Closed by koczkatamas 9 years ago
I think you're probably right. Do you want to send a pull request? I can update the NuGet package.
P.S., I also added you as a collaborator, so if you want, you can fix it without a PR. But it would be nice to do it in the open :smile:
@koczkatamas What do you think of 2c0ab4179, does that resolve the concern?
Yeah, it looks good! Thanks. :)
Two of the constructors of the `Key` class are very dangerous and should never be used!
`new Random()` is not a secure random generator. Use `RandomNumberGenerator` instead!
"As indicated in the algorithm requirement section, keys SHOULD be chosen at random or using a cryptographically strong pseudorandom generator properly seeded with a random value." (https://tools.ietf.org/html/rfc6238)
Also, 10 random bytes (= 80 bits) are not enough: "The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits." (https://tools.ietf.org/html/rfc4226)
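The difference the issue describes, shown as an added example that is not the library's code or the fix in 2c0ab4179. The class `TotpKeyDemo` and its members are hypothetical names; the length limits are the RFC 4226 figures quoted above.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example: hypothetical names, not the library's Key class.
public static class TotpKeyDemo
{
    public const int MinKeyBytes = 16;     // 128 bits, the RFC 4226 minimum (MUST)
    public const int DefaultKeyBytes = 20; // 160 bits, the RFC 4226 recommendation

    // Weak pattern: System.Random is a deterministic, non-cryptographic PRNG.
    // Every byte of the "secret" is fixed by the seed, so anyone who can
    // narrow down the seed can regenerate the key.
    public static byte[] WeakKey(int seed, int length = 10)
    {
        var key = new byte[length];
        new Random(seed).NextBytes(key);
        return key;
    }

    // Hardened pattern: bytes come from the platform CSPRNG, and lengths
    // below the RFC 4226 minimum are rejected instead of silently accepted.
    public static byte[] StrongKey(int length = DefaultKeyBytes)
    {
        if (length < MinKeyBytes)
            throw new ArgumentOutOfRangeException(
                nameof(length), "Shared secret must be at least 128 bits (16 bytes).");

        var key = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return key;
    }

    public static void Main()
    {
        // Constructed seed value: the same seed always reproduces the same key.
        bool weakRepeats = WeakKey(12345).SequenceEqual(WeakKey(12345));
        Console.WriteLine("Weak keys identical for equal seeds: " + weakRepeats);

        // Two CSPRNG keys are independent 160-bit values.
        Console.WriteLine("Strong key A: " + BitConverter.ToString(StrongKey()));
        Console.WriteLine("Strong key B: " + BitConverter.ToString(StrongKey()));
    }
}
```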