tag:blogger.com,1999:blog-2889416825250254881.post4628789547680576274..comments2024-01-27T11:41:32.146+00:00Comments on Byte Rot: Review of .NET Framework cryptography and symmetric algorithms benchmarkaliostadhttp://www.blogger.com/profile/05695786967974402749noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-2889416825250254881.post-45710387010968271222013-01-21T09:33:34.574+00:002013-01-21T09:33:34.574+00:00Hi,
just some quick comments...
Streaming - onl...Hi, <br /><br />just some quick comments...<br /><br />Streaming - only stream cipher work on streams, they are not exposed in .NET at all (only block ciphers) - even if CryptoStream gives us that illusion.<br /><br />IV is not for encrypting - but to start the feedback chain (e.g. in CBC mode). They are not used in other modes, e.g. ECB.<br /><br />AES and Rijndael are the same (except for some block length requirements). AES is just the NSA/NIST name - Rijndael the original name.<br /><br />OAuth2 does not specify a hashing algo - it is rather the tokens you transport with OAUth2 - in JWT it is e.g. HMACSHA256 - don't use SHA1 anymore.<br /><br />Recommendation - i don't agree. If you can store the key somewhere secretly (e.g. on a server) why introduce the X509 hassle? It opens other issues around management. On the client, you cannot store a secret key anyways.<br /><br />Asymmetric makes the most sense in key exchange, not necessarily in storage.<br /><br />... and managed impl might not be certified in your scenario (FIPS). And since any other algo besides AES is not acceptable anymore - it might make more sense to compare the perf of Aes, AesCng and AesCryptoServiceProvider.<br /><br />my 2c ;)Dominick Baierhttps://www.blogger.com/profile/18375258906086956323noreply@blogger.com