Default AES Salt in ASPNET2 Site



I've written a simple membership/role provider library which I use in my websites. It works fine, and uses custom AES and SHA1 keys
in Web.config to encrypt or hash password information.

I now have a second, Windows Forms app that needs to access that same credential file, and hash/encrypt user-supplied credentials to
authenticate them. I know how to set up an SHA1 hasher or an AES (ManagedRijndael) cryptor in the windows app.

The ManagedRinjdael approach uses both a key and a salt in its operation. If you don't provide one or the other a random one is
generated each time you create an encryptor or a decryptor.

Where in the Web.config file is the AES/Rijndael salt defined? Right now my sites don't define a salt, which means they're using
some default salt value (which is clearly either defined or stored somewhere, since the membership provider can decrypt and encrypt
successfully in different sessions).

If it's not defined in the Web.config file, where is the default salt defined?

- Mark
.



Relevant Pages

  • Re: Custom UsernameTokenManager
    ... sender needs to know the salt. ... encrypt it first with server's public key. ... authentication anyway so you can encrypt and sign future messages. ... This salts the pw and username and encrypts/signs everything so no ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Password storage facility exe - how safe is this idea?
    ... phrase of at least 15 characters and a passcode. ... A salt doesn't have to be secret, and should not be created by the user. ... Or, you could always call out to DPAPI, to encrypt the password data using ... they can't just change the pass-phrase in there and use the ...
    (microsoft.public.dotnet.security)
  • Re: my KDF vs dictionary attacks
    ... When the OP wrote, "the salt has 1 requirement, it must encrypt into a 32 character string, no more and no less, this means that the salt has a minimum of 5 digits and a maximum of 20 digits," did you understand what ... DES is a 64-bit block cipher - 8 bytes at a time. ...
    (sci.crypt)
  • Re: my KDF vs dictionary attacks
    ... When the OP wrote, "the salt has 1 requirement, it must encrypt into a 32 character string, no more and no less, this means that the salt has a minimum of 5 digits and a maximum of 20 digits," did you understand what ... some encryption systems will give a larger output if the input is larger than a certain criteria, for example, twofish will encrypt a 5 character string into a 32 character output string, ...
    (sci.crypt)