PowerShell / SecretStore

MIT License

Rfc2898DeriveBytes obsolete constructor #102

Open grey0ut opened 1 year ago

grey0ut commented 1 year ago

Summary of the new feature / enhancement

Utils.cs leverages the Rfc2898DeriveBytes class for key derivation. The constructor used appears to be:

public Rfc2898DeriveBytes (byte[] password, byte[] salt, int iterations)

This constructor, and any that leverage a default iteration count and/or hash algorithm, are marked as 'obsolete' as of .NET 7. The constructor leverages SHA1 with an iteration count of 1000.

Given events like the LastPass hack/breach, are there plans to update this module to leverage a newer constructor with a higher iteration count and non-deprecated hash algorithm?

Proposed technical implementation details (optional)

I mainly write PowerShell, with no experience writing C#, but it seems like the 3 sections that use the Rfc2898DeriveBytes constructor could be updated to look more like this:

    using (var derivedBytes = new Rfc2898DeriveBytes(
        password: passWordData,
        salt: saltBytes,                 // "Key bytes variable" in the original; placeholder name
        iterations: 600000,
        hashAlgorithm: HashAlgorithm))   // the parameter is named hashAlgorithm (C# named arguments are case-sensitive)
    {
        // ... derivedBytes.GetBytes(...) as in the existing code
    }

where 'HashAlgorithm' is a previously defined variable containing 'HashAlgorithmName.SHA256'. Or hard-code it in each construction of the Rfc2898DeriveBytes class. At the time of writing, SHA256 or SHA512 with a work factor of 600,000 and 210,000 iterations respectively are the recommended defaults by OWASP.
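As an added example (not SecretStore's own code and not part of the issue text), the following C# shows the non-obsolete 4-argument constructor with the parameters proposed above, and one practical consequence of changing them: a store written under the old SHA1/1000 settings can only be opened if those settings are known, so the hash name, iteration count and salt are recorded in a small header in front of the ciphertext, and a store whose header does not match current policy is re-keyed. It targets .NET 6 or later; the type and method names (KdfParams, KeyDerivation, WriteHeader, ReadHeader, NeedsUpgrade) and the header layout are hypothetical, as is the sample password.

```csharp
// Added example, not SecretStore's own code. PBKDF2 with explicit, non-obsolete
// parameters, plus a header recording which parameters were used so that a store
// written under older settings can still be opened and then re-keyed.
// Targets .NET 6+. All type/method names here are hypothetical.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed record KdfParams(HashAlgorithmName Hash, int Iterations)
{
    // What the obsolete 3-argument constructor used implicitly: SHA1.
    public static readonly KdfParams Legacy = new(HashAlgorithmName.SHA1, 1000);
    // OWASP work factors cited in the issue.
    public static readonly KdfParams Sha256 = new(HashAlgorithmName.SHA256, 600_000);
    public static readonly KdfParams Sha512 = new(HashAlgorithmName.SHA512, 210_000);
}

public static class KeyDerivation
{
    public const int KeyLength = 32;  // 256-bit key
    public const int SaltLength = 16;

    // The 4-argument constructor names the hash explicitly and is not obsolete.
    // The static Rfc2898DeriveBytes.Pbkdf2(...) (.NET 6+) yields the same bytes.
    public static byte[] DeriveKey(byte[] password, byte[] salt, KdfParams p)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, p.Iterations, p.Hash);
        return kdf.GetBytes(KeyLength);
    }

    // Header layout (hypothetical): length-prefixed hash name, int32 iterations,
    // one-byte salt length, salt bytes.
    public static byte[] WriteHeader(KdfParams p, byte[] salt)
    {
        using var ms = new MemoryStream();
        using var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true);
        w.Write(p.Hash.Name!);
        w.Write(p.Iterations);
        w.Write((byte)salt.Length);
        w.Write(salt);
        w.Flush();
        return ms.ToArray();
    }

    public static (KdfParams Params, byte[] Salt) ReadHeader(byte[] header)
    {
        using var r = new BinaryReader(new MemoryStream(header), Encoding.UTF8);
        var hash = new HashAlgorithmName(r.ReadString());
        int iterations = r.ReadInt32();
        byte[] salt = r.ReadBytes(r.ReadByte());
        return (new KdfParams(hash, iterations), salt);
    }

    // Records have value equality, so any deviation from policy triggers a re-key.
    public static bool NeedsUpgrade(KdfParams stored, KdfParams policy) => stored != policy;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input.
        byte[] password = Encoding.UTF8.GetBytes("correct horse battery staple");
        byte[] salt = RandomNumberGenerator.GetBytes(KeyDerivation.SaltLength);

        // A store created under the old defaults; the header makes that explicit.
        byte[] oldHeader = KeyDerivation.WriteHeader(KdfParams.Legacy, salt);
        var (storedParams, storedSalt) = KeyDerivation.ReadHeader(oldHeader);
        byte[] oldKey = KeyDerivation.DeriveKey(password, storedSalt, storedParams);
        Console.WriteLine($"Opened store with {storedParams.Hash.Name}/{storedParams.Iterations}, key bytes: {oldKey.Length}");

        if (KeyDerivation.NeedsUpgrade(storedParams, KdfParams.Sha256))
        {
            // Decrypt with oldKey, then re-encrypt under a fresh salt and the current policy.
            byte[] newSalt = RandomNumberGenerator.GetBytes(KeyDerivation.SaltLength);
            byte[] newKey = KeyDerivation.DeriveKey(password, newSalt, KdfParams.Sha256);
            byte[] newHeader = KeyDerivation.WriteHeader(KdfParams.Sha256, newSalt);
            Console.WriteLine($"Re-keyed to {KdfParams.Sha256.Hash.Name}/{KdfParams.Sha256.Iterations}; "
                            + $"new header {newHeader.Length} bytes, new key {newKey.Length} bytes");
        }
    }
}
```

The point of the header is that raising the iteration count or switching the hash is not a drop-in change: without recording the parameters, every existing store silently stops opening after the upgrade. Recording them also gives the module a place to fail closed (refuse to write new stores with SHA1) while still reading old ones long enough to migrate them.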