[Cryptography] [FORGED] FOSS library recommendation for VB.NET encryption using AES

Kevin W. Wall kevin.w.wall at gmail.com
Tue Mar 6 09:36:53 EST 2018


On Tue, Mar 6, 2018 at 2:32 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Kevin W. Wall <kevin.w.wall at gmail.com> writes:
>
>>Their company policy prohibits the use of PBE.
>
> Before we can answer, a question: If their policy prohibits the use of PBE (I
> assume that means KEK-based mechanisms in general?) to encrypt passwords, what
> are we supposed to use?  Does it need to be reversible?  If not, you're going
> to run into a KEK at some point.

No, KEK-based is okay. The company's objection with PBE is the mandate
that keys must be generated randomly from the complete possible key
space and that passwords (at least as picked by humans) are generally
susceptible to dictionary attacks.

The use case here is storing system passwords used with downstream
systems such as internal databases, web services, etc., so those
passwords need to be stored so that they are reversible. User passwords on the
other hand are mandated to be stored as secure one-way hashes, and
there's a whole lot of specifics about how exactly that must be done.

Thanks,
-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
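
The key-space argument behind the policy described above, as an added example that is not part of the original message: a key derived from a human-chosen password is only as large as the list of likely passwords, while a randomly generated key is drawn from the full 2**256 space. The function names, wordlist, salt and iteration count are constructed for illustration.

```python
import hashlib
import secrets

KEY_LEN = 32         # 256-bit AES key
ITERATIONS = 10_000  # constructed value, kept low so the example runs quickly


def pbe_key(password: str, salt: bytes) -> bytes:
    """PBE-style key: PBKDF2-HMAC-SHA256 over a human-chosen password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               ITERATIONS, KEY_LEN)


def random_key() -> bytes:
    """Key drawn uniformly from the complete key space via the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def find_in_wordlist(key: bytes, salt: bytes, wordlist):
    """Return the word that derives `key`, or None if no listed word does.

    The salt is treated as known because PBE schemes store it next to the
    ciphertext; it prevents precomputation, not a per-target search.
    """
    for word in wordlist:
        if secrets.compare_digest(pbe_key(word, salt), key):
            return word
    return None


# Constructed sample data, not taken from any real system.
WORDLIST = ["password", "letmein", "Summer2018", "qwerty", "dragon"]
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo():
    """Compare a password-derived key with a randomly generated one."""
    derived = pbe_key("Summer2018", SALT)
    generated = random_key()
    return (find_in_wordlist(derived, SALT, WORDLIST),
            find_in_wordlist(generated, SALT, WORDLIST))


if __name__ == "__main__":
    print(demo())
```
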

