Hashing passwords with a password based key derivation function in .NET

In this post we saw a basic hashing technique using a password and a salt. We added an extra random set of bytes to the password and hashed the combined byte array instead of just the password bytes. We can store the salt along with the hash in our database. The main purpose of adding a salt to the password is to increase its entropy which more or less means randomness.

Hashing the password with an extra salt like that may still not be as secure as we think it is. The processing power of today’s fast computers and the increasing size of available rainbow tables keep pushing the limits of what’s available to crack with brute force attacks. One way to increase the difficulty of cracking a password is to keep hashing its hash in an iterative manner. Password-based key derivation functions help us achieve that and we’ll see an example of their usage in this post.

A password-based key derivation function – PBKDF2 – takes a password and a salt like we saw before and repeats the hashing process multiple times to produce a derived key. The added password hashing complexity makes it more difficult to use rainbow tables to find the original password. There are at least 2 other important terms related to PBKDF2:

  • PKCS: RSA public key cryptographic standards, PKCS #5 Version 2.0 to be exact, where PBKDF2 is part of the standard
  • RFC2898: the password-based cryptography specification Internet engineering task force where PKCS #5 Version 2.0 is outlined. We’ll soon see how this task force is reflected in the appropriate .NET class name

The implementation

We’ll use the below object to store the salt and the message digest to be returned from the hashing function:

public class HashWithSaltResult
	public string Salt { get; }
	public string Digest { get; set; }

	public HashWithSaltResult(string salt, string digest)
		Salt = salt;
		Digest = digest;

Here’s is our random number generator class which will produce the salt – for details check out this link:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;

namespace RandomNumberGenerator
    public class RNG
		public string GenerateRandomCryptographicKey(int keyLength)
			return Convert.ToBase64String(GenerateRandomCryptographicBytes(keyLength));

		public byte[] GenerateRandomCryptographicBytes(int keyLength)
			RNGCryptoServiceProvider rngCryptoServiceProvider = new RNGCryptoServiceProvider();
			byte[] randomBytes = new byte[keyLength];
			return randomBytes;

PBKDF2, or RFC2898 is represented by the Rfc2898DeriveBytes class in the System.Security.Cryptography namespace. Here comes the PKCS password hasher with Rfc2898DeriveBytes in action:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
using RandomNumberGenerator;

namespace HashingAlgos
	public class PKCS
		public HashWithSaltResult HashPasswordWithPkcs(string plainPassword, int roundOfHashIterations, int saltLengthBytes)
			RNG rng = new RNG();
			byte[] saltBytes = rng.GenerateRandomCryptographicBytes(saltLengthBytes);
			Rfc2898DeriveBytes pbkdf = new Rfc2898DeriveBytes(plainPassword, saltBytes, roundOfHashIterations);
			byte[] derivedBytes = pbkdf.GetBytes(32);
			return new HashWithSaltResult(Convert.ToBase64String(saltBytes), Convert.ToBase64String(derivedBytes));

We start by creating a salt with the provided byte size. Then we use the Rfc2898DeriveBytes object to calculate the derived key with a number of iterations. The Rfc2898DeriveBytes.GetBytes method accepts an integer that represents the byte length of the produced key. Finally we return the calculated values.

Here’s an example of creating a hash with 100, 10000 and 50000 iterations. Note that the execution time increases with the number of iterations so be aware of the trade-off between increased security and code performance.

private static void TestPkcs()
	string password = "ultra_safe_P455w0rD";
	PKCS pkcs = new PKCS();
	HashWithSaltResult hashResult100Iterations = pkcs.HashPasswordWithPkcs(password, 100, 32);
	HashWithSaltResult hashResult10000Iterations = pkcs.HashPasswordWithPkcs(password, 10000, 32);
	HashWithSaltResult hashResult50000Iterations = pkcs.HashPasswordWithPkcs(password, 50000, 32);


Here’s the output from top to bottom:




You can view the list of posts on Security and Cryptography here.


About Andras Nemes
I'm a .NET/Java developer living and working in Stockholm, Sweden.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


A great WordPress.com site

iReadable { }

.NET Tips & Tricks

Robin Sedlaczek's Blog

Developer on Microsoft Technologies

HarsH ReaLiTy

A Good Blog is Hard to Find

Softwarearchitektur in der Praxis

Wissenswertes zu Webentwicklung, Domain-Driven Design und Microservices

the software architecture

thoughts, ideas, diagrams,enterprise code, design pattern , solution designs

Technology Talks

on Microsoft technologies, Web, Android and others

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

Anything around ASP.NET MVC,WEB API, WCF, Entity Framework & AngularJS

Cyber Matters

Bite-size insight on Cyber Security for the not too technical.

Guru N Guns's

OneSolution To dOTnET.

Johnny Zraiby

Measuring programming progress by lines of code is like measuring aircraft building progress by weight.

%d bloggers like this: