Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to and click on the form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
1. Should I use the encryption algorithms based on the CryptoAPI or the managed versions of these algorithms?
2. Can I use the GetHashCode method of an object rather than bothering with creating MD5 or SHA-1 hashes?
3. How can I access some of the other features of CryptoAPI that the .NET Framework doesn't expose?
4. When creating hashes, should I always use the largest hash size available, SHA-512?
5. I am using CryptDeriveKey to produce a key from a password. I know that a password will reduce the effective strength of the key, but what would be the equivalent key length of an eight-character password?
6. To reduce the processing overhead of SSL, should I use 40-bit encryption instead of 128-bit encryption?
Answers
1.
The answer to this question depends on your particular requirements. You may prefer always using managed code, but the CryptoAPI functions are slightly faster and are FIPS 140-1 certified.
2.
The GetHashCode method produces a hash key that is useful with structures such as hash tables. The hash it produces does not have the secure characteristics required for cryptographic use.
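The following program is an added illustration of this answer, not code from the book. It contrasts the 32-bit value returned by String.GetHashCode with a SHA-256 digest from System.Security.Cryptography: because GetHashCode has only 2^32 possible outputs, the birthday bound means two different strings sharing a value appear after roughly 65,000 candidates, which is why it cannot serve as an integrity check. The candidate strings ("msg-0", "msg-1", ...) are constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not the book's code): why GetHashCode is not a substitute for MD5/SHA-1.
class HashContrast
{
    // Cryptographic digest of a string: 256-bit output, designed for collision
    // and preimage resistance.
    public static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "");
    }

    // GetHashCode yields a 32-bit int intended for bucketing in hash tables; its value
    // is not even guaranteed to be stable across runtime versions or processes. With only
    // 2^32 possible values, two distinct strings with the same hash turn up after about
    // 2^16 candidates. This search hashes constructed strings until a repeat appears.
    public static (string, string)? FindGetHashCodeCollision(int maxCandidates)
    {
        var seen = new Dictionary<int, string>();
        for (int i = 0; i < maxCandidates; i++)
        {
            string candidate = "msg-" + i;   // constructed sample input
            int h = candidate.GetHashCode();
            if (seen.TryGetValue(h, out string earlier))
                return (earlier, candidate);
            seen[h] = candidate;
        }
        return null;
    }

    static void Main()
    {
        var pair = FindGetHashCodeCollision(1_000_000);
        if (pair.HasValue)
        {
            var (a, b) = pair.Value;
            Console.WriteLine($"GetHashCode collision: \"{a}\" and \"{b}\" both hash to 0x{a.GetHashCode():X8}");
            // The cryptographic digests of the same two strings differ in every byte.
            Console.WriteLine($"SHA-256(\"{a}\") = {Sha256Hex(a)}");
            Console.WriteLine($"SHA-256(\"{b}\") = {Sha256Hex(b)}");
        }
        else
        {
            Console.WriteLine("No collision in the first million candidates (unexpected for a 32-bit hash).");
        }
    }
}
```

The collision search usually finishes in well under a second; a comparable search against SHA-256 would require on the order of 2^128 candidates, which is the property the chapter means by "secure characteristics."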
3.
The CryptoAPI provides many advanced features for which the .NET Framework does not provide wrappers. Read the article “Extending .NET Cryptography with CAPICOM and P/Invoke” at
http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dncapi/html/netcryptoapi.asp for more information.
4.
The larger hash may be useful in some scenarios, but consider what you are hashing. It doesn’t make much sense to use SHA-512 to hash an eight-character password, because the attacker would just perform a brute-force attack on the password, not the hash itself.
5.
It is generally accepted that due to the limited keyspace and repetitive nature of the English language, there are 1.3 bits of entropy for each 8-bit character. To achieve the equivalent of a 128-bit key, the user would need a 98-character password, and an eight-character password would be roughly equivalent to using a 10-bit encryption key. However, if you use a password with random letters, numbers, and characters, you can achieve a little more than 6 bits of entropy per character, so an eight-character random password would be roughly equivalent to 50-bit encryption.
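The program below is an added worked example for answers 4 and 5, not code from the book. It carries the chapter's per-character entropy figures (1.3 bits for English-like text, log2 of the alphabet size for random characters, so log2(95) for printable ASCII is the "little more than 6 bits") through to effective key strength, and then derives a 128-bit AES key from an eight-character password to show that key derivation lengthens the key material without adding entropy: the attacker's work is bounded by the smallest of password entropy, hash size and key size, which is why hashing a short password with SHA-512 does not help. Rfc2898DeriveBytes (PBKDF2) stands in for the chapter's CryptDeriveKey; the password, salt and iteration count are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the book's code): how much key strength a password really carries.
class PasswordStrength
{
    // Entropy per character quoted in the chapter's answer for English-like passwords.
    public const double EnglishBitsPerChar = 1.3;

    // Entropy per character for uniformly random choice from an alphabet of the given size;
    // log2(95) for printable ASCII is about 6.57 bits.
    public static double RandomBitsPerChar(int alphabetSize) => Math.Log(alphabetSize, 2);

    // Effective entropy of a password: length times bits per character.
    public static double EffectiveBits(int length, double bitsPerChar) => length * bitsPerChar;

    // Characters needed to reach a target key size at a given entropy per character.
    // 128 / 1.3 = 98.5, which the chapter rounds to a 98-character password.
    public static double CharsNeeded(int targetKeyBits, double bitsPerChar) => targetKeyBits / bitsPerChar;

    // Brute-force work (in bits) is bounded by the weakest of the password's entropy,
    // the hash output size and the cipher key size, so a larger hash (answer 4) does not
    // protect a short password.
    public static double AttackerWorkBits(double passwordBits, int hashBits, int keyBits)
        => Math.Min(passwordBits, Math.Min(hashBits, keyBits));

    static void Main()
    {
        double english8 = EffectiveBits(8, EnglishBitsPerChar);
        Console.WriteLine($"8 English chars   : {english8:F1} bits (roughly a 10-bit key)");
        Console.WriteLine($"128-bit key needs : {CharsNeeded(128, EnglishBitsPerChar):F1} English chars");
        double random8 = EffectiveBits(8, RandomBitsPerChar(95));
        Console.WriteLine($"8 random chars    : {random8:F1} bits (roughly a 50-bit key)");

        // Key derivation stretches the password to 128 bits of output, not 128 bits of
        // entropy. Salt and iteration count are constructed sample values.
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes("password", salt, 10000))   // 8-char constructed password
        {
            byte[] aesKey = kdf.GetBytes(16);   // 16 bytes = 128-bit AES key
            double work = AttackerWorkBits(english8, 512, aesKey.Length * 8);
            Console.WriteLine($"Derived key       : {aesKey.Length * 8} bits long, but only ~2^{work:F0} guesses to recover");
        }
    }
}
```

The last line is the practical point of both answers: hashing with SHA-512 and deriving a 128-bit key both leave the attacker a search of about 2^10 candidate passwords, so strength has to come from the password (or a random key), not from a bigger digest.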
6.
Most of the processing overhead comes from the initial handshake process. Once the session is established, you will see little performance gain by using the much weaker 40-bit encryption.