Utils.cs leverages the Rfc2898DeriveBytes class for key derivation. The constructor used appears to be:

```csharp
public Rfc2898DeriveBytes (byte[] password, byte[] salt, int iterations)
```

This constructor, and any that leverage a default iteration count and/or hash algorithm, are marked as 'obsolete' as of .NET 7. The constructor leverages SHA1 with an iteration count of 1000.
Given events like the LastPass hack/breach, are there plans to update this module to leverage a newer constructor with a higher iteration count and non-deprecated hash algorithm?
I mainly write PowerShell, with no experience writing C#, but it seems like the 3 sections that use the Rfc2898DeriveBytes constructor could be updated to look more like this:

```csharp
using (var derivedBytes = new Rfc2898DeriveBytes(
    password: passWordData,
    salt: saltBytes,          // placeholder for the existing key/salt bytes variable
    iterations: 600000,
    hashAlgorithm: HashAlgorithm))  // named argument must match the parameter name 'hashAlgorithm'
```

where 'HashAlgorithm' is a previously defined variable containing 'HashAlgorithmName.SHA256'. Or hard code it in each construction of the Rfc2898DeriveBytes class. At the time of writing, SHA256 or SHA512 with a work factor of 600,000 and 210,000 iterations respectively are the recommended defaults by OWASP.
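For reference, here is an added, self-contained example (not the module's Utils.cs and not code from the issue author) that derives a 32-byte key with the non-obsolete overload taking an explicit HashAlgorithmName, using the SHA256 / 600,000 figure quoted above, and shows the equivalent static `Rfc2898DeriveBytes.Pbkdf2` helper available since .NET 6. The method and variable names (`DeriveKey`, `DeriveKeyStatic`, `passwordBytes`, `saltBytes`) are placeholders for whatever Utils.cs actually uses; the sample password and salt are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the module's own code. Demonstrates the two non-obsolete ways
// to run PBKDF2-HMAC-SHA256 in .NET 6+ with an explicit hash algorithm and
// iteration count, replacing the (byte[], byte[], int) constructor that defaults to HMAC-SHA1.
public static class KeyDerivationExample
{
    // Work factors quoted from OWASP in the issue text (hypothetical constant names).
    public const int Sha256Iterations = 600_000;
    public const int Sha512Iterations = 210_000;

    // Instance-based form: same shape as the existing code, with HashAlgorithmName added.
    public static byte[] DeriveKey(byte[] passwordBytes, byte[] saltBytes, int keyLengthBytes = 32)
    {
        using (var kdf = new Rfc2898DeriveBytes(
            password: passwordBytes,
            salt: saltBytes,
            iterations: Sha256Iterations,
            hashAlgorithm: HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(keyLengthBytes);
        }
    }

    // Static form (.NET 6+): no IDisposable object, no chance of reusing a stateful
    // instance across derivations.
    public static byte[] DeriveKeyStatic(byte[] passwordBytes, byte[] saltBytes, int keyLengthBytes = 32)
    {
        return Rfc2898DeriveBytes.Pbkdf2(
            passwordBytes, saltBytes, Sha256Iterations, HashAlgorithmName.SHA256, keyLengthBytes);
    }

    public static void Main()
    {
        // Constructed sample input. A real caller generates a fresh random salt per
        // derivation and stores it next to the ciphertext; never reuse a fixed salt.
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] password = Encoding.UTF8.GetBytes("correct horse battery staple");

        byte[] k1 = DeriveKey(password, salt);
        byte[] k2 = DeriveKeyStatic(password, salt);

        Console.WriteLine(Convert.ToHexString(k1));
        // Both paths perform the same PBKDF2-HMAC-SHA256 computation, so they agree.
        Console.WriteLine(k1.AsSpan().SequenceEqual(k2) ? "match" : "MISMATCH");
    }
}
```

Raising the iteration count from 1000 to 600,000 makes each derivation roughly 600 times more expensive for the legitimate caller as well, so any code path that derives the key on every request (rather than once per session or per file) should be checked for acceptable latency before the change ships.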