RNGCryptoServiceProvider

  private static string GetSalt()
        {
            byte[] saltBytes = new byte[64];
            var provider = new RNGCryptoServiceProvider();
            provider.GetNonZeroBytes(saltBytes);

            return Convert.ToBase64String(saltBytes);
        }

 

This is a C# method that generates a random 64-byte salt using the RNGCryptoServiceProvider class from the System.Security.Cryptography namespace. The GetNonZeroBytes method of the RNGCryptoServiceProvider class is used to fill the saltBytes array with random non-zero bytes. Finally, the Convert.ToBase64String method is used to convert the salt bytes to a base64-encoded string, which can be stored along with the hashed password in a database or other storage mechanism.

The purpose of using a salt in password hashing is to add additional randomness and complexity to the hashed password, making it more difficult for attackers to use precomputed tables or rainbow tables to crack the password. By generating a unique salt for each password, even two identical passwords will have different hashed values, which makes it more difficult for an attacker to find common patterns or weaknesses.

 

Does it mean that I will get a random bytes each time?

Yes, that is correct. The RNGCryptoServiceProvider generates a random sequence of bytes every time GetNonZeroBytes is called. The length of the byte array returned by GetNonZeroBytes will be equal to the length of the byte array passed as an argument. In this case, the length of saltBytes is 64, so GetNonZeroBytes will generate 64 random bytes and store them in the saltBytes array.

 

 

 generate password salt  by  RNGCryptoServiceProvider vs use random GUID as salt, which one is better?

Both generating a password salt by using RNGCryptoServiceProvider and using a random GUID as a salt can be good options for password hashing.

RNGCryptoServiceProvider is a cryptographic random number generator provided by the .NET framework, and is considered to be a secure way to generate random numbers. Using this method to generate a salt can help ensure that the salt is truly random and unpredictable, which can help increase the security of password hashing.

Using a random GUID as a salt can also be a good option, as GUIDs are designed to be globally unique identifiers. However, it's important to ensure that the GUID is truly random and not generated in a predictable way.

Overall, both methods can be secure if implemented correctly. The important thing is to ensure that the salt is truly random and unpredictable, so that an attacker cannot use precomputed hashes to guess the passwords.

 

Is GUID.New() in C# is truly random and not generated in a predictable way?

The GUID generated by Guid.NewGuid() in C# is designed to be a unique identifier and is generated using a combination of the current time, a unique identifier on the computer where it was generated, and some random bits.

While it is extremely unlikely for two Guid values to be the same, it is not strictly guaranteed that the values are truly random and not predictable. However, the chances of generating the same GUID twice are astronomically low, making it a suitable choice for generating unique identifiers such as password salts.

If you require cryptographically secure random numbers or values, it is generally better to use a cryptographically secure random number generator, such as RNGCryptoServiceProvider, to generate your random values.

 

 

作者:Chuck Lu    GitHub