Discuss this help topic in SecureBlackbox Forum

Derive binary key from password

Often there is a need to generate a strong binary key from a text password. In particular, this is needed when a user-supplied password is used to encrypt some data with a strong symmetric algorithm. Using the password as a key 'as is' is bad practice, therefore a proper key shall be generated using some one-way function.

SecureBlackbox's TElSymmetricKeyMaterial class (SBSymmetricCrypto namespace) provides this capability via its set of DeriveKey() methods. You can choose one of the following options, depending on you project requirements:

  • void DeriveKey(int bits, string password);
  • void DeriveKey(int bits, string password, string salt);
  • void DeriveKey(int bits, string password, byte[] salt);
  • void DeriveKey(int bits, string password, byte[] salt, int iterations);
Salt is an important factor in password-to-key conversion that helps to overcome dictionary attacks. Always generate a random salt (8-32 bytes long) when creating a key, and keep it together with the encrypted data.

The 'iterations' parameter specifies the complexity of the password-to-key routine, loosely speaking, how many times the password should be hashed before the result is returned as a key. The more iterations, the more secure is the procedure, as it slows down the brute force attack. The default number of iterations is 2048.

Note that DeriveKey() produces consistent results, and calling it repeatedly with the same parameters will yield the same key.


TElSymmetricCryptoFactory fac = new TElSymmetricCryptoFactory();
TElSymmetricCrypto aesCrypto = fac.CreateInstance(SBConstants.Unit.SB_ALGORITHM_CNT_AES256);

TElSymmetricKeyMaterial km = new TElSymmetricKeyMaterial();
km.DeriveKey(256, "password", "salt");
km.IV = iv; // DeriveKey() only generates the key, not the IV, so we have to set that ourselves

aesCrypto.KeyMaterial = km;

How To articles related to low-level cryptography

Discuss this help topic in SecureBlackbox Forum