifically designed for this problem. Also, be sure to read the label (RTFM) before you use a key derivation algorithm.
@Rushyo don't ever make so all-embracing statements.
Because playing guessing games and hoping things are going to work with cryptographic algorithms has been proven to be such a good idea? May as well pray to the Machine God and recant the holy sacred rites for all the engineering sense that makes. There are very well defined methodologies for key derivation. The fact that people use home-brew nonsense means I get a paycheck as a hacker but that doesn't make it good engineering.
Hmm. Just had a look at 'BlackBox'. I can see you're a big fan of the DIY approach. GL with that!
1

Use this Rfc2898DeriveBytes Class.

Word of advise though, your security level has dropped/limited by the passphrase length/strength. So, don't do it.

Improve this answer

Comments

1

Other answers contain way more information. The answer to this question where you only want to generate the key and IV given a passphrase use:

 // use something more random in real life var salt = new byte[]{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; string password = "my-password"; Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, salt); var key = pdb.GetBytes(32); var iv = pdb.GetBytes(16);
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.