I have been doing some research on creating an encryption/decryption class for use in .NET application. Time after time I read that a salt was needed in addition to the secret password. Today I have come across an encryption/decryption method that only makes use of a single password. Is there something wrong with the encryption methods used by this code as it does not seem make use of a salt?
Public Shared Function EncryptString(ByRef input As String, ByRef password As String) As String
Dim RijndaelManagedObject As New RijndaelManaged
Dim crypto As ICryptoTransform, MD5Obj As New MD5CryptoServiceProvider
Dim EncryptedBytes As Byte()
Dim HashedBytes As Byte() = New ASCIIEncoding().GetBytes(password)
Dim PlainTextBytes As Byte() = New ASCIIEncoding().GetBytes(input)
RijndaelManagedObject.BlockSize = 128
RijndaelManagedObject.KeySize = 128
RijndaelManagedObject.Mode = CipherMode.ECB
RijndaelManagedObject.Padding = PaddingMode.Zeros
RijndaelManagedObject.Key = MD5Obj.ComputeHash(HashedBytes)
crypto = RijndaelManagedObject.CreateEncryptor()
EncryptedBytes = crypto.TransformFinalBlock(PlainTextBytes, 0, PlainTextBytes.Length)
If EncryptedBytes.Length > 0 Then
Return Convert.ToBase64String(EncryptedBytes)
Else
Return String.Empty()
End If
End Function
No, there’s nothing wrong with this.
Salting passwords is to prevent rainbow table attacks when you store those hashed passwords. In this case the password is being used to generate an encryption / decryption key and is not being stored.